Efficient Arithmetic on Hessian Curves [chapter]

Reza R. Farashahi, Marc Joye
2010 Lecture Notes in Computer Science  
This paper considers a generalized form for Hessian curves. The family of generalized Hessian curves covers more isomorphism classes of elliptic curves. Over a finite filed Fq, it is shown to be equivalent to the family of elliptic curves with a torsion subgroup isomorphic to Z/3Z. This paper provides efficient unified addition formulas for generalized Hessian curves. The formulas even feature completeness for suitably chosen parameters. This paper also presents extremely fast addition formulas
more » ... for generalized binary Hessian curves. The fastest projective addition formulas require 9M + 3S, where M is the cost of a field multiplication and S is the cost of a field squaring. Moreover, very fast differential addition and doubling formulas are provided that need only 5M + 4S when the curve is chosen with small curve parameters. Overviews can be found in [2, 9] . Moreover, complete addition formulas that work for all pairs of inputs have been presented for Edwards curves over odd characteristic fields [5] , and for binary Edwards curves [6]. A Hessian curve over a field F is defined by a symmetric cubic equation where d ∈ F and d 3 = 27. The use of Hessian curves in cryptography has been studied in [13, 23, 33, 21, 22] . The Hessian addition formulas, the so-called Sylvester formulas, can also be used for point doubling after a permutation of input coordinates, providing a weak form of unification. Moreover, the same formulas can be used to double, add, and subtract points, which makes Hessian curves interesting against side-channel attacks [23] . In this paper, we consider the family of curves, referred to as generalized Hessian curves, over a field F defined by the equation where c, d ∈ F, c = 0 and d 3 = 27c. Clearly, this family covers more isomorphism classes of elliptic curves than Hessian curves. Notice that the Sylvester addition formulas work for the family of generalized Hessian. But these formulas are not unified. From the Sylvester formulas and after suitable transformation of inputs coordinates, we present fast and efficient unified addition formulas for generalized Hessian curves. Nevertheless, the unified formulas for Hessian curves are not complete. In other words, there are some exceptional cases where the formulas fail to give the output. We study the exceptional cases of the addition formulas for generalized Hessian curves. We observe that the unified formulas are complete for many generalized Hessian curves, i.e., the addition formulas work for all pairs of inputs. In particular, the group of F-rational points on a generalized Hessian curve has complete addition formulas if and only if c is not a cube in F. Also, the unified formulas are valid for all input points in rational subgroups H of generalized Hessian curves over finite fields F q whenever gcd(#H, 3) = 1. For generalized binary Hessian curves, the unified addition formulas are the fastest known addition formulas on binary elliptic curves; for example 9M + 3S for extended projective addition, 8M + 3S for extended mixed affine-projective addition, and 5M + 4S for mixed addition and doubling, when curves are chosen with small parameters. As usual, we use M to denote a field multiplication and S to denote a field squaring. Furthermore, the addition formulas are complete for generalized Hessian curves over F 2 n when c is not a cube in F 2 n . The mixed differential addition and doubling formulas are also complete. Note. In [7], Bernstein, Kohel, and Lange define the twisted Hessian form. The twisted form is similar to the above form up to the order of the coordinates. Both forms present advantages. The neutral element on the twisted form is a finite point. In affine coordinates, the generalized form is fully symmetric and features a simpler inverse. See also [12, Exerc. 6.2].
doi:10.1007/978-3-642-13013-7_15 fatcat:hh45ydg65ncrjgc4zp7cwwdd5i