Jacobian curve

In mathematics, the Jacobi curve is a representantion of an elliptic curve different than the usual one (Weierstrass equation). Sometimes it is used in cryptography instead of the Weierstrass form because it can provide a defence against simple and differential power analysis style (SPA) attacks; it is possible, indeed, to use the general addition formula also for doubling a point on an elliptic curve of this form: in this way the two operations become indistinguishable from some side-channel information.^[1] The Jacobi curve offers also faster arithmetic compared to the Weierstrass curve.

The Jacobi curve can be of two types: the Jacobi intersection, that is given by an intersection of two surfaces, and the Jacobi quartic.

1 Definition: Jacobi intersection
2 Group law
3 Addition and doubling in affine coordinates
4 Extended coordinates
5 Definition: Jacobi quartic
6 Jacobi quartic in affine coordinates
7 Group law
8 Alternative coordinates for the Jacobi quartic
9 See also
10 External links
11 Notes
12 References

Definition: Jacobi intersection

Let $K$ be a field. An elliptic curve in the projective space $\mathbb P^3$ over $K$ can be represented as the intersection of two quadric surfaces:

$Q: \{Q_1(X_0,X_1,X_2,X_3)=0\} \cap \{Q_2(X_0,X_1,X_2,X_3)=0\}$

It is possible to define the Jacobi form of an elliptic curve as the intersection of two quadrics, using the following map applied to the usual Weierstrass curve $E:$ $y^2 = x^3%2Bax%2Bb$ , $a,b \in K$ :

$\Phi: (x,y) \mapsto (X,Y,Z,T) = (x,y,1,x^2)$

This map sends the point $(x,y) \in E$ to the point $(X,Y,Z,T)$ that satisfies the following system of equations:

$\mathbf S: \begin{cases} X^2-TZ=0\\ Y^2-aXZ-bZ^2-TX=0 \end{cases}$

The map $\Phi$ can be applied to an elliptic curve in the Weierstrass form $E:$ $y^2 = x^3%2Bax%2Bb$ with three points of order two: this means that the polynomial $f(x)=x^3%2Bax%2Bb$ has three roots in the field $K$ . Suppose that the roots are $0, -1, j$ , with $-j \in K$ , then the three points of order two are: (0,0), (-1,0), (-j,0) and the curve $E$ can, thus, be written as:

$E\ �:\ y^2 = x(x%2B1)(x%2Bj),$

where $O=(0:1:0)$ is the "point at infinity", that is the neutral element in the group law.

The curve $E$ corresponds to the following intersection of surfaces in $\mathbb P^3$ :

$\mathbf S1: \begin{cases} X^2%2BY^2-T^2=0\\ kX^2%2BZ^2-T^2=0 \end{cases}$ .

The "special case" is when j=0: the elliptic curve has a double point and thus it is singular.

S1 is obtained by applying to $E$ the transformation:

$\psi$ : $E \rightarrow S1$

$(x,y) \mapsto (X,Y,Z,T)=(-2y,x^2-j,x^2%2B2jx%2Bj,x^2%2B2x%2Bj)$

$O=(0:1:0) \mapsto (0,1,1,1)$

Group law

(See also The group law).

Given an elliptic curve, it is possible to do some "operations" between its points: for example one can add two points P and Q obtaining the point P+Q that belongs to the curve ; given a point P on the elliptic curve, it is possible to "double" P, that means find [2]P=P+P (the square brackets are used to indicate [n]P, the point P added n times), and also find the negation of P, that means find -P. In this way, the points of an elliptic curve forms a group. Adding and doubling formulas are useful also to compute [n]P, the nth multiple of a point P on an elliptic curve: this operation is considered the most in elliptic curve cryptography.

For S1, the neutral element of the group is the point $(0,1,1,1)$ , that is the image of $0=(0:1:0)$ by $\psi$ .

Addition and doubling

Given $P_1=(X_1,Y_1,Z_1,T_1)$ and $P_2=(X_2,Y_2,Z_2,T_2)$ , two points on $S1$ , the coordinates of the point $P_3=P_1%2BP_2$ are:

$X_3 = T_1Y_2X_1Z_2 %2B Z_1X_2Y_1T_2$

$Y_3 = T_1Y_2Y_1T_2 - Z_1X_2X_1Z_2$

$Z_3 = T_1Z_1T_2Z_2 - kX_1Y_1X_2Y_2$

$T_3 = (T_1Y_2)^2 %2B (Z_1X_2)^2$

These formulas are also valid for doubling: it sufficies to have $P_1=P_2$ . So adding or doubling points in $S1$ are operations that both require 16 multiplications plus one multiplication by a constant ( $k$ ).

It is also possible to use the following formulas for doubling the point $P_1$ and find $P_3=[2]P_1$ :

$X_3 = 2Y_1T_1Z_1X_1$

$Y_3 = (T_1Y_1)^2 - (T_1Z_1)^2 %2B (Z_1Y_1)^2$

$Z_3 = (T_1Z_1)^2 - (T_1Y_1)^2 %2B (Z_1Y_1)^2$

$T_3 = (T_1Z_1)^2 %2B (T_1Y_1)^2 - (Z_1Y_1)^2$

Using these formulas 8 multiplications are needed to double a point. However there are even more efficient “strategies” for doubling that require only 7 multiplications.^[2] In this way it is possible to triple a point with 23 multiplications; indeed $[3]P_1$ can be obtained by adding $P_1$ with $[2]P_1$ with a cost of 7 multiplications for $[2]P_1$ and 16 for $P_1%2B[2]P_1$ ^[2]

Example of addition and doubling

Let the field $K=\mathbb R$ , or $K=\mathbb C$ . Consider the case:

$\mathbf S1: \begin{cases} X^2%2BY^2-T^2=0\\ 4X^2%2BZ^2-T^2=0 \end{cases}$

Consider the points $P_1=(1,\sqrt{3},0,2)$ and $P_2=(1,2,1,\sqrt{5})$ : it is easy to verify that $P1$ and $P2$ belong to S1 (it is sufficient to see that these points satisfy both equations of the system S1).

Using the formulas given above for adding two points, the coordinates for $P_3$ , where $P_3=P_1%2BP_2$ are:

$X_3 = T_1Y_2X_1Z_2 %2B Z_1X_2Y_1T_2 = 4$

$Y_3 = T_1Y_2Y_1T_2 - Z_1X_2X_1Z_2 = 4\sqrt{15}$

$Z_3 = T_1Z_1T_2Z_2 - kX_1Y_1X_2Y_2 = -8\sqrt{3}$

$T_3 = (T_1Y_2)^2 %2B (Z_1X_2)^2 = 16$

The resulting point is $P_3=(4,4\sqrt{15},-8\sqrt{3},16)$ .

With the formulas given above for doubling, it is possible to find the point $P_3=[2]P_1$ :

$X_3 = 2Y_1T_1Z_1X_1 = 0$

$Y_3 = (T_1Y_1)^2 - (T_1Z_1)^2 %2B (Z_1Y_1)^2 = 12$

$Z_3 = (T_1Z_1)^2 - (T_1Y_1)^2 %2B (Z_1Y_1)^2 = -12$

$T_3 = (T_1Z_1)^2 %2B (T_1Y_1)^2 - (Z_1Y_1)^2 = 12$

So, in this case $P_3 = [2]P_1 = (0,12,-12,12)$ .

Negation

Given the point $P_1=(X_1,Y_1,Z_1,T_1)$ in $S1$ , its negation is $-P_1=(-X_1,Y_1,Z_1,T_1). \,$

Addition and doubling in affine coordinates

Given two affine points $P_1=(x_1,y_1,z_1)$ and $P_2=(x_2,y_2,z_2)$ , their sum is a point $P_3$ with coordinates:

$x_3 = \frac{y_2x_1z_2 %2B z_1x_2y_1}{(y_2^2 %2B (z_1x_2)^2)}$

$y_3 = \frac{y_2y_1-z_1x_2x_1z_2}{(y_2^2%2B(z_1x_2)^2)}$

$z_3 = \frac{z_1z_2-ax_1y_1x_2y_2}{(y_2^2%2B(z_1x_2)^2)}$

These formulas are valid also for doubling with the condition $P_1=P_2$ .

Extended coordinates

There is another kind of coordinate system with which a point in the Jacobi intersection can be represented.

Given the following elliptic curve in the Jacobi intersection form:

$\mathbf S1: \begin{cases} x^2%2By^2=1\\ kx^2%2Bz^2=1 \end{cases}$

the extended coordinates describe a point $P=(x,y,z)$ with the variables $X,Y,Z,T,XY,ZT$ , where:

$x = X/T$

$y = Y/T$

$z = Z/T$

$XY = X\cdot Y$

$ZT = Z\cdot T$

Sometimes these coordinates are used, because they are more convenient (in terms of time-cost) in some specific situations.

To have more information about the operations based on the use of these coordinates see http://hyperelliptic.org/EFD/g1p/auto-jintersect-extended.html

Definition: Jacobi quartic

Let $K$ be a field. An elliptic curve in Jacobi quartic form can be obtained from a curve $C$ in the Weierstrass form with at least one point of order 2:

$C: y^2 = x^3%2Bax%2Bb, \,$

with $a,b \in K$ .

Let $P=(p,0)$ be a root of $y^2 = x^3%2Bax%2Bb$ , then P is a point of order 2 of the elliptic curve; let $O$ be the point at infinity.

The following transformation $f$ sends each point of $C$ to a point in the Jacobi coordinates ( $(X:Y:Z)=(sX:s^2 Y:sZ)$ )

$f$ : $C \rightarrow \mathbb J$

$(p,0) \mapsto (0:-1:1)$

$(x,y)\neq (p,0) \mapsto (2(x-p)�: (2x%2Bp)(x-p)^2- y^2: y)$

$O \mapsto (0�:1�:1)$ ^[3]

Applying $f$ to $C$ , one obtains a curve in $\mathbb J$ of the following form:

$C'\ �:\ Y^2= eX^4-2dX^2Z^2%2B Z^4$ ^[3]

where $e=\frac{-( 3p^2%2B4a)}{16}, d=\frac{3p}{4}, e, d \in K$ .

C' represents an elliptic curve in the Jacobi quartic form, in Jacobi coordinates.

Jacobi quartic in affine coordinates

The general form of a Jacobi quartic curve in affine coordinates is:

$y^2 = ex^4 %2B 2ax^2 %2B 1$ ,

where often $e=1$ is assumed.

Group law

The neutral element of the group law of $C'$ is the projective point $(0:1:1)$ .

Addition and doubling in affine coordinates

Given two affine points $P_1=(x_1,y_1)$ and $P_2=(x_2,y_2)$ , their sum is a point $P_3=(x_3,y_3)$ , such that:

$x_3 = \frac{x_1y_2%2By_1x_2}{1-(x_1x_2)^2}$

$y_3 = \frac{((1%2B(x_1x_2)^2)(y_1y_2%2B2ax_1x_2)%2B2x_1x_2({x_1}^2%2B{x_2}^2))}{(1-(x_1x_2)^2)^2}$

As in the Jacobi intersections, also in this case it is possible to use this formula for doubling as well.

Addition and doubling in projective coordinates

Given two points $P_1=(X_1:Y_1:Z_1)$ and $P_2=(X_2:Y_2:Z_2)$ in $C'$ , the coordinates for the point $P_3=(X_3:Y_3:Z_3)$ , where $P_3=P_1%2BP_2$ , are given in terms of $P_1$ and $P_2$ by the formulae:

$X_3 = X_1Z_1Y_2 %2B Y_1X_2Z_2$

$Y_3 = [(Z_1Z_2)^2%2Be(X_1X_2)^2][Y_1Y_2-2dX_1X_2Z_1Z_2]%2B2eX_1X_2Z_1Z_2(X_1^2Z_2^2%2BZ_1^2X_2^2)$

$Z_3 = (Z_1Z_2)^2-e(X_1X_2)^2$

One can use this formula also for doubling, with the condition that $P_2=P_1$ : in this way the point $P_3=P_1%2BP_1=[2]P_1$ is obtained.

The number of multiplications required to add two points is 13 plus 3 multiplications by constants: in particular there are two multiplications by the constant $e$ and one by the constant $d$ .

There are some "strategies" to reduce the operations required for adding and doubling points: the number of multiplications can be decreased to 11 plus 3 multiplications by constants (see ^[4] section 3 for more details).

The number of multiplications can be reduced by working on the constants $e$ and $d$ : the elliptic curve in the Jacobi form can be modified in order to have a smaller number of operations for adding and doubling. So, for example, if the constant $d$ in C’ is significantly small, the multiplication by $d$ can be cancelled; however the best option is to reduce $e$ : if it is small, not only one, but two multiplications are neglected.

Example of addition and doubling

Consider an elliptic curve in the Weierstrass form in affine coordinates over the field $K=\mathbb{R}$ , or $K=\mathbb{C}$ , with $a=4$ and $b=0$ :

$C\ �:\ y^2 = x^3 %2B 4x$

$C$ has a point $P$ of order 2: $P=(p,0)=(0,0)$ .

Applying the function $\psi$ to $E$ , the following elliptic curve in projective Jacobi quartic form is obtained:

$C'\ �:\ Y^2 = X^4 %2B Z^4$

where $e = \frac{-(3p^2%2B4a)}{16} = 1$ and $d=\frac{3p}{4}=0$ .

Choosing two points $P_1=(1:\sqrt{2}:1)$ and $P2=(2:\sqrt{17}:1)$ , it is possible to find their sum $P_3=P_1%2BP_2$ using the formulae for adding given above:

$X_3 = X_1Z_1Y_2 %2B Y_1X_2Z_2 = \sqrt{17} %2B 2\sqrt{2}$

$Y_3 = [(Z_1Z_2)^2%2Be(X_1X_2)^2][Y_1Y_2-2dX_1X_2Z_1Z_2]%2B2eX_1X_2Z_1Z_2(X_1^2Z_2^2%2BZ_1^2X_2^2) = 5\sqrt{34} %2B 20$

$Z_3 = (Z_1Z_2)^2-e(X_1X_2)^2 = -3$ .

So $P_3=(\sqrt{17}%2B2\sqrt{2}:5\sqrt{34}%2B20:-3)$ .

Using the same formulae, the point $P_3=[2]P_1$ is obtained:

$X_3 = 1\cdot1\cdot\sqrt{2} %2B \sqrt{2}\cdot1\cdot1 = 2\sqrt{2}$

$Y_3 = [1%2B1\cdot1]\cdot[\sqrt{2}\cdot\sqrt{2}] %2B 2\cdot1\cdot(1^4%2B1^4) = 8$

$Z_3 = 1^4 - 1\cdot(1\cdot1)^2 = 0$

so, $P_3=(2\sqrt{2}:8:0)$ .

Negation

The negation of a point $P_1=(X_1:Y_1:Z_1)$ is:

$-P_1=(-X_1:Y_1:Z_1)$

Alternative coordinates for the Jacobi quartic

There are other systems of coordinates that can be used to represent a point in a Jacobi quartic: they are used to obtain fast computations in certain cases. For more information about the time-cost required in the operations with these coordinates see http://hyperelliptic.org/EFD/g1p/auto-jquartic.html

Given an affine Jacobi quartic

$y^2 = x^4 %2B 2ax^2 %2B 1$

the Doubling-oriented XXYZZ coordinates introduce an additional curve parameter c satisfying

$a^2%2Bc^2=1$

and they represent a point (x,y) as (X, XX, Y, Z, ZZ, R), such that:

$x = X/Z$

$y = Y/ZZ$

$XX = X^2$

$ZZ = Z^2$

$R = 2\cdot X\cdot Z$

the Doubling-oriented XYZ coordinates, with the same additional assumption ( $a^2%2Bc^2=1$ ), represent a point (x,y) with (X, Y, Z) satisfying the following equations:

$x = X/Z$

$y = Y/Z^2$

Using the XXYZZ coordinates there is no additional assumption, and they represent a point (x,y) as (X,XX,Y,Z,ZZ) such that:

$x = X/Z$

$y = Y/ZZ$

$XX = X^2$

$ZZ = Z^2$

while the XXYZZR coordinates represent (x,y) as (X,XX,Y,Z,ZZ,R) such that:

$x = X/Z$

$y = Y/ZZ$

$XX = X^2$

$ZZ = Z^2$

$R = 2\cdot X\cdot Z$

with the XYZ coordinates the point (x,y) is given by (X,Y,Z), with:

$x = X/Z$

$y = Y/Z^2$ .

External links

http://hyperelliptic.org/EFD/g1p/index.html

Notes

^ Olivier Billet, The Jacobi Model of an Elliptic Curve and Side-Channel Analysis
^ ^a ^b P.Y.Liardet and N.P.Smart, Preventing SPA/DPA in ECC Systems Using the Jacobi Form, pag 397
^ ^a ^b Olivier Billet and Marc Joye, The Jacobi Model of an Elliptic Curve and Side-Channel Analysis, pag 37-38
^ Sylvain Duquesne, Improving the Arithmetic of Elliptic Curves in the Jacobi Model-I3M, (UMR CNRS 5149) and Lirmm, (UMR CNRS 5506), Universite Montpellier II

References

Olivier Billet, Marc Joye (2003). The Jacobi Model of an Elliptic Curve and the Side-Channel Analysis. Springer-Verlag Berlin Heidelberg 2003. ISBN 978-3-540-40111-7. http://www.springerlink.com/content/p0013kgt6xpulkvb/fulltext.pdf.
P.Y. Liardet, N.P. Smart (2001). Preventing SPA/DPA in ECC Systems Using the Jacobi Form. Springer-Verlag Berlin Heidelberg 2001. ISBN 978-3-540-42521-2. http://www.springerlink.com/content/h3bhhlxn9qbg05pj/fulltext.pdf.
http://hyperelliptic.org/EFD/index.html

Jacobian curve

Contents

Definition: Jacobi intersection

Group law

Addition and doubling

Example of addition and doubling

Negation

Addition and doubling in affine coordinates

Extended coordinates

Definition: Jacobi quartic

Jacobi quartic in affine coordinates

Group law

Addition and doubling in affine coordinates

Addition and doubling in projective coordinates

Example of addition and doubling

Negation

Alternative coordinates for the Jacobi quartic

See also

External links

Notes

References