Napkin Math: Elliptic Curve Addition in terms of Field Operations

Objective
This note aims to analyze the cost of elliptic curve addition in terms of operations in the underlying field.

Summary
We find that adding two points requires the following field operations:

one inverse operation
four multiply operations
6 adds/subtract operations

Since one inverse operation requires

\log (p)

multiplications, that cost will dominate.

Problem Statement

Let

F_{p}

be a field, and let

G

be the elliptic curve group defined by

\begin{matrix} (1) & y^{2} = x^{3} + a x + b \end{matrix}

for some

a, b \in F_{p}

. Let

A_{1}

and

A_{2}

be points in

G

, where

x_{1} \neq x_{2}

.^[1]

The objective of this note is to count the number of field operations necessary to compute

$A_{3} = A_{1} + A_{2}$ .

Addition in Affine Coordinates

We write

A_{1} = (x_{1}, y_{1})

and

A_{2} = (x_{2}, y_{2})

We proceed as follows:

construct the line
$L$ connecting
$A_{1}$ and
$A_{2}$
use a clever observation to find
$x_{3}$ , the
$x$ coordinate of the point of intersection of
$L$ and
$G$ (and the
$x$ -coordinate of
$A_{3}$ )
find
$y_{3}$ , the
$y$ coordinate of
$A_{3}$

We first write the line connecting

A_{1} = (x_{1}, y_{1})

and

A_{2} = (x_{2}, y_{2})

. Denoting the slope of the line as

m = \frac{y_{2} - y_{1}}{x_{2} - x_{1}}

, we find

b = - m x_{1} + y_{1}

. Then, we can write the equation for

L

\begin{matrix} (2) & y = m x - m x_{1} + y_{1} \end{matrix}

Computing

m

requires 2 subtractions, finding one inverse, and one multiplication. Computing

b

requires one multiplication and one subtraction.

Cost for constructing

$L$ is 1 inverse, 2 multiplications, and three subtractions.

AFAIK, Fermat's Little Theorem is the most efficient approach to computing multiplicative inverses. Using repeated squaring, computing

x^{p - 2}

using takes ~

\log (p)

multiplications.

Finding
$(x_{3}, y_{3})$

Substituting equation (2) into equation (1) yields:

\begin{matrix} (3) & (m x - m x_{1} + y_{1})^{2} = x^{3} - a x + b \end{matrix}

Bringing all terms to the right-hand side, we find

\begin{matrix} (4) & 0 = x^{3} + m^{2} x^{2} + (2 m (y_{1} - m x_{1}) - a) x + b - (y_{1} - m x_{1})^{2} \end{matrix}

Now, we make a clever^[1] observation: since

x_{1}, x_{2},

and

x_{3}

are solutions to equation (3), we can also write equation (3) in the form

\begin{matrix} (5) & 0 = (x - x_{1}) (x - x_{2}) (x - x_{3}) \end{matrix}

By comparing the coefficient of

x^{2}

in equations (4) and (5), we can deduce that

x_{1} + x_{2} + x_{3} = m^{2}

. It follows that:

x_{3} = m^{2} - x_{1} - x_{2}

Cost for computing

$x_{3}$ is one multiplication and two subtractions.

Now we can the

y

coordinate of the point of intersection by substituting into equation (2). After reflecting across the

x

-axis, we find the

y

coordinate of

A_{3}

y_{3} = m (x_{1} - x_{3}) - y_{1}

Cost for computing

$y_{3}$ is one multiplication and one subtraction.

Addition in Projective Coordinates

The previous approach requires computing an inverse in order to add elliptic curve points. Writing our points in projective coordinates allows us to avoid that cost.

We write

P_{1} = [\frac{x_{1}}{z_{1}} : \frac{y_{1}}{z_{1}} : 1]

and

P_{2} = [\frac{x_{2}}{z_{2}} : \frac{y_{2}}{z_{2}} : 1]

.
Assume

z_{1}

is non-zero and

x_{1} \neq x_{2}

.
We aim to compute

P_{3} = P_{1} + P_{2}

We continue to follow the approach in Section 2.2 here:

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

It folllows from the previous section that we can write the sum as

P_{3} = [m^{2} - \frac{x_{1}}{z_{1}} - \frac{x_{2}}{z_{2}} : m (\frac{x_{1}}{z_{1}} - x_{3}) : 1]

Substituting in our expression for

x_{3}

= [m^{2} - \frac{x_{1}}{z_{1}} - \frac{x_{2}}{z_{2}} : m (\frac{x_{1}}{z_{1}} - (m^{2} - \frac{x_{1}}{z_{1}} - \frac{x_{2}}{z_{2}})) : 1]

Now we can clear denominators:

= [m^{2} z_{1} z_{2} - x_{1} z_{2} - x_{2} z_{1} : m (x_{1} z_{2} - (m^{2} z_{1} z_{2} - x_{1} z_{2} - x_{2} z_{1})) : z_{1} z_{2}]

= [m^{2} z_{1} z_{2} - x_{1} z_{2} - x_{2} z_{1} : m x_{1} z_{2} - m^{3} z_{1} z_{2} - m x_{1} z_{2} - m x_{2} z_{1} : z_{1} z_{2}]

Now, we simultaneously substitute

m = \frac{y_{2} z_{1} - y_{1} z_{2}}{x_{2} z_{1} - x_{1} z_{2}}

, and multiply through by

(x_{2} z_{1} - x_{1} z_{2})^{3}

to clear denominators:

= [(y_{2} z_{1} - y_{1} z_{2})^{2} z_{1} z_{2} - x_{1} z_{2} - x_{2} z_{1}) (x_{2} z_{1} - x_{1} z_{2}) : - (y_{2} z_{1} - y_{1} z_{2})^{3} z_{1} z_{2} - (y_{2} z_{1} - y_{1} z_{2}) (x_{2} z_{1} - x_{1} z_{2})^{2} x_{2} z_{1} : z_{1} z_{2} (x_{2} z_{1} - x_{1} z_{2})^{3}]

Warning: Likely contains algebra errors, but it gets the idea across.

The reference notes suggest that with careful accounting it's possible to compute

P_{3}

in 12 additions if

P_{1} \neq P_{2}

and 14 additions for point doubling.

Addition in Montgomery Form

Details omitted. See Moon Math Manual for details.

Advantage here is constant time scalar multiplication. Note that even though it's "constant time," there's still a slight difference in the computational approach depending on whether

P_{1} = P_{2}

, and whether one of the points is a point at infinity.

Addition in Twisted Edwards Form

Details omitted. See Moon Math Manual for details.

Advantage here is all additions use exactly the same computational approach: no branching necessary in your computational logic.

But, it seems this approach requires computing 2 inverses?!

Footnotes

[1]: For the case where

A_{1} = A_{2}

we proceed similarly using the tangent line for

L

. We can write find the tangent line using implicit differentiation. We find

m = \frac{d y}{d x} = \frac{3 x_{1}^{2} + a}{2 y_{1}}

; the computation in this case requires one additional multiplication and one less addition. The remaining case is that

A_{1}

is the reflection of

A_{2}

across the

x

-axis. In this case, the sum is defined to be the point at infinity.
[2]: See Section 2.2 here

Napkin Math: Elliptic Curve Addition in terms of Field Operations

Problem Statement

Addition in Affine Coordinates

Finding (x3,y3)

Addition in Projective Coordinates

Addition in Montgomery Form

Addition in Twisted Edwards Form

Footnotes

Read more

Translating FRI Soundness to Unique Decoding Radius

[Depreated] Translating FRI Soundness to Unique Decoding Radius

Napkin Math for Communication Complexity

Finding
$(x_{3}, y_{3})$