Elliptic Curve Mathematics

Projective Coordinates in Elliptic Curves

By: Cailyn Yong and Bryan Wee

Previously, we were introduced to elliptic curves and point operations. So far, the elliptic curves we have seen are represented in the affine space, where points can be represented as $(x, y) (x, y)$ coordinates. Affine group operations, as we will soon see, are costly as they require field divisions. In this article, we will see how projective coordinates can be used to sidestep these costs and achieve greater efficiency.

Since we are concerned with computational efficiency, we will only be studying curves that are restricted to prime fields. Hence, for all equations below, all field arithmetic is modulo arithmetic.

Cost of Affine Coordinates

Let us consider 2 affine coordinates, $P = (x_{1}, y_{1}), Q = (x_{2}, y_{2}) P =(x_1, y_1), Q = (x_2, y_2)$ , where $P \neq Q P \neq Q$ , and recall how point addition is computed.

If either point is $O O$ , then $P + Q P+Q$ is given by the other point.
Else if $x_{1} = x_{2} x_1 = x_2$ , then $P + Q = O P+Q=O$ .
Else:
• Let $m = (y_{1} - y_{2}) / (x_{1} - x_{2}) m = (y_1 - y_2)/(x_1-x_2)$
• Then, $x_{3} = m^{2} - x_{1} - x_{2} x_3 = m^2 - x_1 - x_2$ and $y_{3} = m (x_{1} - x_{3}) - y_{1} y_3 = m(x_1 - x_3) - y_1$

Notice that in its worst case, point addition requires 2 multiplications, 6 additions/subtractions, and 1 division.

Let us recall how point doubling can be performed as well. To compute $2 P = (x_{2}, y_{2}) 2P = (x_2, y_2)$ , where $P = (x_{1}, y_{1}) P = (x_1,y_1)$ :

If $P = O P=O$ or $y_{1} = 0 y_1 = 0$ , then $2 P = O 2P = O$
Else:
• Let $m = ({3 x_{1}}^{2} + a) / (2 y_{1}) m = ({3x_1}^2+a)/(2y_1)$
• Then, $x_{2} = m^{2} - 2 x_{1} x_2 = m^2 - 2x_1$ and $y_{2} = m (x_{1} - x_{2}) - y_{1} y_2 = m(x_1-x_2)-y_1$

Point doubling involves 7 multiplications, 4 additions/subtractions, and 1 division.

Both point addition and doubling require 1 field division, which for prime fields, means modular division. This form of division requires the non-trivial act of finding a modular inverse, making it very expensive.

Projective Coordinates

Costs can be reduced by adopting a new coordinate system that avoids field division entirely. Given an affine coordinate $(x, y) (x, y)$ , we can transform it into a projective coordinate $(X, Y, Z) (X, Y, Z)$ by taking an arbitrary non-zero value $Z Z$ and assigning $(X, Y, Z) = (x Z, y Z, Z) (X, Y, Z) = (xZ, yZ, Z)$ .

For instance, $(2, 3) (2, 3)$ can be mapped to $(4, 6, 2) (4, 6, 2)$ or $(8, 12, 4) (8, 12, 4)$ , with $Z = 2 Z = 2$ or $Z = 4 Z = 4$ respectively. Usually, $z z$ is chosen to be $11$ for convenience; affine coordinates $(x, y) (x,y)$ would be transformed to $(x, y, 1) (x,y,1)$ .

Projecting an entire elliptic curve yields the following curve equation.

$Y^{2} Z = X^{3} + a X Z^{2} + b Z^{3} Y^2Z = X^3+aXZ^2+bZ^3$

The diagram below visualizes how a projected curve might look like.

To convert projective coordinates $(X, Y, Z) (X, Y, Z)$ back to affine coordinates $(x, y) (x, y)$ , all we have to do is divide the projective coordinate by $Z Z$ .

$(x, y) = (X / Z, Y / Z) (x, y) = (X/Z, Y/Z)$

With projective coordinates, the formulae for point addition and point doubling require no field division. Take $P = (X_{1}, Y_{1}, Z_{1}) P = (X_1, Y_1, Z_1)$ , $Q = (X_{2}, Y_{2}, Z_{2}) Q = (X_2, Y_2, Z_2)$ , and $P \neq Q P \neq Q$ . Let us see how we can compute $P + Q = (X_{3}, Y_{3}, Z_{3}) P + Q = (X_3, Y_3, Z_3)$ .

If either point is $O O$ , then $P + Q P + Q$ is given by the other point.
Else, let:
• $u = Y_{2} Z_{1} - Y_{1} Z_{2} u = Y_2Z_1 - Y_1Z_2$
• $v = X_{2} Z_{1} - X_{1} Z_{2} v = X_2Z_1 - X_1Z_2$
• $A = u^{2} Z_{1} Z_{2} - v^{3} - 2 v^{2} X_{1} Z_{2} A = u^2Z_1Z_2 - v^3 - 2v^2X_1Z_2$
To perform point addition,
• $X_{3} = v A X_3 = vA$
• $Y_{3} = u (v^{2} X_{1} Z_{2} - A) - v^{3} Y_{1} Z_{2} Y_3 = u(v^2X_1Z_2 - A) - v^3Y_1Z_2$
• $Z_{3} = v^{3} Z_{1} Z_{2} Z_3 = v^3Z_1Z_2$

Next, given $P = (X_{1}, Y_{1}, Z_{1}) P = (X_1, Y_1, Z_1)$ , how can compute $2 P = (X_{2}, Y_{2}, Z_{2}) 2P = (X_2, Y_2, Z_2)$ ?

Let:
• $w = a {Z_{1}}^{2} + 3 {X_{1}}^{2} w = a{Z_1}^2 + 3{X_1}^2$
• $s = Y_{1} Z_{1} s = Y_1Z_1$
• $B = X_{1} Y_{1} s B = X_1Y_1s$
• $h = w^{2} - 8 B h = w^2 - 8B$
To perform point doubling:
• $X_{2} = 2 h s X_2 = 2hs$
• $Y_{2} = w (4 B - h) - 8 s^{2} {Y_{1}}^{2} Y_2 = w(4B-h)-8s^2{Y_1}^2$
• $Z_{2} = 8 s^{3} f Z_2 = 8s^3f$

Both operations require more addition and multiplication than before, but demand zero divisions! Knowing this, we can much more efficiently manipulate elliptic curve points by:

Converting affine coordinates to projective coordinates.
Perform the required computation.
Converting the results back to affine coordinates. (Only this step requires division)

Now, only two field divisions are required for any amount of consecutive point addition and doubling. This, in turn, saves a drastic amount of computation for elliptic curves over finite fields.

Jacobian Coordinates

A modified form of projective coordinates is Jacobian coordinates. For Jacobian coordinates, instead of multiplying $x x$ and $y y$ with $Z Z$ like we did in the standard form of projective coordinates, we map affine coordinates $(x, y) (x, y)$ to $(X, Y, Z) = (x * Z^{2}, y * Z^{3}, Z) (X, Y, Z) = (x*Z^2, y*Z^3, Z)$ .

Using Jacobian coordinates, elliptic curves adopt the following equation.

$Y^{2} = X^{3} + a X Z^{4} + b Z^{6} Y^2 = X^3 + aXZ^4 + bZ^6$

Here is the formula for point addition, assuming $P \neq Q P \neq Q$ :

If either point is $O O$ , then $P + Q P + Q$ is given by the other point.
Else, let:
• $U_{1} = X_{1} {Z_{2}}^{2} U_1 = X_1{Z_2}^2$ and $U_{2} = X_{2} {Z_{1}}^{2} U_2 = X_2{Z_1}^2$
• $s = S_{1} = Y_{1} {Z_{2}}^{3} s = S_1 = Y_1{Z_2}^3$ and $S_{2} = Y_{2} {Z_{1}}^{3} S_2 = Y_2{Z_1}^3$
• $H = U_{2} - U_{1} H = U_2 - U_1$
• $r = S_{2} - S_{1} r = S_2 - S_1$
To perform point addition
• $X_{3} = r^{2} - H^{3} - 2 U_{1} H^{2} X_3 = r^2 - H^3 - 2U_1H^2$
• $Y_{3} = r (U_{1} H^{2} - X_{3}) - S_{1} H^{3} Y_3 = r(U_1H^2-X_3) - S_1H^3$
• $Z^{3} = H Z_{1} Z_{2} Z^3 = HZ_1Z_2$

...and the formula for point doubling.

If $Y_{1} = 0, Y_1 = 0,$ then $2 P = O 2P = O$ .
Else, let:
• $S = 4 X_{1} {Y_{1}}^{2} S = 4X_1{Y_1}^2$
• $M = 3 {X_{1}}^{2} + a {Z_{1}}^{4} M = 3{X_1}^2 + a{Z_1}^4$
• $T = M^{2} - 2 S T = M^2 - 2S$
To perform point doubling:
• $S = X_{2} = T S = X_2 = T$
• $Y_{2} = M (S - T) - 8 {Y_{1}}^{4} Y_2 = M(S-T) - 8{Y_1}^4$
• $Z_{2} = 2 Y_{1} Z_{1} Z_2 = 2Y_1Z_1$

Like before, these operations do not require field division. Jacobian coordinates offer a slight edge compared to standard projective coordinates because they trade multiplication for more addition/subtraction which tends to be cheaper.

Jacobian Coordinates ⇌ Affine Coordinates

Each instance of affine point addition/doubling requires one field division. This becomes extremely expensive once we consider consecutive curve operations (e.g., scalar multiplication). On the other hand, Jacobian coordinates demand no field divisions. We can exploit this fact to support affine point manipulation by:

1. Converting affine points to Jacobian points, with $z = 1 z = 1$ .

$(x, y) \to (x, y, 1) (x, y) \rightarrow (x, y, 1)$

2. Performing all necessary operations in Jacobian space.

3. Converting Jacobian points back to affine space. Let $z^{- 1} z^{-1}$ be the modular inverse of $z z$ .

$(x, y, z) \to (x * (z^{- 1})^{2}, y * (z^{- 1})^{3}) (x, y, z) \rightarrow (x * (z^{-1})^2, y * (z^{-1})^3)$

This way, we only require one modular inversion for an arbitrary number of elliptic curve operations, saving a significant amount of computation!

Conclusion

In the previous article, we learned about the elliptic curve and the discrete logarithm problem. We then restricted the curve such that it can be computed by a computer with finite memory.

In this article, we transformed the curve onto a projective space and saw how it optimizes point arithmetic. After much math, we have arrived at a version of elliptic curves that is optimal for computers, and now have the necessary impetus to learn about elliptic curve cryptography.

If only I could read these glyphs a little faster...