Doubling-oriented Doche–Icart–Kohel Curve

In mathematics, the doubling-oriented Doche–Icart–Kohel curve is a form in which an elliptic curve can be written. It is a special case of Weierstrass form and it is also important in elliptic-curve cryptography because the doubling speeds up considerably (computing as composition of 2-isogeny and its dual).
It has been introduced by Christophe Doche, Thomas Icart, and David R. Kohel in ''Efficient Scalar Multiplication by Isogeny Decompositions.''Christophe Doche, Thomas Icart, and David R. Kohel, ''Efficient Scalar Multiplication by Isogeny Decompositions''

Definition

Let $K$ be a field and let $a\in K$. Then, the Doubling-oriented Doche–Icart–Kohel curve with parameter ''a'' in affine coordinates is represented by:

$y^2=x^3+ax^2+16ax$

Equivalently, in projective space, projective coordinates:

$ZY^2=X^3+aZX^2+16aXZ^2,$

with $x=\frac$ and $y=\frac$.

Notice that, since this curve is a special case of elliptic curve, Weierstrass form, transformations to the most common form of elliptic curve (Weierstrass form) are not needed.

Group law

It is interesting to analyze the elliptic curve#The group law, group law in elliptic curve cryptography, defining the addition and doubling formulas, because these formulas are necessary to compute multiples of points ''[n]P'' (see Exponentiation by squaring). In general, the group law is defined in the following way: if three points lies in the same line then they sum up to zero. So, by this property, the group laws are different for every curve shape.

In this case, since these curves are special cases of Weierstrass curves, the addition is just the standard addition on Weierstrass curves. On the other hand, to double a point, the standard doubling formula can be used, but it would not be so fast.
In this case, the identity element, neutral element is $\theta=(0:1:0)$ (in projective coordinates), for which $\theta=-\theta$. Then, if $P=(x,y)$ is a non-trivial element ($P!=O$), then the inverse of this point (by addition) is –P=(x,-y).

Addition

In this case, affine coordinates will be used to define the addition formula:

(x₁,y₁)+(x₂,y₂)=(x₃,y₃) where

x₃ = (-x₁³+(x₂-a)x₁²+(x₂²+2ax₂)x₁+(y₁²-2y₂y₁+(-x₂³-ax₂²+y₂²)))/(x₁²-2x₂x₁+x₂²)

y₃ = ((-y₁+2y₂)x₁³+(-ay₁+(-3y₂x₂+ay₂))x₁²+((3x₂²+2ax₂)y₁-2ay₂x₂)x₁+(y₁³-3y₂y₁²+(-2x₂³-ax₂²+3y₂²)y₁+(y₂x₂³+ay₂x₂²-y₂³)))/(-x₁³+3x₂x₁²-3x₂²x₁+x₂³)

Doubling

2(x₁,y₁)=(x₃,y₃)

x₃ = 1/(4y₁²)x₁⁴-8a/y₁²x₁²+64a2/y₁²

y₃ = 1/(8y₁³)x₁⁶+((-a²+40a)/(4y₁³))x₁⁴+((ay₁²+(16a³-640a²))/(4y₁³))x₁²+((-4a²y₁²-512a³)/y₁³)

Algorithms and examples

Addition

The fastest addition is the following one (comparing with the results given in: http://hyperelliptic.org/EFD/g1p/index.html), and the cost that it takes is 4 multiplications, 4 squaring and 10 addition.

A = Y₂-Y₁

AA = A²

B = X₂-X₁

CC = B²

F = X₁CC

Z₃ = 2CC

D = X₂Z₃

ZZ₃ = Z₃²

X₃ = 2(AA-F)-aZ₃-D

Y₃ = ((A+B)²-AA-CC)(D-X₃)-Y₂ZZ₃

Example

Let $K=\mathbb$. Let P=(X₁,Y₁)=(2,1), Q=(X₂,Y₂)=(1,-1) and a=1, then

A=2

AA=4

B=1

CC=1

F=2

Z₃=4

D=4

ZZ₃=16

X₃=-4

Y₃=336

Thus, P+Q=(-4:336:4)

Doubling

The following algorithm is the fastest one (see the following link to compare: http://hyperelliptic.org/EFD/g1p/index.html), and the cost that it takes is 1 multiplication, 5 squaring and 7 additions.

A = X₁²

B = A-a16

C = a₂A

YY = Y₁²

YY₂ = 2YY

Z₃ = 2YY₂

X₃ = B²

V = (Y₁+B)2-YY-X₃

Y₃ = V(X₃+64C+a(YY₂-C))

ZZ₃ = Z₃²

Example

Let $K=\mathbb$ and a=1. Let P=(-1,2), then Q=[2]P=(x3,y3) is given by:

A=1

B=-15

C=2

YY=4

YY₂=8

Z₃=16

X₃=225

V=27

Y₃=9693

ZZ₃=256

Thus, Q=(225:9693:16).

Extended coordinates

The addition and doubling computations should be as fast as possible, so it is more convenient to use the following representation of the coordinates:

$x,y$ are represented by $X,Y,Z,ZZ$ satisfying the following equations:

$x=\frac$

$y=\frac$

$ZZ=Z^2$

Then, the Doubling-oriented Doche–Icart–Kohel curve is given by the following equation:

$Y^2=ZX^3+aZ^2X^2+16aZ^3X$.

In this case,$P=(X: Y: Z: ZZ)$ is a general point with inverse $-P=(X: -Y: Z: ZZ)$.
Furthermore, the points over the curve satisfy: $(X:Y:Z:Z^2)=(\lambda X: \lambda^2Y: \lambda Z: \lambda^2Z^2)$ for all $\lambda$ nonzero.

Faster doubling formulas for these curves and mixed-addition formulas were introduced by Doche, Icart and Kohel; but nowadays, these formulas are improved by Daniel J. Bernstein and Tanja Lange (see below the link of EFD).

Internal Link

For more information about the running-time required in a specific case, see Table of costs of operations in elliptic curves

Notes

References

*

*

External links

* http://hyperelliptic.org/EFD/g1p/index.html
* http://www.hyperelliptic.org/EFD/g1p/auto-2dik.html

{{DEFAULTSORT:Doubling-oriented Doche-Icart-Kohel curve
Elliptic curves
Elliptic curve cryptography