# American Institute of Mathematical Sciences

February  2019, 13(1): 41-66. doi: 10.3934/amc.2019003

## Connecting Legendre with Kummer and Edwards

 1 iCIS Lab, Department of Computer Science, University of Calgary, Canada 2 Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata, India

* Corresponding author

Received  January 2018 Revised  August 2018 Published  December 2018

Scalar multiplication on suitable Legendre form elliptic curves can be speeded up in two ways. One can perform the bulk of the computation either on the associated Kummer line or on an appropriate twisted Edwards form elliptic curve. This paper provides details of moving to and from between Legendre form elliptic curves and associated Kummer line and moving to and from between Legendre form elliptic curves and related twisted Edwards form elliptic curves. Further, concrete twisted Edwards form elliptic curves are identified which correspond to known Kummer lines at the 128-bit security level which provide very fast scalar multiplication on modern architectures supporting SIMD operations.

Citation: Sabyasachi Karati, Palash Sarkar. Connecting Legendre with Kummer and Edwards. Advances in Mathematics of Communications, 2019, 13 (1) : 41-66. doi: 10.3934/amc.2019003
##### References:

show all references

##### References:
Double and differential addition in the square-only setting
 $\mathsf{dbl}(\mathsf{x}^2,\mathsf{z}^2)$ $\mathsf{diffAdd}(\mathsf{x}_1^2,\mathsf{z}_1^2,\mathsf{x}_2^2,\mathsf{z}_2^2,\mathsf{x}^2,\mathsf{z}^2)$ $\mathsf{s}_0 = \mathsf{B}^2(\mathsf{x}^2+\mathsf{z}^2)^2$; $\mathsf{s}_0 = \mathsf{B}^2(\mathsf{x}_1^2+\mathsf{z}_1^2)(\mathsf{x}_2^2+\mathsf{z}_2^2)$; $\mathsf{t}_0 = \mathsf{A}^2(\mathsf{x}^2-\mathsf{z}^2)^2$; $\mathsf{t}_0 = \mathsf{A}^2(\mathsf{x}_1^2-\mathsf{z}_1^2)(\mathsf{x}_2^2-\mathsf{z}_2^2)$; $\mathsf{x}_3^2 = \mathsf{b}^2(\mathsf{s}_0+\mathsf{t}_0)^2$; $\mathsf{x}_3^2 = \mathsf{z}^2(\mathsf{s}_0+\mathsf{t}_0)^2$; $\mathsf{z}_3^2 = \mathsf{a}^2(\mathsf{s}_0-\mathsf{t}_0)^2$; $\mathsf{z}_3^2 = \mathsf{x}^2(\mathsf{s}_0-\mathsf{t}_0)^2$; return $(\mathsf{x}_3^2,\mathsf{z}_3^2)$. return $(\mathsf{x}_3^2,\mathsf{z}_3^2)$.
 $\mathsf{dbl}(\mathsf{x}^2,\mathsf{z}^2)$ $\mathsf{diffAdd}(\mathsf{x}_1^2,\mathsf{z}_1^2,\mathsf{x}_2^2,\mathsf{z}_2^2,\mathsf{x}^2,\mathsf{z}^2)$ $\mathsf{s}_0 = \mathsf{B}^2(\mathsf{x}^2+\mathsf{z}^2)^2$; $\mathsf{s}_0 = \mathsf{B}^2(\mathsf{x}_1^2+\mathsf{z}_1^2)(\mathsf{x}_2^2+\mathsf{z}_2^2)$; $\mathsf{t}_0 = \mathsf{A}^2(\mathsf{x}^2-\mathsf{z}^2)^2$; $\mathsf{t}_0 = \mathsf{A}^2(\mathsf{x}_1^2-\mathsf{z}_1^2)(\mathsf{x}_2^2-\mathsf{z}_2^2)$; $\mathsf{x}_3^2 = \mathsf{b}^2(\mathsf{s}_0+\mathsf{t}_0)^2$; $\mathsf{x}_3^2 = \mathsf{z}^2(\mathsf{s}_0+\mathsf{t}_0)^2$; $\mathsf{z}_3^2 = \mathsf{a}^2(\mathsf{s}_0-\mathsf{t}_0)^2$; $\mathsf{z}_3^2 = \mathsf{x}^2(\mathsf{s}_0-\mathsf{t}_0)^2$; return $(\mathsf{x}_3^2,\mathsf{z}_3^2)$. return $(\mathsf{x}_3^2,\mathsf{z}_3^2)$.
Scalar multiplication on Kummer line using a ladder
 $\mathsf{scalarMult}(\mathsf{P},n)$ $\mathsf{ladder}(\mathsf{R},\mathsf{S},\mathfrak{b})$ input: $\mathsf{P}\in{\mathcal K}_{\mathsf{a}^2,\mathsf{b}^2}$; if ($\mathfrak{b}=0$) $\ell$-bit scalar $n=(1,n_{\ell-2},\ldots,n_0)$; $\mathsf{S}=\mathsf{diffAdd}(\mathsf{R},\mathsf{S},\mathsf{P})$; output: $n\mathsf{P}$; $\mathsf{R}=\mathsf{dbl}(\mathsf{R})$; set $\mathsf{R}=\mathsf{P}$ and $\mathsf{S}=\mathsf{dbl}(\mathsf{P})$; else for $i=\ell-2,\ell-3,\ldots,0$ do $\mathsf{R}=\mathsf{diffAdd}(\mathsf{R},\mathsf{S},\mathsf{P})$; $(\mathsf{R},\mathsf{S})=\mathsf{ladder}(\mathsf{R},\mathsf{S},n_i)$; $\mathsf{S}=\mathsf{dbl}(\mathsf{S})$; return $(\mathsf{R},\mathsf{S})$. return $(\mathsf{R},\mathsf{S})$.
 $\mathsf{scalarMult}(\mathsf{P},n)$ $\mathsf{ladder}(\mathsf{R},\mathsf{S},\mathfrak{b})$ input: $\mathsf{P}\in{\mathcal K}_{\mathsf{a}^2,\mathsf{b}^2}$; if ($\mathfrak{b}=0$) $\ell$-bit scalar $n=(1,n_{\ell-2},\ldots,n_0)$; $\mathsf{S}=\mathsf{diffAdd}(\mathsf{R},\mathsf{S},\mathsf{P})$; output: $n\mathsf{P}$; $\mathsf{R}=\mathsf{dbl}(\mathsf{R})$; set $\mathsf{R}=\mathsf{P}$ and $\mathsf{S}=\mathsf{dbl}(\mathsf{P})$; else for $i=\ell-2,\ell-3,\ldots,0$ do $\mathsf{R}=\mathsf{diffAdd}(\mathsf{R},\mathsf{S},\mathsf{P})$; $(\mathsf{R},\mathsf{S})=\mathsf{ladder}(\mathsf{R},\mathsf{S},n_i)$; $\mathsf{S}=\mathsf{dbl}(\mathsf{S})$; return $(\mathsf{R},\mathsf{S})$. return $(\mathsf{R},\mathsf{S})$.
Some properties of the group of $\mathbb{F}_p$-rational points of the Legendre form elliptic curves $E_{1a}$, $E_{1b}$, $E_2$ and $E_3$
 $E_{1a}$ $E_{1b}$ $E_2$ $E_3$ $p$ $2^{251}-9$ $2^{251}-9$ $2^{255}-19$ $2^{266}-3$ $(\lg\ell,\lg\ell_T)$ $(248,248)$ $(248,248)$ $(251.4,252)$ $(262.4,263)$ $(h,h_T)$ $(8,8)$ $(8,8)$ $(12,8)$ $(12,8)$ $(k,k_T)$ $\left(\ell-1,\frac{\ell_T-1}{7}\right)$ $\left(\ell-1,\ell_T-1\right)$ $\left(\ell-1,\ell_T-1\right)$ $\left(\frac{\ell-1}{2},\ell_T-1\right)$ $\lg (-D)$ $246.3$ $249.8$ $255$ $266$ $\mathsf{KL}$ base pt $[64:1]$ $[19:1]$ $[31:1]$ $[2:1]$
 $E_{1a}$ $E_{1b}$ $E_2$ $E_3$ $p$ $2^{251}-9$ $2^{251}-9$ $2^{255}-19$ $2^{266}-3$ $(\lg\ell,\lg\ell_T)$ $(248,248)$ $(248,248)$ $(251.4,252)$ $(262.4,263)$ $(h,h_T)$ $(8,8)$ $(8,8)$ $(12,8)$ $(12,8)$ $(k,k_T)$ $\left(\ell-1,\frac{\ell_T-1}{7}\right)$ $\left(\ell-1,\ell_T-1\right)$ $\left(\ell-1,\ell_T-1\right)$ $\left(\frac{\ell-1}{2},\ell_T-1\right)$ $\lg (-D)$ $246.3$ $249.8$ $255$ $266$ $\mathsf{KL}$ base pt $[64:1]$ $[19:1]$ $[31:1]$ $[2:1]$
Conversions from Kummer line to Legendre form elliptic curves and vice versa. Here $\alpha_0 = \mathsf{a}^2$ and $\alpha_1 = \mathsf{b}^2$ are precomputed quantities
 KL to Legendre Legendre to KL $\widehat{\psi}([\mathsf{x}^2:\mathsf{z}^2])$ $\widehat{\psi}^{-1}(X:\cdot:Z)$ $X=\alpha_0\mathsf{z}^2$; $\mathsf{x}^2=\alpha_0(X-Z)$; $t_1=\alpha_1\mathsf{x}^2$; $\mathsf{z}^2=\alpha_1X$; $Z=X-t_1$; return $[\mathsf{x}^2:\mathsf{z}^2]$. return $(X:\cdot:Z)$.
 KL to Legendre Legendre to KL $\widehat{\psi}([\mathsf{x}^2:\mathsf{z}^2])$ $\widehat{\psi}^{-1}(X:\cdot:Z)$ $X=\alpha_0\mathsf{z}^2$; $\mathsf{x}^2=\alpha_0(X-Z)$; $t_1=\alpha_1\mathsf{x}^2$; $\mathsf{z}^2=\alpha_1X$; $Z=X-t_1$; return $[\mathsf{x}^2:\mathsf{z}^2]$. return $(X:\cdot:Z)$.
Base points for $E_{1a}$, $E_{1b}$, $E_2$ and $E_3$ corresponding to $\mathsf{KL}_{1a}$, $\mathsf{KL}_{1b}$, $\mathsf{KL}_{2}$ and $\mathsf{KL}_{3}$
 $p$ $\mathsf{a}^2$ $\mathsf{b}^2$ $[\mathsf{x}^2:\mathsf{z}^2]$ $(x,y)$ $2^{251}-9$ $81$ $20$ $[64:1]$ $(-81/1199,\mathfrak{y}_1)$ $2^{251}-9$ $186$ $175$ $[19:1]$ $(-186/3139,\mathfrak{y}_2)$ $2^{255}-19$ $82$ $77$ $[31:1]$ $(-82/2305,\mathfrak{y}_3)$ $2^{266}-3$ $260$ $139$ $[2:1]$ $(-260/18,\mathfrak{y}_4)$
 $p$ $\mathsf{a}^2$ $\mathsf{b}^2$ $[\mathsf{x}^2:\mathsf{z}^2]$ $(x,y)$ $2^{251}-9$ $81$ $20$ $[64:1]$ $(-81/1199,\mathfrak{y}_1)$ $2^{251}-9$ $186$ $175$ $[19:1]$ $(-186/3139,\mathfrak{y}_2)$ $2^{255}-19$ $82$ $77$ $[31:1]$ $(-82/2305,\mathfrak{y}_3)$ $2^{266}-3$ $260$ $139$ $[2:1]$ $(-260/18,\mathfrak{y}_4)$
Values of $x_1,y_1$ and $x_2$ which are solutions to (24)
 $x_2=0$ $x_1 = \sqrt{\mu}$ $y_1 = \pm\sqrt{-\mu^2 + 2\mu^{3/2} - \mu}$ $x_1 = -\sqrt{\mu}$ $y_1 = \pm\sqrt{-\mu^2 - 2\mu^{3/2} - \mu}$ $x_2=1$ $x_1 = 1 + \sqrt{1-\mu}$ $y_1 = \pm (-1+\mu-\sqrt{1-\mu})$ $x_1 = 1 - \sqrt{1-\mu}$ $y_1 = \pm (-1+\mu+\sqrt{1-\mu})$ $x_2=\mu$ $x_1 = \mu + \sqrt{\mu^2-\mu}$ $y_1 = \pm \left(2\mu^3 + 2\mu^2\sqrt{\mu^2-\mu}-3\mu^2-2\mu\sqrt{\mu^2-\mu}+\mu\right)^{1/2}$ $x_1 = \mu - \sqrt{\mu^2-\mu}$ $y_1 = \pm \left(2\mu^3 - 2\mu^2\sqrt{\mu^2-\mu}-3\mu^2+2\mu\sqrt{\mu^2-\mu}+\mu\right)^{1/2}$
 $x_2=0$ $x_1 = \sqrt{\mu}$ $y_1 = \pm\sqrt{-\mu^2 + 2\mu^{3/2} - \mu}$ $x_1 = -\sqrt{\mu}$ $y_1 = \pm\sqrt{-\mu^2 - 2\mu^{3/2} - \mu}$ $x_2=1$ $x_1 = 1 + \sqrt{1-\mu}$ $y_1 = \pm (-1+\mu-\sqrt{1-\mu})$ $x_1 = 1 - \sqrt{1-\mu}$ $y_1 = \pm (-1+\mu+\sqrt{1-\mu})$ $x_2=\mu$ $x_1 = \mu + \sqrt{\mu^2-\mu}$ $y_1 = \pm \left(2\mu^3 + 2\mu^2\sqrt{\mu^2-\mu}-3\mu^2-2\mu\sqrt{\mu^2-\mu}+\mu\right)^{1/2}$ $x_1 = \mu - \sqrt{\mu^2-\mu}$ $y_1 = \pm \left(2\mu^3 - 2\mu^2\sqrt{\mu^2-\mu}-3\mu^2+2\mu\sqrt{\mu^2-\mu}+\mu\right)^{1/2}$
Summary of the different twisted Edwards form curve. Here b.r. denotes birational equivalence and 2-iso denotes 2-isogeny
 Kummer Legendre twisted Edwards Legendre to twisted Edwards $\mathsf{KL2519}(81,20)$ $E_{1a}$ $\mathsf{Ed}_{1a,1}$ b.r. (Thm 4.4) $\mathsf{Ed}_{1a,2}$ b.r. (Thm 4.4) $\mathsf{KL2519}(186,175)$ $E_{1b}$ $\mathsf{Ed}_{1b,1}$ b.r. (Thm 4.4) $\mathsf{Ed}_{1b,2}$ b.r. (Thm 4.4) $\mathsf{Ed}_{1b,3}$ 2-iso (Thm 4.5) $\mathsf{KL25519}(82,77)$ $E_{2}$ $\mathsf{Ed}_{2}$ 2-iso (Thm 4.5) $\mathsf{KL2663}(260,139)$ $E_{3}$ $\mathsf{Ed}_{3}$ 2-iso (Thm 4.5)
 Kummer Legendre twisted Edwards Legendre to twisted Edwards $\mathsf{KL2519}(81,20)$ $E_{1a}$ $\mathsf{Ed}_{1a,1}$ b.r. (Thm 4.4) $\mathsf{Ed}_{1a,2}$ b.r. (Thm 4.4) $\mathsf{KL2519}(186,175)$ $E_{1b}$ $\mathsf{Ed}_{1b,1}$ b.r. (Thm 4.4) $\mathsf{Ed}_{1b,2}$ b.r. (Thm 4.4) $\mathsf{Ed}_{1b,3}$ 2-iso (Thm 4.5) $\mathsf{KL25519}(82,77)$ $E_{2}$ $\mathsf{Ed}_{2}$ 2-iso (Thm 4.5) $\mathsf{KL2663}(260,139)$ $E_{3}$ $\mathsf{Ed}_{3}$ 2-iso (Thm 4.5)
General $d$
 $A \leftarrow (V_1 - U_1 ) \cdot (V_2 - U_2 )$, $B \leftarrow (V_1 + U_1 ) \cdot (V_2 + U_2 )$, $C \leftarrow (2d) T_1 \cdot T_2$, $D \leftarrow 2W_1 \cdot W_2$, $E \leftarrow B - A$, $F \leftarrow D - C$, $G \leftarrow D + C$, $H \leftarrow B + A$, $U_3 \leftarrow E \cdot F$, $V_3 \leftarrow G \cdot H$, $T_3 \leftarrow E \cdot H$, $W_3 \leftarrow F \cdot G$.
 $A \leftarrow (V_1 - U_1 ) \cdot (V_2 - U_2 )$, $B \leftarrow (V_1 + U_1 ) \cdot (V_2 + U_2 )$, $C \leftarrow (2d) T_1 \cdot T_2$, $D \leftarrow 2W_1 \cdot W_2$, $E \leftarrow B - A$, $F \leftarrow D - C$, $G \leftarrow D + C$, $H \leftarrow B + A$, $U_3 \leftarrow E \cdot F$, $V_3 \leftarrow G \cdot H$, $T_3 \leftarrow E \cdot H$, $W_3 \leftarrow F \cdot G$.
$d = d_1/d_2$ with $d_1,d_2$ small
 $A \leftarrow (V_1 - U_1 ) \cdot (V_2 - U_2 )$, $B \leftarrow (V_1 + U_1 ) \cdot (V_2 + U_2 )$, $C \leftarrow (2d_1) T_1 \cdot T_2$, $D \leftarrow (2d_2) W_1 \cdot W_2$, $E \leftarrow d_2(B - A)$, $F \leftarrow D - C$, $G \leftarrow D + C$, $H \leftarrow d_2(B + A)$, $U_3 \leftarrow E \cdot F$, $V_3 \leftarrow G \cdot H$, $T_3 \leftarrow E \cdot H$, $W_3 \leftarrow F \cdot G$.
 $A \leftarrow (V_1 - U_1 ) \cdot (V_2 - U_2 )$, $B \leftarrow (V_1 + U_1 ) \cdot (V_2 + U_2 )$, $C \leftarrow (2d_1) T_1 \cdot T_2$, $D \leftarrow (2d_2) W_1 \cdot W_2$, $E \leftarrow d_2(B - A)$, $F \leftarrow D - C$, $G \leftarrow D + C$, $H \leftarrow d_2(B + A)$, $U_3 \leftarrow E \cdot F$, $V_3 \leftarrow G \cdot H$, $T_3 \leftarrow E \cdot H$, $W_3 \leftarrow F \cdot G$.
 [1] José Madrid, João P. G. Ramos. On optimal autocorrelation inequalities on the real line. Communications on Pure & Applied Analysis, 2021, 20 (1) : 369-388. doi: 10.3934/cpaa.2020271 [2] Tommi Brander, Joonas Ilmavirta, Petteri Piiroinen, Teemu Tyni. Optimal recovery of a radiating source with multiple frequencies along one line. Inverse Problems & Imaging, 2020, 14 (6) : 967-983. doi: 10.3934/ipi.2020044 [3] Hua Chen, Yawei Wei. Multiple solutions for nonlinear cone degenerate elliptic equations. Communications on Pure & Applied Analysis, , () : -. doi: 10.3934/cpaa.2020272 [4] M. S. Lee, H. G. Harno, B. S. Goh, K. H. Lim. On the bang-bang control approach via a component-wise line search strategy for unconstrained optimization. Numerical Algebra, Control & Optimization, 2021, 11 (1) : 45-61. doi: 10.3934/naco.2020014 [5] João Marcos do Ó, Bruno Ribeiro, Bernhard Ruf. Hamiltonian elliptic systems in dimension two with arbitrary and double exponential growth conditions. Discrete & Continuous Dynamical Systems - A, 2021, 41 (1) : 277-296. doi: 10.3934/dcds.2020138 [6] Yichen Zhang, Meiqiang Feng. A coupled $p$-Laplacian elliptic system: Existence, uniqueness and asymptotic behavior. Electronic Research Archive, 2020, 28 (4) : 1419-1438. doi: 10.3934/era.2020075 [7] Zedong Yang, Guotao Wang, Ravi P. Agarwal, Haiyong Xu. Existence and nonexistence of entire positive radial solutions for a class of Schrödinger elliptic systems involving a nonlinear operator. Discrete & Continuous Dynamical Systems - S, 2020  doi: 10.3934/dcdss.2020436 [8] Hoang The Tuan. On the asymptotic behavior of solutions to time-fractional elliptic equations driven by a multiplicative white noise. Discrete & Continuous Dynamical Systems - B, 2020  doi: 10.3934/dcdsb.2020318 [9] Shenglan Xie, Maoan Han, Peng Zhu. A posteriori error estimate of weak Galerkin fem for second order elliptic problem with mixed boundary condition. Discrete & Continuous Dynamical Systems - B, 2020  doi: 10.3934/dcdsb.2020340 [10] Yongxiu Shi, Haitao Wan. Refined asymptotic behavior and uniqueness of large solutions to a quasilinear elliptic equation in a borderline case. Electronic Research Archive, , () : -. doi: 10.3934/era.2020119 [11] Gongbao Li, Tao Yang. Improved Sobolev inequalities involving weighted Morrey norms and the existence of nontrivial solutions to doubly critical elliptic systems involving fractional Laplacian and Hardy terms. Discrete & Continuous Dynamical Systems - S, 2020  doi: 10.3934/dcdss.2020469

2019 Impact Factor: 0.734