Isogenies on twisted Hessian curves

Fouazou Lontouo Perez Broon; Thinh Dang; Emmanuel Fouotsa; Dustin Moody

doi:10.1515/jmc-2020-0037

Open Access Published by De Gruyter March 16, 2021

Isogenies on twisted Hessian curves

Fouazou Lontouo Perez Broon , Thinh Dang , Emmanuel Fouotsa and Dustin Moody

From the journal Journal of Mathematical Cryptology

https://doi.org/10.1515/jmc-2020-0037

Abstract

Elliptic curves are typically defined by Weierstrass equations. Given a kernel, the well-known Vélu's formula shows how to explicitly write down an isogeny between Weierstrass curves. However, it is not clear how to do the same on other forms of elliptic curves without isomorphisms mapping to and from the Weierstrass form. Previous papers have shown some isogeny formulas for (twisted) Edwards, Huff, and Montgomery forms of elliptic curves. Continuing this line of work, this paper derives explicit formulas for isogenies between elliptic curves in (twisted) Hessian form. In addition, we examine the numbers of operations in the base field to compute the formulas. In comparison with other isogeny formulas, we note that our formulas for twisted Hessian curves have the lowest costs for processing the kernel and our X-affine formula has the lowest cost for processing an input point in affine coordinates.

Keywords: Elliptic curves; Isogeny; Hessian curves; Vélu's formulas

MSC 2010: 14H52; 14K02

1 Introduction

An elliptic curve is defined as a nonsingular irreducible projective curve of genus one, with a specified point as additive identity on the curve. An elliptic curve is said to be defined over a field k if the curve is defined over k and the specified point additive identity is k-rational.

Let E be an elliptic curve defined over k with the specified point additive identity O. It is well known that there exist functions x, y ∈ k(E) such that the rational map ϕ defined over k by ϕ = (x : y : 1) is an isomorphism from E to an elliptic curve in Weierstrass form:

Y2Z+a1XYZ+a3YZ2=X3+a2X2Z+a4XZ2+a6Z3

and ϕ (O) = (0 : 1 : 0), where a₁, a₂, . . . , a₆ ∈ k (see [1, III.3.1]). Therefore, elliptic curves are typically identified with curves defined by such a Weierstrass equation with the specified point additive identity (0 : 1 : 0).

Let E and E^′ be elliptic curves with specified point additive identities O and O^′ respectively. An isogeny from E to E^′ is defined as a morphism ϕ : E → E^′ such that ϕ (O) = O^′. It is a theorem (see [1, III.4.8]) that an isogeny is also a group homomorphism. As a corollary, the kernel of an isogeny is a finite subgroup of the domain. Conversely, if F is a finite subgroup of E, there exists an elliptic curve E^′ and a separable isogeny ϕ : E → E^′ such that the kernel of ϕ is F (see [1, III.4.12]). Given E and F, Vélu's formula in [2] shows an explicit expression for ϕ and E^′, where E and E^′ are both in Weierstrass form.

However, the Weierstrass equation is only one way to represent an elliptic curve. Other forms of elliptic curves are possible and have been proposed, some with applications in cryptography. Examples include Montgomery curves in [3, 4], (twisted) Edwards curves in [5, 6, 7], Huff curves in [8, 9], and (twisted) Hessian curves in [10]. The first formulas for isogenies defined directly for non-Weierstrass curves was for (twisted) Edwards curves and Huff curves [11]. Shortly thereafter, similar work, [12] and [13], showed formulas for computing isogenies on Montgomery curves. In this paper, we derive a formula for isogenies on twisted Hessian curves and consider the computational cost of computing image points. Furthermore, in our main proof, we make explicit and rigorous the techniques and justifications that are required but omitted in proving isogeny formulas in previous works. Compared to other isogeny formulas, we note that our formulas for twisted Hessian curves have the lowest costs for preprocessing the kernel points to determine the rational map prior to input evaluation, and our X-affine formula has the lowest cost for processing an input point in affine coordinates.

Isogenies have found applications in counting the number of points on an elliptic curve over a finite field (e.g. see [14, 15]), analyzing the complexity of elliptic-curve discrete logarithms in [16], and cryptographic constructions (e.g. [17, 18, 19]). More efficient isogeny formulas could lead to performance benefits in the above applications.

The organization of the paper is as follows. Section 2 introduces Hessian curves and their generalization called twisted Hessian curves. A summary of the point addition formulas on twisted Hessian curves is included. Section 3 derives formulas for 3-isogenies. Section 4 states and proves the main result for isogenies with a kernel of size ℓ ≢ 0 (mod 3). Finally, Section 5 examines the main formula's computational cost of computing image points. Some open problems and directions for future work are given in Section 6.

2 Twisted Hessian Curves

A Hessian curve in projective coordinates is defined by the equation

X3+Y3+Z3=dXYZ

with 27 − d³ ≠ 0. The Hessian form of elliptic curves has been studied, for example, in [20, 21, 22, 23], to optimize point addition and scalar multiplication formulas, as well as to optimize pairing computations. In addition, as a step towards resistance against side-channel attacks, the Sylvester addition formula (described below) on Hessian curves can also be used for point doubling and subtraction after a permutation of input coordinates [24]. A generalization of Hessian curves, called twisted Hessian curves, is defined by the equation

aX3+Y3+Z3=dXYZ

with a(27a − d³) ≠ 0. Twisted Hessian curves were used in [10] to provide a complete unified addition formula and improve efficiency for point doubling and tripling over fields of arbitrary characteristic. Other works that optimized arithmetic on (twisted) Hessian curves include [25, 26, 27].

Definition 1

A twisted Hessian curve over a field k is a projective curve H(a, d) defined by the polynomial aX³ + Y³ + Z³ = dXYZ with the specified point (0 : −1 : 1) as additive identity in the projective space ℙ(k)², with a, d ∈ k and a(27a − d³) ≠ 0. If a = 1, the curve is called a Hessian curve.

As an elliptic curve, each twisted Hessian curve must be isomorphic over k to a curve given by a Weierstrass equation. Over a finite field of characteristic not equal to 3, we can find an explicit isomorphism from any twisted Hessian curve to a Weierstrass curve, and conversely, from any Weierstrass curve with a k-rational point of order 3 to a twisted Hessian curve. Such isomorphisms are given in [10, Theorem 5.3 and 5.4] and [28].

For convenience, we summarize below the formulas for point addition on twisted Hessian curves. Let (X₁ : Y₁ : Z₁) and (X₂ : Y₂ : Z₂) be points on H(a, d). The inverse of (X₁ : Y₁ : Z₁) is

−(X1:Y1:Z1)=(X1:Z1:Y1).

The (Sylvester) standard addition formula is given by:

X3=X12Y2Z2−X22Y1Z1,Y3=Z12X2Y2−Z22X1Y1,Z3=Y12X2Z2−Y22X1Z1.

If (X₃, Y₃, Z₃) ≠ (0, 0, 0), then (X₁ : Y₁ : Z₁) + (X₂ : Y₂ : Z₂) = (X₃ : Y₃ : Z₃). Another addition formula, called rotated addition, is defined by the formula:

X3′=Z22X1Z1−Y12X2Y2,Y3′=Y22Y1Z1−aX12X2Z2,Z3′=aX22X1Y1−Z12Y2Z2.

If (X3′,Y3′,Z3′)≠(0,0,0) , then (X1:Y1:Z1)+(X2:Y2:Z2)=(X3′:Y3′:Z3′). . The completeness follows because (X₃, Y₃, Z₃) ≠ (0, 0, 0) or (X3′,Y3′,Z3′)≠(0,0,0) by [10, Theorem 4.7]. Moreover, if a is not a cube in k, then (X3′,Y3′,Z3′)≠(0,0,0) [10, Theorem 4.5].

3 3-isogenies

In this section, we show how to compute 3-isogenies on twisted Hessian curves, and in the next section, we provide a formula for ℓ-isogenies with ℓ ≢ 0 (mod 3). To compute an isogeny with kernel of size divisible by 3, we can write the kernel as an internal product of a subgroup of size ℓ not divisible by 3 and one or more subgroups of size 3, and compose the formulas for each factor. Together, these formulas are sufficient for kernels of any size. In particular, to obtain an isogeny with kernel of size 3^rℓ where ℓ ≢ 0 (mod 3), we can compose an ℓ-isogeny with r isogenies of degree 3.

To derive the result for 3-isogenies, we begin by characterizing all points of order 3 on a twisted Hessian curve. Let c be a cubic root of a. It can be easily verified that the point (1 : 0 : −c) and its inverse (1 : −c : 0) both have order 3. In addition, if ω³ = 1 and ω ≠ 1, then (0 : −ω : 1) and its inverse (0 : 1 : −ω) have order 3. The verification has been done in [10, Theorem 5.1]. In fact, based on the cardinality of the 3-torsion on elliptic curves (e.g. see [29, Theorem 3.2]), these are the only points of order 3 on a twisted Hessian curve. Moreover, using the defining equation of H(a, d), it can be easily verified that the 3-torsion is the precisely the set of points (X : Y : Z) such that XYZ = 0.

We now turn to formulas for 3-isogenies of twisted Hessian curves. As seen in the preceding paragraph, a kernel of size 3 is either generated by (0 : −ω : 1) with ω³ = 1 and ω ≠ 1 or by (1 : −c : 0) with c³ = a. First, we consider 3-isogenies with their kernel generated by (0 : −ω : 1). Such a map can be obtained by composing the 3-isogeny given in [10, Theorem 5.4] from a twisted Hessian curve to a Weierstrass curve of the form Y²Z + a₁XYZ + a₃YZ² = X³ with the isomorphism given in [10, Theorem 5.4] between such a Weierstrass curve and a twisted Hessian curve. The result of such composition is stated in Theorem 1.

Theorem 1

Let ω³ = 1 and ω ≠ 1. The map

(X:Y:Z)↦(XYZ:aX3+ω2Y3+ωZ3:aX3+ωY3+ω2Z3)

is an isogeny from H(a, d) to H(d³ − 27a, 3d) with the kernel

〈(0:−ω:1)〉=〈(0:−ω2:1)〉={(0:−1:1),(0:−ω:1),(0:−ω2:1)}.

Proof

We leave the straightforward verification to the reader.

Next, we consider 3-isogenies with kernel generated by the point (1 : −c : 0) with c³ = a. The only formula for such isogenies that we are aware of is given in [30, Proposition 4] for Hessian curves over characteristic 3. We restate the result here.

Theorem 2

Let k have characteristic 3. The map σ : H(1, d^3ⁱ⁺¹) → H(1, d^3ⁱ) defined by

σ(X:Y:Z)=(d2⋅3iXYZ:Y2Z+X2Y+XZ2:XY2+X2Z+YZ2)

is an isogeny. Moreover, f : H(1, d^3ⁱ) → H(1, d^3ⁱ⁺¹) defined by f (X : Y : Z) = (X³ : Y³ : Z³) is an isogeny, and f ○ σ (P) = 3P for each P on H(1, d^3ⁱ⁺¹). The kernel of σ is {(0 : −1 : 1), (−1 : 1 : 0), (−1 : 0 : 1)}.

We generalize Theorem 2 to 3-isogenies on twisted Hessian curves H(a, d) over any characteristic with kernel 〈(1 : −c : 0)〉, where c³ = a.

Theorem 3

The rational map

ϕ=(XYZ:c2X2Z+cXY2+YZ2:c2X2Y+cXZ2+Y2Z).

is an isogeny from H(a, d) to H(A, D), where c³ = a,

A=d2c+3dc2+9a and D=d+6c

with kernel

〈(1:−c:0)〉=〈(1:0:−c)〉={(0:−1:1),(1:−c:0),(1:0:−c)}.

Proof

Let f = xy, g = c²x² + cxy² + y, and h = c²x²y + cx + y² be the dehomogenized coordinate maps of ϕ. Also let A and D be as given in the theorem statement. Then,

Af3+g3+h3−Dfgh=(ax3y3−cdx2y2+ax3+y3)(ax3+y3+1−dxy).

This shows that the range of the rational map ϕ is indeed H(A, D). It remains to check that the kernel is as claimed. Let P = (X : Y : Z) and suppose ϕ (P) = (0 : −1 : 1), then XYZ = 0.

If X = 0, then YZ² = −Y²Z, i.e. Z = −Y and P = (0 : −1 : 1).
If Y = 0, then c²X²Z = −cXZ², i.e. cX = −Z and P = (1 : 0 : −c).
If Z = 0, then cXY² = −c²X²Y, i.e. Y = −cX and P = (1 : −c : 0).

Conversely, by straightforward calculation, we see that ϕ (P) = (0 : −1 : 1) for each such P.

4 Isogenies of degree ℓ ≢ 0 (mod 3)

In this section, we look at the ℓ-isogeny formulas, where ℓ ≢ 0 (mod 3). One approach for obtaining such an ℓ-isogeny between twisted Hessian curves is to compose the isogeny given by Vélu's formula with isomorphisms to and from Weierstrass curves. This approach, however, doesn’t lead to a simple formula. Moreover, the resulting codomain twisted Hessian curve is dependent on the choice of point of order 3 on the codomain Weierstrass curve produced by Vélu's formula. We prove our main twisted Hessian isogeny result as follows.

Theorem 4

Let F={(0:−1:1)}∪{(si:ti:1)}i=1n be a finite subgroup of H(a, d) of size ℓ = n + 1, where ℓ is not divisible by 3. Then, F is the kernel of an isogeny from H(a, d) to H(A, D) defined by

ϕ(P)=(∏R∈FX(P+R):∏R∈FY(P+R):∏R∈FZ(P+R)).

where A = a^ℓ and

D=(1−2n)d+6∑i=1n1/(siti)∏i=1nsi.

Note that in the equation for ϕ, for each point P + R, the choice of representative of P + R in projective coordinates does not affect the result ϕ (P). Moreover, s_it_i ≠ 0 for each i ∈ {1, 2, . . ., n}.

Proof

Without loss of generality, let k be algebraically closed. We start by writing down a rational form of the map ϕ given in the theorem, which is derived from the standard addition formula. Let

ϕY:=yx∏i=1nxy−sitisi2y−tix2 and ϕZ:=1x∏i=1nti2x−siy2si2y−tix2.

That is, ϕ (x : y : 1) = (1 : ϕ_Y : ϕ_Z). Define

G=A+ϕY3+ϕZ3−DϕYϕZ∈k(H),

where A, D ∈ k are to be determined.

Our goal is show that G = 0 for A, D ∈ k as stated in the theorem. To this end, by Proposition [1, II.1.2], it suffices to show that G has no poles and G(Q) = 0 for some Q on H. By the definitions of ϕ_Y and ϕ_Z, if P is a pole of G, then X(ϕ (P)) = 0, which is equivalent to X(P + R) = 0 for some R ∈ F. Let Q = P + R. From the formula of ϕ, it can be seen that ϕ is invariant under translation by any point in F. So ϕ (P) = ϕ (Q) and X(Q) = 0. Therefore, if G has a pole at some point P, then G also has a pole at some point Q with X(Q) = 0. By subsituting X = 0 into the defining equation of H, we find that the only points Q with X(Q) = 0 are {(0 : −ω : 1) | ω³ = 1}.

Let P = (0 : −ω : 1) with ω³ = 1. We’ll show that P is not a pole of G for some A and D in k and hence by the arguments in the preceding paragraph, G has no pole at all and thus is constant.

First, we assume that the characteristic of k is not 3. We need the following facts:

k[H]_P is a discrete valuation ring and x is a uniformizer of k[H]_P by [31, Theorem 1 of Chapter 3]. – k[H]_P has the unique maximal ideal M_P := {q ∈ k[H]_P | q(P) = 0} (see [31, Section 2.4]).
k(H) is the field of quotients of k[H]_P.
The field k is a subring of k[H]_P, and the map b ↦ b + M_p from k to k[H]_p/M_P is a field isomorphism.

We can conclude that the function that maps each element in k(H) to its Laurent series expansion in k((x)) is a one-to-one ring homomorphism [31, Problem 2.32]. We write f=∑i=mrcixi where m ∈ ℤ and r ∈ ℤ ∪ {∞} to mean that f has the Laurent series expansion ∑i=mrcixi . We also denote by O(xⁿ) any unspecified series of order at least n.

Next, we find the series expansion of y in terms of x. The order of y at P is ord_P(y) = 0, since y is defined and is nonzero at P. Thus y has a power series expansion y=∑i=0∞cixi . As ax³ + y³ + 1 − dxy is zero in k(H) and the function that maps each element in k(H) to its Laurent series expansion is a one-to-one ring homomorphism,

ax3+(∑i=0∞cixi)3+1−dx(∑i=0∞cixi)=0.

Since y − c₀ vanishes at P, we have c₀ = −ω. Then, solving for c₁ and c₂ gives

y=−ω−d3ωx+O(x3).

Then,

xy−sitisi2y−tix2=tiωsi+(3−dsiti3si2)x+(9ti2−d2si2ti9ω2si3)x2+O(x3),ti2x−siy2si2y−tix2=ωsi+(3t2−ds3ωs2)x+(dsiti2−3t3si3)x2+O(x3).

Note that by the characterization of the 3-torsion in the preceding section, that the kernel does not contain a point of order 3 is equivalent to s_it_i ≠ 0. In the remainder of the proof, we use the definition S:=∏i=1nsi , and since −(s_i : t_i : 1) = (s_i/t_i : 1/t_i : 1), we have

(1) ∏i=1nti=1, ∑i=1nti2si=∑i=1n1siti, and∑1≤i<j≤nti2tj2sisj=∑1≤i<j≤n1sisjtitj.

Moreover, we also use the following formula for the product of power series:

∏i=1nci(0)+ci(1)x+ci(2)x2+O(x3) =∏i=1nci(0)+(∏i=1nci(0))(∑i=1nci(1)ci(0))x +(∏i=1nci(0))(∑i=1nci(2)ci(0)+∑1≤i<j≤nnci(1)cj(1)ci(0)cj(0))x2+O(x3),

assuming ∏i=1nci(0)≠0 .

Thus, we have

∏i=1nxy−sitisi2y−tix2=U0+U1x+U2x2+O(x3),

where

U0=∏i=1ntiωsi=1ωnS,U1=(∏i=1ntiωsi)∑i=1n(ωsiti−d3)=1ωn−1S(−nd3+∑i=1n1siti),U2=∏i=1ntiωsi(∑i=1n(d29ω−tiωsi2)+∑1≤i<j≤n(ω2(3−dsiti)(3−dsjtj)9sisjtitj))=1ωnS(∑i=1n(d29ω−tiωsi2)+∑1≤i<j≤n(d2ω29−dω23siti−dω23sjtj+ω2sisjtitj))=1ωn+1S(n(n+1)2d29−∑i=1ntisi2−(n−1)d3∑i1siti+∑1≤i<j≤n1sisjtitj).

Moreover,

∏i=1nti2x−siy2si2y−tix2=V0+V1x+V2x2+O(x3),

where

V0=∏i=1nωsi=ωnS,V1=ωnS∑i=1nd3ω2−ti2ω2si=ωn−2S(nd3−∑i=1nti2si),V2=ωnS(∑i=1n(dti23ωsi−tiωsi2)+∑1≤i<j≤n(dsi−3ti2)(dsj−3tj2)9ω4sisj)=ωnS(∑i=1n(dti23ωsi−tiωsi2)+∑1≤i<j≤nd29ω−dti23ωsi−dtj23ωsj+ti2tj2ωsisj)=ωn−1S(n(n−1)2d29−∑i=1ntisi2+(2−n)d3∑i=1nti2si+∑1≤i<j≤nti2tj2sisj).

Substitution into G, with some additional simplifying using (1), yields

G=G−3x−3+G−2x−2+G−1x−1+O(1),

where

G−3=0,G−2=ωS3((2n−1)d−6∑i=1n1siti+DS),G−1=ω2d3S3((2n−1)d−6∑i=1n1siti+DS).

Hence, G₋₂ = G₋₁ = 0 if

D=(1−2n)d+6∑i=1n1sitiS;

i.e. G has no pole and thus is constant.

Finally, we consider the case when k has characteristic 3. In particular, x is not a uniformizer for k[H]_P. Instead, ω = 1, and u = y + 1 is a uniformizer for k[H]_P. Since x is defined and vanishes at P, i.e. ord_P(x) ≥ 1, x has a power series expansion x=∑i=0∞biui with b₀ = 0. Hence,

a(∑i=0∞biui)3+(u−1)3+1−d(∑i=0∞biui)(u−1)=0.

Solving for b₁, b₂, . . . , we get

x=−1d(u3+u4+…+u8)+a−d3d4(u9+…+u11)+−a−d3d4(u12+u13+u14)+O(u15).

Note that in characteristic 3, by the definition of twisted Hessian curves, d ≠ 0. Then,

(xy−sitisi2y−tix2)3=ti3si3(1+u3+u6)+O(u9), (ti2x−siy2si2y−tix2)3=1si3(1−u3)+O(u9),xy−sitisi2y−tix2⋅ti2x−siy2si2y−tix2=1si2(ti+ti3+2dsiu3+ti3dsiu6)+O(u9).

Therefore,

∏i=1n(xy−sitisi2y−tix2)3=1S3(1+nu3+n(n+1)2u6)+O(u9), ∏i=1n(ti2x−siy2si2y−tix2)3=1S3(1−nu3+n(n−1)2u6)+O(u9),∏i=1nxy−sitisi2y−tix2⋅ti2x−siy2si2y−tix2=1S2(1+∑i=1nti3+2dsitiu3)+O(u6).

Using the identities in (1), since

∑i=1n(ti3+2)dsiti=1d(∑i=1nti2si−∑i=1n1siti)=0,

we obtain the simplified expression

∏i=1nxy−sitisi2y−tix2⋅ti2x−siy2si2y−tix2=1S2+O(u6).

Substitution into the definition of G, with additional simplification in characteristic 3, yields

G=d2DS+(2n−1)d3S3u−6+−d2DS+(1−2n)d3S3u−3+O(1).

Therefore, if D = (1 − 2n)d/S, G = O(1) and thus is constant.

We have proved that for the value of D stated in theorem, G is constant. So if G(Q) = 0 for some Q, then G = 0. Next, we find A ∈ k such that G vanishes at Q = (1 : −c : 0) ∈ H where c³ = a. By [10, Theorem 4.1], i.e. (X : Y : Z) + (1 : −c : 0) = (Y : cZ : c²X),

ϕ(Q)=(∏R∈FX(Q+R):∏R∈FY(Q+R):∏R∈FZ(Q+R))=(∏R∈FY(R):cℓ∏R∈FZ(R):c2ℓ∏R∈FX(R))=(∏R∈FY(R)/Z(R):cℓ:0)=(−1:cℓ:0).

So G(Q) = A − c^3ℓ = A − a^ℓ. Solving G(Q) = 0 for A gives A = a^ℓ.

It remains to check that the kernel of ϕ is indeed F. It's clear that ϕ (P) = (0 : −1 : 1) if P ∈ F. For the converse, suppose ϕ (P) = (0 : −1 : 1). Then X(Q) = 0 where Q = P + R for some R ∈ F. So Q = (0 : −1 : 1) or Q = (0 : −ω : 1) for some ω ≠ 1 such that ω³ = 1. If Q = (0 : −1 : 1), P = −R ∈ F. Else, by [10, Theorem 4.6],

ϕ(Q)=ϕ(0:−ω:1)=(0:−ωℓ:1)≠(0:−1:1)

since 3 ∤ ℓ. However, this contradicts ϕ (Q) = ϕ (P) = (0 : −1 : 1). That concludes the proof.

5 Rational-map representations

In this section, we derive efficient rational-map representations of the isogeny in Theorem 4 and examine their computational complexity by counting the number of multiplications, squarings, and inversions. We denote by S, M, M_a, and I the cost of squaring, multiplication, multiplication by a, and inversion respectively.

In general, the computational cost depends on many factors, for examples, how the points are represented: projective, affine, or both (mixed), how much we want to avoid inversions, how the coordinate maps are represented (e.g. polynomials or rational functions), and the particular applications and their amortized running time. In our analysis, we will work with purely affine coordinates or purely projective coordinates, and allow up to one inversion operation. Furthermore, we separate the computation into two parts: one that involves only the kernel and one that requires the input point.

5.1 Affine coordinates

Due to the symmetry between the Z and Y coordinates, we have a choice whether to work with the X-affine and Z-affine patch. We will analyze both cases.

5.1.1 Z-affine coordinates

Lemma 1

If ax³ + y³ + 1 = dxy and aα³ + β³ + 1 = dαβ, then,

(2) (xy−αβ)(β2xy−α)=(βy2−aα2x)(βx2−α2y),

(3) (β2y−aαx2)(y−aαβx2)=(βy2−aα2x)(β−aα2xy),

(4) (αy2−β2x)(αβy2−x)=(α2y−βx2)(aα2xy−β).

Proof

The lemma is implied by the following polynomial identities:

(xy−αβ)(β2xy−α)−(βy2−aα2x)(βx2−α2y)=α2β(ax3+y3+1−dxy)−αxy(aα3+β3+1−dαβ),(β2y−aαx2)(y−aαβx2)−(βy2−aα2x)(β−aα2xy)=aα2βx(ax3+y3+1−dxy)−aαx2y(aα3+β3+1−dαβ),(αy2−β2x)(αβy2−x)−(α2y−βx2)(aα2xy−β)=α2βy(ax3+y3+1−dxy)−αxy2(aα3+β3+1−dαβ).

Corollary 1

Let F={(0,−1)}∪{(α˜i,1)}i=1r∪{(αi,βi),(αi/βi,1/βi)}i=1s be a subgroup of H(a, d) and |F| ≢ 0 (mod 3), where (α_i, β_i) has order greater than 2 and (α˜i,1) has order 2. Let ϕ be the isogeny in Theorem 4 with kernel F. Then,

(5) ϕ=(x∏i=1rα˜i−xyaα˜ix2−y∏i=1sβix2−αi2yβi−aαi2xy,y∏i=1ry2−aα˜i2xaα˜ix2−y∏i=1sβiy2−aαi2xβi−aαi2xy)

(6) =(x∏i=1rα˜i2y−x2x−α˜iy2∏i=1sαi2y−βix2aαi2xy−βi,y∏i=1rxy−α˜ix−α˜iy2∏i=1saαi2x−βiy2aαi2xy−βi).

Proof

Equation (5) follows from Theorem 4, the rotated addition formula, and simplification using equations (2) and (3) in Lemma 1. Equation (6) follows from Theorem 4, the standard addition formula, and simplification using equations (2) and (4) in Lemma 1.

In counting the number of operations, we separate the computation into two parts: one that involves only the kernel and one that requires the input point. First, we look at (5).

To process the kernel, we compute the following values: {αi2,aαi,aαi2}i=1s and {aα˜i,aα˜i2}i=1r . This step takes sS + (2s + r)M_a + rM.
Then, we compute xy, x², y² for 2S + 1M.
Next, we compute {βix2−αi2y,βiy2−aαi2x,βi−aαi2xy}i=1s and {y2−aα˜i2x,aα˜ix2−y}i=1r for (5s + 2r)M
The products x(∏i=1rα˜i−xy)(∏i=1sβix2−αi2y) , y(∏i=1ry2−aα˜i2x)(∏i=1sβiy2−aαi2x) and (∏i=1raα˜ix2−y)(∏i=1sβi−aαi2xy) take additional (3r + 3s − 1)M.
A final step takes 2M + 1I.

In total, processing the kernel takes sS + (2s + r)M_a + rM and the input point takes 2S + (8s + 5r + 2)M + 1I. By similar counting, using (6), processing the kernel takes (r + s)S + 2sM_a and the input point takes 2S + (8s + 5r + 2)M + 1I.

5.1.2 X-affine coordinates

Lemma 2

If a + y³ + z³ = dyz and a + β³ + γ³ = dβγ, then,

(7) (γ2yz−aβ)(β2yz−aγ)=(az−βγy2)(ay−βγz2),

(8) (γ2y−βz2)(β2y−γz2)=(az−βγy2)(yz−βγ),

(9) (β2z−γy2)(γ2z−βy2)=(yz−βγ)(ay−βγz2).

Proof

(γ2yz−aβ)(β2yz−aγ)−(ax−βγy2)(ay−βγz2)=aβγ(a+y3+z3−dyz)−ayz(a+β3+γ3−dβγ),(γ2y−βz2)(β2y−γz2)−(ax−βγy2)(yz−βγ)=βγz(a+y3+z3−dyz)−yz2(a+β3+γ3−dβγ),(β2z−γy2)(γ2z−βy2)−(yz−βγ)(ay−βγz2)=βγy(a+y3+z3−dyz)−y2z(a+β3+γ3−dβγ).

Corollary 2

Let F=O∪{(β˜i,β˜i)}i=1r∪{(βi,γi),(γi,βi)}i=1s be a subgroup of H(a, d) and |F| ≢ 0 (mod 3), where (β_i, γ_i) has order greater than 2 and (β˜i,β˜i) has order 2. Let ϕ be the isogeny in Theorem 4 with kernel F. Then,

(10) ϕ=(y∏i=1rβ˜i2y2−azβ˜i(z2−β˜iy)∏i=1saz−βiγiy2yz−βiγi,z∏i=1ra−β˜iyzz2−β˜iy∏i=1say−βiγiz2yz−βiγi)

(11) =(y∏i=1rβ˜i2y−β˜iz2yz−β˜i2∏i=1saz−βiγiy2yz−βiγi,z∏i=1rβ˜i2z−β˜iy2yz−β˜i2∏i=1say−βiγiz2yz−βiγi).

Moreover, using the notation of Theorem 4,

D=∏i=1rβ˜i(∏i=1sβiγi((1−2r+2s)d+6∑i=1rβ˜i)−6a∑i=1s∏j≠iβjγj).

Note that the expression for D doesn’t involve any inversion.

Proof

Equation (10) follows from Theorem 4, the rotated addition formula, and simplification using equations (7) and (8) in Lemma 2. Equation (11) follows from Theorem 4, the standard addition formula, and simplification using equations (8) and (9) in Lemma 2. The expression for D follows because, using the notation in Theorem 4,

∏i=1n1siti=∑i=1sβi3+γi3βiγi+∑i=1rβ˜i=∑i=1sdβiγi−aβiγi+∑i=1rβ˜i=sd−a∑i=1s1βiγi+∑i=1rβ˜i,1/∏i=1nsi=∏i=1sβiγi∏i=1rβ˜i.

By rewriting (10) and (11) as

(12) ϕ=(y∏i=1r1β˜i∏i=1rβ˜i2y2−azz2−β˜iy∏i=1saz−βiγiy2yz−βiγi,z∏i=1rβ˜iβ˜i∏i=1ra−β˜iyzz2−β˜iy∏i=1say−βiγiz2yz−βiγi)

(13) =(y∏i=1rβ˜i∏i=1rβ˜iy−z2yz−β˜i2∏i=1saz−βiγiy2yz−βiγi,z∏i=1rβ˜i∏i=1rβ˜iz−y2yz−β˜i2∏i=1say−βiγiz2yz−βiγi)

and straightforward counting as before, the costs of (12) and (13) are given in Table 1.

Table 1

Computational cost of our isogeny formulas on twisted Hessian curves.

	Process kernel	Process input point
Z-affine (5)	sS + rM + (r + 2s)M_a	2S + (8s + 5r + 2)M + 1I
Z-affine (6)	(r + s)S + 2sM_a	2S + (8s + 5r + 2)M + 1I
X-affine (12)	rS + (r + s − 1)M	2S + (6r + 5s + 4)M + 2M_a + 1I
X-affine (13)	rS + (r + s − 1)M	2S + (5r + 5s + 4)M + 2M_a + 1I
Projective (14)	(2r + s)S + (r + s)M + (s + 2r)M_a	3S + (9s + 9r + 3)M
Projective (15)	(2r + s)S + (r + s)M + sM_a	3S + (9s + 9r + 3)M

5.2 Projective coordinates

Corollary 3

Let F=O∪{(α˜i:β˜i:β˜i)}i=1r∪{(αi:βi:γi),(αi:γi:βi)}i=1s be a subgroup of H(a, d) and |F| ≢ 0 (mod 3), where (α_i : β_i : γ_i) has order greater than 2 and (α˜i:β˜i:β˜i) has order 2. Let ϕ be the isogeny in Theorem 4 with kernel F. Then,

(14) ϕ=(X∏i=1rβ˜i2XY−α˜iβ˜iZ2∏i=1sαi2YZ−βiγiX2: Y∏i=1raα˜i2XZ−β˜i2Y2∏i=1saαi2XZ−βiγiY2: Z∏i=1rβ˜i2YZ−aα˜iβ˜iX2∏i=1saαi2XY−βiγiZ2)

(15) =(X∏i=1rα˜i2YZ−β˜i2X2∏i=1sαi2YZ−βiγiX2: Y∏i=1rβ˜i2XY−α˜iβ˜iZ2∏i=1saαi2XZ−βiγiY2: Z∏i=1rβ˜i2XZ−α˜iβ˜iY2∏i=1saαi2XY−βiγiZ2)

Proof

The corollary follows by projectivizing the expressions in previous corollaries.

By straightforward counting, (15) takes (2r + s)S + (r + s)M + sM_a to process the kernel and (9s + 9r + 3)M + 3S for the input point, and (14) takes additional 2rM_a for processing the kernel. The results are summarized in Table 1.

5.3 Comparison with other formulas

For comparison, consider the isogeny formula from [11] for Edwards curves, which is the most efficient to our knowledge so far. We note that the authors reported the cost of (6s + 1)M + 2S + I in affine coordinates or (6s + 3)M + 4S in mixed coordinates (the kernel is in affine coordinates and the input point is in projective coordinates), for computing an image point. However, in each case, up to sI were required for preprocessing the kernel points. Here, we consider a different approach that avoids inversions entirely in the projective case and uses only 1 inversion in the affine case. First, we consider the projective case. Suppose the kernel is

F={(0:1:1)}∪{(αi:βi:γi)}i=1s∪{(−αi:βi:γi)}i=1s.

The isogeny is

(x:y:z)↦(x∏i=1sβi2γi4x2z2−αi2γi4y2z2: y∏i=1sβi2γi4y2z2−αi2γi4x2z2: z∏i=1sβi2γi4z4−d2αi2βi4x2y2).

For processing the kernel, one can compute βi2γi4 , αi2γi4 and d2αi2βi4 , for all i, with (5s + 1)S + 4sM. For computing the image point, x²z², y²z², x²y², and z⁴, take 3M and 4S. If the characteristic is not 2, By the definition of (twisted) Edwards curves, the characteristic is not 2, and we can compute each pair of 2(βi2γi4x2z2−αi2γi4y2z2) and 2(βi2γi4y2z2−αi2γi4x2z2) for the x and y coordinates with only 2M using the identities:

2(ax−by)=(a−b)(x+y)+(a+b)(x−y) and2(ay−bx)=(a−b)(x+y)−(a+b)(x−y).

Each factor βi2γi4z4−d2αi2βi4x2y2 in the z coordinate takes 2M, and let cost(2^s) be the cost of computing 2^s. Multiplication of all the factors in the x and y coordinates takes 2sM, and multiplication of the factors in the z coordinate including 2^s takes (s + 1)M. Therefore, the total cost of computing an image point is 4S + (7s + 4)M + cost(2^s).

Similarly, in affine coordinates, we can compute the Edwards isogeny map

(x,y)↦(x∏i=1sβi2x2−αi2y2βi2−d2αi2βi4x2y2,y∏i=1sβi2y2−αi2x2βi2−d2αi2βi4x2y2)

using (3s + 1)S + 2sM for processing the kernel and (6s + 1)M + 2S + I + cost(2^s) for the input point.

The comparison is summarized in Table 2, where we assume the kernel size is odd and 1S = 0.8M. We note that our formulas for twisted Hessian curves have the lowest costs for processing the kernel and our X-affine formula has the lowest cost for processing an input point in affine coordinates.

Table 2

Comparison of the computational costs for various isogeny formulas. We denote by cost(2^s) the cost of computing 2^s.

Formula	Process kernel	Process input point
twisted Hessian (Z-affine) [this work]	0.8sM + 2sM_a	(8s + 3.6)M + 1I
twisted Hessian (X-affine) [this work]	(s − 1)M	(5s + 5.6)M + 2M_a + 1I
twisted Hessian (projective) [this work]	1.8sM + sM_a	(9s + 5.4)M
Edwards (affine) [11] + [this work]	(4.4s + 0.8)M	(6s + 2.6)M + 1I + cost(2^s)
Edwards (projective) [11] + [this work]	(8s + 0.8)M	(7s + 7.2)M + cost(2^s)
Huff (affine) [11]	(3.6s + 1.6)M	(6s − 0.4)M + 2I
Vélu's [2]	9.8M	(13s + 1.8)M + 1I

6 Conclusion

In this work we looked at computing isogenies between elliptic curves represented as twisted Hessian curves. There still exist other models of curves for which direct isogeny formulas are not known, such as Jacobi quartics and Jacobi intersections [32, 33]. It would be interesting to see if simple isogeny formulas exist for these models. We note that the original Velu isogeny formulas are expressed as a sum, while the more recent Edwards, Hessian, and Montgomery formulas all involve a product of expressions involving the kernel points. Is there a multiplicative version of Velu's formulas? Or additive expressions for isogenies of the alternate models of elliptic curves?

We leave it as future work to further optimize the formulas presented and integrate them into specific applications. For example, this could include efficient computation of low degree isogenies. Low-degree isogenies are used in post-quantum cryptographic isogeny schemes, and if optimized formulas can be found, they may lead to implementing these isogeny cryptosystems using twisted Hessian curves. In particular, it may be interesting to compute the 9-isogeny formulas for Hessian curves, similar to the work on 4-isogenies over Montgomery and Edwards models [19, 34].

It would also be interesting to use low degree isogenies to compute scalar multiplication formulas on Hessian curves for small scalars like 2, 3, and 5, as done in [35, 36], especially for curves with j-invariant zero.

Emmanuel Fouotsa This author is supported by the PREMA project in Subsaharan Africa sponsoserd by The Simons Foundation

References

[1] J. H. Silverman, The arithmetic of elliptic curves. Graduate Texts in Mathematics, Springer, 2nd ed., 2009.10.1007/978-0-387-09494-6Search in Google Scholar

[2] J. Vélu, “Isogénies entre courbes elliptiques,” CR Acad. Sci. Paris, Séries A, vol. 273, pp. 305–347, 1971.Search in Google Scholar

[3] P. L. Montgomery, “Speeding the Pollard and elliptic curve methods of factorization,” Mathematics of Computation, vol. 48, no. 177, pp. 243–264, 1987.10.1090/S0025-5718-1987-0866113-7Search in Google Scholar

[4] K. Okeya, H. Kurumatani, and K. Sakurai, “Elliptic curves with the Montgomery-form and their cryptographic applications,” in International Workshop on Public Key Cryptography, pp. 238–257, Springer, 2000.10.1007/978-3-540-46588-1_17Search in Google Scholar

[5] H. Edwards, “A normal form for elliptic curves,” Bulletin of the American Mathematical Society, vol. 44, no. 3, pp. 393–422, 2007.10.1090/S0273-0979-07-01153-6Search in Google Scholar

[6] D. J. Bernstein and T. Lange, “Faster addition and doubling on elliptic curves,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 29–50, Springer, 2007.10.1007/978-3-540-76900-2_3Search in Google Scholar

[7] D. J. Bernstein, P. Birkner, M. Joye, T. Lange, and C. Peters, “Twisted Edwards curves,” in International Conference on Cryptology in Africa, pp. 389–405, Springer, 2008.10.1007/978-3-540-68164-9_26Search in Google Scholar

[8] M. Joye, M. Tibouchi, and D. Vergnaud, “Huff’s model for elliptic curves,” in International Algorithmic Number Theory Symposium, pp. 234–250, Springer, 2010.10.1007/978-3-642-14518-6_20Search in Google Scholar

[9] H. Wu and R. Feng, “Elliptic curves in Huff’s model,” Wuhan University Journal of Natural Sciences, vol. 17, no. 6, pp. 473–480, 2012.10.1007/s11859-012-0873-9Search in Google Scholar

[10] D. J. Bernstein, C. Chuengsatiansup, D. Kohel, and T. Lange, “Twisted Hessian curves,” in International Conference on Cryptology and Information Security in Latin America, pp. 269–294, Springer, 2015.10.1007/978-3-319-22174-8_15Search in Google Scholar

[11] D. Moody and D. Shumow, “Analogues of Vélu’s formulas for isogenies on alternate models of elliptic curves,” Mathematics of Computation, vol. 85, no. 300, pp. 1929–1951, 2016.10.1090/mcom/3036Search in Google Scholar

[12] C. Costello and H. Hisil, “A simple and compact algorithm for SIDH with arbitrary degree isogenies,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 303–329, Springer, 2017.10.1007/978-3-319-70697-9_11Search in Google Scholar

[13] J. Renes, “Computing isogenies between Montgomery curves using the action of (0, 0),” in The Eighth International Conference on Post-Quantum Cryptography, PQCrypto, pp. 229–247, Springer, 2017.10.1007/978-3-319-79063-3_11Search in Google Scholar

[14] T. Izu, J. Kogure, M. Noro, and K. Yokoyama, “Efficient implementation of Schoof’s algorithm,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 66–79, Springer, 1998.10.1007/3-540-49649-1_7Search in Google Scholar

[15] R. Lercier and F. Morain, “Computing isogenies between elliptic curves over Fpn using Couveignes’s algorithm,” Mathematics of Computation, vol. 69, no. 229, pp. 351–370, 2000.10.1090/S0025-5718-99-01081-9Search in Google Scholar

[16] D. Jao, S. D. Miller, and R. Venkatesan, “Do all elliptic curves of the same order have the same difficulty of discrete log?,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 21–40, Springer, 2005.10.1007/11593447_2Search in Google Scholar

[17] E. Teske, “An elliptic curve trapdoor system,” Journal of Cryptology, vol. 19, no. 1, pp. 115–133, 2006.10.1007/s00145-004-0328-3Search in Google Scholar

[18] D. X. Charles, K. E. Lauter, and E. Z. Goren, “Cryptographic hash functions from expander graphs,” Journal of Cryptology, vol. 22, no. 1, pp. 93–113, 2009.10.1007/s00145-007-9002-xSearch in Google Scholar

[19] L. De Feo, D. Jao, and J. Plût, “Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies,” Journal of Mathematical Cryptology, vol. 8, no. 3, pp. 209–247, 2014.10.1515/jmc-2012-0015Search in Google Scholar

[20] N. P. Smart, “The Hessian form of an elliptic curve,” in International Workshop on Cryptographic Hardware and Embedded Systems, pp. 118–125, Springer, 2001.10.1007/3-540-44709-1_11Search in Google Scholar

[21] H. Hisil, G. Carter, and E. Dawson, “New formulae for efficient elliptic curve arithmetic,” in International Conference on Cryptology in India, pp. 138–151, Springer, 2007.10.1007/978-3-540-77026-8_11Search in Google Scholar

[22] H. Hisil, K. K.-H. Wong, G. Carter, and E. Dawson, “Faster group operations on elliptic curves,” in Proceedings of the Seventh Australasian Conference on Information Security, vol. 98, pp. 7–20, Australian Computer Society, Inc., 2009.Search in Google Scholar

[23] E. Fouotsa, “Parallelizing pairings on Hessian elliptic curves,” Arab Journal of Mathematical Sciences, vol. 25, no. 1, pp. 29 – 42, 2019.10.1016/j.ajmsc.2018.06.001Search in Google Scholar

[24] M. Joye and J.-J. Quisquater, “Hessian elliptic curves and side-channel attacks,” in International Workshop on Cryptographic Hardware and Embedded Systems, pp. 402–410, Springer, 2001.10.1007/3-540-44709-1_33Search in Google Scholar

[25] R. R. Farashahi and M. Joye, “Efficient arithmetic on Hessian curves,” in International Workshop on Public Key Cryptography, pp. 243–260, Springer, 2010.10.1007/978-3-642-13013-7_15Search in Google Scholar

[26] R. R. Farashahi, H. Wu, and C.-A. Zhao, “Efficient arithmetic on elliptic curves over fields of characteristic three,” in International Conference on Selected Areas in Cryptography, pp. 135–148, Springer, 2012.10.1007/978-3-642-35999-6_10Search in Google Scholar

[27] D. Kohel, “The geometry of efficient arithmetic on elliptic curves,” Arithmetic, Geometry, Coding Theory and Cryptography, vol. 637, pp. 95–109, 2015.10.1090/conm/637/12751Search in Google Scholar

[28] D. Moody and H. Wu, “Families of elliptic curves with rational 3-torsion,” Journal of Mathematical Cryptology, vol. 5, no. 3–4, pp. 225–246, 2012.10.1515/jmc-2011-0013Search in Google Scholar

[29] L. C. Washington, Elliptic curves: number theory and cryptography. CRC press, 2008.10.1201/9781420071474Search in Google Scholar

[30] T. S. Gustavsen and K. Ranestad, “A simple point counting algorithm for Hessian elliptic curves in characteristic three,” Applicable Algebra in Engineering, Communication and Computing, vol. 17, no. 2, pp. 141–150, 2006.10.1007/s00200-006-0013-xSearch in Google Scholar

[31] W. Fulton, Algebraic curves: An introduction to algebraic geometry. 2008. http://www.math.lsa.umich.edu/~wfulton/CurveBook.pdf.Search in Google Scholar

[32] O. Billet and M. Joye, “The Jacobi model of an elliptic curve and side-channel analysis,” in Applied Algebra, Algebraic Algorithms and Error-Correcting Codes (M. Fossorier, T. Høholdt, and A. Poli, eds.), (Berlin, Heidelberg), pp. 34–42, Springer Berlin Heidelberg, 2003.10.1007/3-540-44828-4_5Search in Google Scholar

[33] P. Y. Liardet and N. P. Smart, “Preventing SPA/DPA in ECC systems using the Jacobi form,” in Cryptographic Hardware and Embedded Systems — CHES 2001 (Ç. K. Koç, D. Naccache, and C. Paar, eds.), (Berlin, Heidelberg), pp. 391–401, Springer Berlin Heidelberg, 2001.10.1007/3-540-44709-1_32Search in Google Scholar

[34] S. Kim, K. Yoon, Y. Park, and S. Hong, “Optimized method for computing odd-degree isogenies on Edwards curves,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 273–292, Springer, 2019.10.1007/978-3-030-34621-8_10Search in Google Scholar

[35] C. Doche, T. Icart, and D. R. Kohel, “Efficient scalar multiplication by isogeny decompositions,” in International Workshop on Public Key Cryptography, pp. 191–206, Springer, 2006.10.1007/11745853_13Search in Google Scholar

[36] D. Moody, “Using 5-isogenies to quintuple points on elliptic curves,” Information Processing Letters, vol. 111, no. 7, pp. 314–317, 2011.10.1016/j.ipl.2010.12.014Search in Google Scholar

Received: 2020-09-10

Accepted: 2021-01-05

Published Online: 2021-03-16

This work is licensed under the Creative Commons Attribution 4.0 International License.

Isogenies on twisted Hessian curves

Abstract

1 Introduction

2 Twisted Hessian Curves

Definition 1

3 3-isogenies

Theorem 1

Proof

Theorem 2

Theorem 3

Proof

4 Isogenies of degree ℓ ≢ 0 (mod 3)

Theorem 4

Proof

5 Rational-map representations

5.1 Affine coordinates

5.1.1 Z-affine coordinates

Lemma 1

Proof

Corollary 1

Proof

5.1.2 X-affine coordinates

Lemma 2

Proof

Corollary 2

Proof

5.2 Projective coordinates

Corollary 3

Proof

5.3 Comparison with other formulas

6 Conclusion

References

Journal and Issue

Articles in the same Issue