Fast Elliptic Curve Arithmetic and Improved WEIL Pairing Evaluation

This explains https://arxiv.org/abs/math/0208038.

Motivation

Compute 2P+Q2P + Q without the intermediate results 2P2P and P+QP + Q given E:y2=x3+ax+bE: y^2 = x^3 + a \cdot x + b, where 4a3+27b204a^3 + 27b^2 \ne 0,

  • 2P2P: 1 multiplication, 2 squarings and 1 division. If P=(x1,y1)P = (x_1, y_1), R=2P=(x2,y2)R = 2P = (x_2, y_2) is computed as follows:

λ=3x12+a2y1x2=λ22x1y2=(x1x2)λy1\lambda = \frac{3 {x_1}^2 + a}{2 y_1} \\x_2 = \lambda^2 - 2x_1 \\ y_2 = (x_1 - x_2) \lambda - y_1

  • P+QP + Q: 1 multiplication, 1 squaring and 1 division. If P=(x1,y1)P = (x_1, y_1) and Q=(x2,y2)Q = (x_2, y_2), R=P+Q=(x3,y3)R = P + Q = (x_3, y_3) is computed as follows:

λ1=(y2y1)/(x2x1),x3=λ12x1x2,y3=(x1x3)λ1y1\lambda_1 = (y_2 - y_1) / (x_2 - x_1),\\ x_3 = {\lambda_1}^2 - x_1 -x_2, \\ y_3 = (x_1 - x_3)\lambda_1 - y_1

  • Naive 2P+Q2P + Q: 2 multiplications, 3 squarings and 2 divisions

How can we improve this?

Algorithm

Suppose P=(x1,y1)P = (x_1, y_1) and Q=(x2,y2)Q = (x_2, y_2) are distinct points on EE, with x1x2x_1 \ne x_2. The sum P+QP + Q has coordinates (x3,y3)(x_3, y_3), where:

λ1=(y2y1)/(x2x1),x3=λ12x1x2,y3=(x1x3)λ1y1\lambda_1 = (y_2 - y_1) / (x_2 - x_1),\\ x_3 = {\lambda_1}^2 - x_1 -x_2, \\ y_3 = (x_1 - x_3)\lambda_1 - y_1

Now suppose we want to add (P+Q)(P + Q) to PP. To do this, we add (x1,y1)(x_1, y_1) to (x3,y3)(x_3, y_3) using the same addition rule. Assuming x3x1x_3 \ne x_1, the resulting coordinates are (x4,y4)(x_4, y_4), where

λ2=(y3y1)/(x3x1),x4=λ22x1x3,y4=(x1x4)λ2y1\lambda_2 = (y_3 - y_1) / (x_ 3 - x_1), \\ x_4 = {\lambda_2}^2 - x_1 - x_3, \\ y_4 = (x_1 - x_4)\lambda_2 - y_1

We can omit the explicit computation of y3y_3 since it is used only to calculate λ2\lambda_2. Instead, λ2\lambda_2 can be computed directly as:

λ2=(y3y1)/(x3x1)=((x1x3)λ12y1)/(x3x1)=λ12y1/(x3x1)\begin{align*} \lambda_2 &= (y_3 - y_1) / (x_3 - x_1)\\ &= ((x_1 - x_3) \lambda_1 - 2y_1) / (x_3 - x_1) \\ &= -\lambda_1 - 2y_1 / (x_3 - x_1) \\ \end{align*}

Which means you can compute λ2\lambda_2 using x1,y1x_1, y_1 and λ1\lambda_1.

λ2=λ12y1/(λ12x22x1)\lambda_2 = -\lambda_1 - 2y_1 / ({\lambda_1}^2 -x_2 - 2x_1)

Additionally, you can compute x4x_4 using x2,λ1x_2, \lambda_1 and λ2\lambda_2.

x3=λ12x1x2x3x4=λ12x1x2(λ22x1x3)x4=λ12x2λ22x4=x2+λ22λ12\begin{align*} x_3 &= {\lambda_1}^2 - x_1 - x_2 \\ x_3 - x_4 &= {\lambda_1}^2 - x_1 - x_2 -( {\lambda_2}^2 - x_1 - x_3 ) \\ -x_4 &={\lambda_1}^2 - x_2 - \lambda_2^2 \\ x_4 &= x_2 + {\lambda_2}^2 - {\lambda_1}^2 \end{align*}

This trick can also be applied when computing 3P3P. Thus, 3P+Q=((P+Q)+P)+P3P + Q = ((P + Q) + P) + P saves 2 multiplicaitons.

Conclusion

The cost of this algorithm is as follows:

  • Optimized 2P+Q2P + Q: 1 multiplication, 2 squarings and 2 divisions (+ 1 squaring when P=QP = Q)

    • Idea: (P+Q)+P(P + Q) +P instead of 2P+Q2P + Q and yy-coordinate is not computed when computing (P+Q)(P + Q) ⇒ This saves a field multiplication

    • if P=QP = Q

      • 2 * (1 multiplication, 2 squarings and 1 division) - 1 multiplication

    • otherwise

      • 2 * (1 multiplication, 1 squaring and 1 division) - 1 multiplication

Written by ryan Kim from A41

PreviousCoordinate FormsNextEdwards Curve

Last updated