Compression for trace zero points on Edwards curves
Elisa Gorla
joint work w/ G. Bianco
Institut de mathématiques, Université de Neuchâtel
SIAM Conference on Applied Algebraic Geometry
National Institute for Mathematical Sciences, Daejeon, Korea
August 7, 2015
Public key cryptography and the DLP
The security of many cryptographic primitives is based on the practical
intractability of the Discrete Logarithm Problem.
Definition
Discrete Logarithm Problem (DLP): given a finite group (G, +) and
g ∈ G, h ∈ ⟨g⟩, find an a ∈ Z s.t. ag = h.
Examples
If G = Z or G = Z_n, then a = h/g is easy to compute (polynomial complexity).
If G = F_q^* is the multiplicative group of a finite field, the DLP in (F_q^*, ·) is hard
(subexponential complexity).
If G is the Picard group of an elliptic or hyperelliptic curve, the DLP is
very hard (exponential complexity).
Ideally G also has: efficient computation of the operation, easily
computable order, efficient representation of the elements.
Efficient representation of group elements
Efficiently representing the elements of G allows one to reduce storage space
and transmission bandwidth (same as source coding).
Definition
A representation is a low degree map R : G → F_q^ℓ.
A representation is optimal if log_2 |G| = ℓ log_2 q + O(1).
Remarks
1. In practice, allow R to have low degree d. Then R identifies up to d
elements and log_2 |G| = log_2(|G|/d) + O(1).
2. A representation imposes computational costs of compression
(computing R) and decompression (computing R^{−1}).
3. If G = A(F_q) for A an abelian variety, then
log_2 |A(F_q)| = dim A · log_2 q + O(1), hence R is optimal iff ℓ = dim A.
Twisted Edwards curves
F_q a finite field with |F_q| = q, char(F_q) ≠ 2.
Definition
A twisted Edwards curve over F_q is a plane curve of equation
$$a x^2 + y^2 = 1 + d x^2 y^2$$
with a, d ∈ F_q \ {0}, a ≠ d.
• Plane models of elliptic curves introduced by Edwards.
• Proposed for use in cryptography by Bernstein and Lange (twisted
curves by Bernstein, Birkner, Joye, Lange, Peters).
• Birationally equivalent over F_q to Montgomery curves.
Why Edwards curves?
The addition law on E_{a,d} is
$$(x_1, y_1) + (x_2, y_2) = \left( \frac{x_1 y_2 + x_2 y_1}{1 + d x_1 x_2 y_1 y_2},\ \frac{y_1 y_2 - a x_1 x_2}{1 - d x_1 x_2 y_1 y_2} \right).$$
E_{a,d} has points at infinity Ω_1 = [1, 0, 0] and Ω_2 = [0, 1, 0].
The neutral element is O = (0, 1) and −(x, y) = (−x, y).
• The same formulas compute additions and doublings.
• If √a ∈ F_q and √d ∉ F_q, the formulas are complete.
• Arithmetic is very efficient (see the Explicit-Formulas Database).
The trace zero subgroup
Let F_q ⊂ F_{q^n} with n prime, E_{a,d} a twisted Edwards curve defined over F_q.
Definition
The Frobenius endomorphism is
$$\varphi : E_{a,d} \longrightarrow E_{a,d}, \qquad (x, y) \longmapsto (x^q, y^q), \qquad \Omega_i \longmapsto \Omega_i.$$
We have a trace map
$$\mathrm{Tr} : E_{a,d}(\mathbb{F}_{q^n}) \longrightarrow E_{a,d}(\mathbb{F}_q), \qquad P \longmapsto P + \varphi(P) + \ldots + \varphi^{n-1}(P).$$
The trace zero subgroup is T_n = ker Tr ⊂ E_{a,d}(F_{q^n}).
T_n was proposed for use in cryptography by Frey.
Why the trace zero subgroup?
• Arithmetic in T_n is very efficient thanks to ϕ (Lange).
• Useful in pairing-based cryptography, where trace zero subgroups provide more
flexibility in the security parameter (Rubin-Silverberg).
• We have a short exact sequence
$$0 \longrightarrow T_n \longrightarrow E_{a,d}(\mathbb{F}_{q^n}) \xrightarrow{\ \mathrm{Tr}\ } E_{a,d}(\mathbb{F}_q) \longrightarrow 0.$$
Hence the DLP in T_n and in E_{a,d}(F_{q^n}) have the same complexity.
T_n is the group of F_q-rational points of an (n − 1)-dimensional abelian
variety called the trace zero variety.
Goal: finding an optimal representation R : T_n → F_q^{n−1}.
Elliptic curves in Weierstrass form
Theorem (G., Massierer)
E elliptic curve in Weierstrass form, n ≥ 3 prime, P ∈ T_n ⊂ E(F_{q^n}).
Then Tr(P) − nO = P + ϕ(P) + ... + ϕ^{n−1}(P) − nO = (h_P) with h_P ∈ F_q[x, y],
$$h_P(x, y) = h_{P,1}(x) + y\, h_{P,2}(x), \qquad h_{P,1} = \sum_{i=0}^{\frac{n-1}{2}} \gamma_i x^i, \qquad h_{P,2} = x^{\frac{n-3}{2}} + \sum_{i=0}^{\frac{n-5}{2}} \beta_i x^i.$$
Hence we have an optimal representation
$$R : T_n \longrightarrow \mathbb{F}_q^{\,n-1}, \qquad P \longmapsto (\gamma_0, \ldots, \gamma_{\frac{n-1}{2}}, \beta_0, \ldots, \beta_{\frac{n-5}{2}})$$
such that R^{−1}(R(P)) = {P, ϕ(P), ..., ϕ^{n−1}(P)}.
Remark
For n = 3 we have h_{P,2} = 1 and h_P(x, y) is the line through P, ϕ(P), ϕ²(P).
Divisors on Edwards curves
Problem: h_P ∈ F_q(E_{a,d}) with (h_P) = Tr(P) − nO is not a polynomial.
Lemma (Bianco, G.)
Let c = √(a d^{−1}) (∈ F_q), f ∈ F_q(E_{a,d}). Then
$$f(x, y) = \frac{f_1(y) + x\, f_2(y)}{(y - c)^u (y + c)^v f_3(y)}$$
where f_i ∈ F_q[y], gcd{f_1, f_2, f_3} = 1, f_3(±c) ≠ 0, and u, v ≥ 0.
If in addition f has poles only at Ω_1, Ω_2, then f_3(y) = 1.
Caveat: the curve has singularities at Ω_1, Ω_2, and these points correspond
to four points in the desingularization. So we have distinct functions with
the same divisor on E_{a,d}, e.g. (y − c) = (y + c) = 2Ω_1 − 2Ω_2.
A representation for trace zero points
Theorem (Bianco, G.)
E_{a,d} twisted Edwards curve, n ≥ 3 prime, P ∈ T_n, P_i = P + ϕ(P) + ... + ϕ^i(P).
Let h_i be the horizontal line through P_i, φ_i be the conic with
(φ_i) = P_{i−1} + ϕ^i(P) + (−P_i) + O' − 2Ω_1 − 2Ω_2, where O' = (0, −1). Define
$$q_P(x, y) = \frac{\phi_1 \cdots \phi_{n-2}\,(a - d y^2)^{\frac{n-3}{2}}}{h_1 \cdots h_{n-3}\,(1 + y)^{\frac{n-3}{2}}} \in \mathbb{F}_q(E_{a,d}).$$
Then (q_P) = Tr(P) + O' − 2Ω_1 − (n − 1)Ω_2. Moreover, q_P ∈ F_q[x, y] and
$$q_P(x, y) = (1 + y)\, q_1(y) + x\, q_2(y), \qquad q_1(y) = \sum_{i=0}^{\frac{n-3}{2}} a_i y^i, \qquad q_2(y) = \sum_{i=0}^{\frac{n-1}{2}} b_i y^i \neq 0.$$
Hence we have an optimal representation
$$R : T_n \longrightarrow \mathbb{F}_q^{\,n-1} \oplus \mathbb{F}_2, \qquad P \longmapsto (a_0, \ldots, a_{\frac{n-3}{2}}, b_0, \ldots, b_{\frac{n-1}{2}})$$
such that R^{−1}(R(P)) = {P, ..., ϕ^{n−1}(P)}.
Inverting the representation
Special case
For n = 3, q_P is the conic with (q_P) = P + ϕ(P) + ϕ²(P) + O' − 2Ω_1 − 2Ω_2.
Then q_P(x, y) = a_0(1 + y) + x(b_1 y + b_0) = φ_1, b_1 ∈ {0, 1}.
We have a precise operation count for the complexity of computing R, R^{−1},
which is not as good as for elliptic curves in short Weierstrass form.
Proposition (Bianco, G.)
E_{a,d} twisted Edwards curve, n ≥ 3 prime, O ≠ P = (x, y) ∈ T_n,
R(P) = (a_0, ..., a_{(n−3)/2}, b_0, ..., b_{(n−1)/2}). Then the Frobenius conjugates of y are
exactly the roots of
$$(a - d t^2)(1 + t)\Big(\sum_{i=0}^{\frac{n-3}{2}} a_i t^i\Big)^2 + (t - 1)\Big(\sum_{i=0}^{\frac{n-1}{2}} b_i t^i\Big)^2$$
and $x = -\dfrac{(1 + y)\, q_1(y)}{q_2(y)}$.
The complexity of computing R^{−1} is that of computing a root of a polynomial of
degree n, comparable to elliptic curves in short Weierstrass form.
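As an added example that is not the talk's own code, the n = 3 case worked end to end in Python: the Edwards addition law and Frobenius from the earlier slides, a trace zero point, the conic q_P = a_0(1 + y) + x(b_1 y + b_0) of the special case, and the degree-3 root finding of the Proposition. It assumes illustrative parameters of my own choosing (q = 7, F_{7^3} = F_7[t]/(t^3 − 2), a = 1, d = 3, so √a ∈ F_q and √d ∉ F_q) and, when b_1 = 0, the normalisation b_0 = 1, which the slides do not specify.

```python
# Added example (not the talk's code): the n = 3 representation worked over the small field
# F_{7^3} = F_7[t]/(t^3 - 2) on the curve x^2 + y^2 = 1 + 3x^2y^2; parameters chosen for illustration.
Q, ZERO, ONE, AA, DD = 7, (0, 0, 0), (1, 0, 0), (1, 0, 0), (3, 0, 0)  # a = 1 square, d = 3 non-square
ALL = [(i, j, k) for i in range(Q) for j in range(Q) for k in range(Q)]   # F_{q^3}: c0 + c1 t + c2 t^2
def add(u, v): return tuple((i + j) % Q for i, j in zip(u, v))
def sub(u, v): return tuple((i - j) % Q for i, j in zip(u, v))
def mul(u, v):
    c = [0] * 5
    for i in range(3):
        for j in range(3): c[i + j] += u[i] * v[j]
    return ((c[0] + 2 * c[3]) % Q, (c[1] + 2 * c[4]) % Q, c[2] % Q)   # reduce using t^3 = 2
def power(u, e):
    r = ONE
    while e:
        if e & 1: r = mul(r, u)
        u, e = mul(u, u), e >> 1
    return r
def inv(u): return power(u, Q ** 3 - 2)
def frob(P): return (power(P[0], Q), power(P[1], Q))      # Frobenius phi(x, y) = (x^q, y^q)
def neg(P): return (sub(ZERO, P[0]), P[1])                # -(x, y) = (-x, y)
def ed_add(P1, P2):   # the unified twisted Edwards addition law from the slides
    (x1, y1), (x2, y2) = P1, P2
    t = mul(mul(DD, mul(x1, x2)), mul(y1, y2))            # d x1 x2 y1 y2
    return (mul(add(mul(x1, y2), mul(x2, y1)), inv(add(ONE, t))),
            mul(sub(mul(y1, y2), mul(AA, mul(x1, x2))), inv(sub(ONE, t))))
def trace_zero_point():
    """T = P - phi(P) has trace zero for every P; return one that phi does not fix."""
    for y in ALL:
        rhs = mul(sub(ONE, mul(y, y)), inv(sub(AA, mul(DD, mul(y, y)))))   # x^2 from the curve
        x = power(rhs, (Q ** 3 + 1) // 4)                 # square root, since q^3 = 3 mod 4
        if mul(x, x) == rhs:
            T = ed_add((x, y), neg(frob((x, y))))
            if frob(T) != T: return T
def compress(T):
    """(a0, b0, b1) of the conic a0(1+y) + x(b1 y + b0) through T, phi(T), phi^2(T), O' = (0,-1)."""
    (p0, p1, p2), (r0, r1, r2) = [(add(ONE, y), x, mul(x, y)) for x, y in (T, frob(T))]
    sol = (sub(mul(p1, r2), mul(p2, r1)), sub(mul(p2, r0), mul(p0, r2)),
           sub(mul(p0, r1), mul(p1, r0)))                 # cross product spans the solution line
    s = inv(sol[2] if sol[2] != ZERO else sol[1])          # scale so b1 = 1, or (our choice) b0 = 1
    return tuple(mul(c, s) for c in sol)                   # Frobenius-stable, so entries lie in F_q
def decompress(a0, b0, b1):
    """Roots of (a - d t^2)(1+t) a0^2 + (t - 1)(b1 t + b0)^2 are the conjugates of y (Proposition)."""
    pts = []
    for z in ALL:                                          # brute-force root search in F_{7^3}
        q2 = add(mul(b1, z), b0)
        g = add(mul(mul(sub(AA, mul(DD, mul(z, z))), add(ONE, z)), mul(a0, a0)),
                mul(sub(z, ONE), mul(q2, q2)))
        if g == ZERO:                                      # then x = -(1+y) a0 / (b1 y + b0)
            pts.append((sub(ZERO, mul(add(ONE, z), mul(a0, inv(q2)))), z))
    return pts
```

compress(trace_zero_point()) yields three field elements whose t and t² coordinates are zero, i.e. the representation lands in F_q as the theorem predicts, and decompress recovers exactly the orbit {P, ϕ(P), ϕ²(P)}.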