2

I know that many similar questions exist but the nature of this question is more of theoretical rather being help in implementation.

I am reading Washington’s book Elliptic Curves, Number Theory and Cryptography. In which he mentions that formulas for addition and doubling are slow and needs to calculate inverse. Thus he writes:

Therefore, it is sometimes advantageous to avoid inversion in the formulas for point addition. In this section, we discuss a few alternative formulas where this can be done

Then he discuss the Jacobian Coordinate System in section 2.6.2 where he discusses a modification of formulas which I can’t understand. First he says that the curve now becomes

$$E_j : y^2 = x^3 + ax^2z^4 + bz^6 $$

What does this mean? From where this $z$ came?

Then he produce modified point operation formulas out of which I am only interested in doubling.

For coordinate $(x_1,y_1,z_1)$ let resulting coordinates be $(x_r, y_r, z_r)$the new formulae are:

$$v = 4x_1 y_1^2, \qquad w = 3x_1^2+az_1^4 \\ x_r = -2v + w^2, \qquad y_r = -8y_1^4 + (v - x_r)w, \qquad z_r = 2 y_1z_1$$

These formulas ease point doubling as there is no need to calculate inverses now. But are these the only way to add Jacobian coordinates? Across the web I have found multiple ways to do so.

It would be helpful if one can explain with the help of an example. A good example would be $E: y^2 = x^3 + 7$ over field $\mathbb{F}_{97}$. We have $ n= \#E(\mathbb{F}_{97}) = 79$ If you like to have a look on group law of this curve you can see here.

madhurkant
  • 830
  • 3
  • 18

1 Answers1

4

What does this mean? From where this came?

You can imagine $z$ as an additional axis which emerges from the projective space. This post gives a very good intuition and description of what is happening.

Essentially, you embed a 2d elliptic curve (affine coordinates) inside a 3d space (projective coordinates). This can provide some interesting properties, e.g. faster arithmetics.

In affine coordinates, the curve is defined as:

$$ y^2 = x^3 + ax + b $$

In Jacobian coordinates, points are represented as $(X, Y, Z)$ such that the affine coordinates can be recovered by:

$$ x = \frac{X}{Z^2}, \quad y = \frac{Y}{Z^3} $$

Substituting these into the original elliptic curve equation we get

$$ \left(\frac{Y}{Z^3}\right)^2 = \left(\frac{X}{Z^2}\right)^3 + a \left(\frac{X}{Z^2}\right) + b, $$

which gives us

$$ Y^2 = X^3 + aXZ^4 + bZ^6, $$

by multiplying through with $Z^6$.

But are these the only way to add Jacobian coordinates?

No, there are several ways to implement point doubling (and addition). These formulas are common because they do not need to compute inversions/divisions. There are a lot of reasons, why division is undesirable and it is quite a huge topic. I provide some notes on that here.

kodlu
  • 25,146
  • 2
  • 30
  • 63
Titanlord
  • 2,812
  • 13
  • 37