Let ${\displaystyle K}$  be a field and let ${\displaystyle a\in K}$ . Then, the Doubling-oriented Doche–Icart–Kohel curve with parameter a in affine coordinates is represented by:

${\displaystyle y^{2}=x^{3}+ax^{2}+16ax}$ 

Equivalently, in projective coordinates:

${\displaystyle ZY^{2}=X^{3}+aZX^{2}+16aXZ^{2},}$ 

with ${\displaystyle x={\frac {X}{Z}}}$  and ${\displaystyle y={\frac {Y}{Z}}}$ .

Notice that, since this curve is a special case of Weierstrass form, transformations to the most common form of elliptic curve (Weierstrass form) are not needed.

It is interesting to analyze the group law in elliptic curve cryptography, defining the addition and doubling formulas, because these formulas are necessary to compute multiples of points [n]P (see Exponentiation by squaring). In general, the group law is defined in the following way: if three points lies in the same line then they sum up to zero. So, by this property, the group laws are different for every curve shape.

In this case, since these curves are special cases of Weierstrass curves, the addition is just the standard addition on Weierstrass curves. On the other hand, to double a point, the standard doubling formula can be used, but it would not be so fast. In this case, the neutral element is ${\displaystyle \theta =(0:1:0)}$  (in projective coordinates), for which ${\displaystyle \theta =-\theta }$ . Then, if ${\displaystyle P=(x,y)}$  is a non-trivial element (${\displaystyle P!=O}$ ), then the inverse of this point (by addition) is –P=(x,-y).

Addition edit

In this case, affine coordinates will be used to define the addition formula:

(x₁,y₁)+(x₂,y₂)=(x₃,y₃) where

x₃ = (-x₁³+(x₂-a)x₁²+(x₂²+2ax₂)x₁+(y₁²-2y₂y₁+(-x₂³-ax₂²+y₂²)))/(x₁²-2x₂x₁+x₂²)

y₃ = ((-y₁+2y₂)x₁³+(-ay₁+(-3y₂x₂+ay₂))x₁²+((3x₂²+2ax₂)y₁-2ay₂x₂)x₁+(y₁³-3y₂y₁²+(-2x₂³-ax₂²+3y₂²)y₁+(y₂x₂³+ay₂x₂²-y₂³)))/(-x₁³+3x₂x₁²-3x₂²x₁+x₂³)

Doubling edit

2(x₁,y₁)=(x₃,y₃)

x₃ = 1/(4y₁²)x₁⁴-8a/y₁²x₁²+64a2/y₁²

y₃ = 1/(8y₁³)x₁⁶+((-a²+40a)/(4y₁³))x₁⁴+((ay₁²+(16a³-640a²))/(4y₁³))x₁²+((-4a²y₁²-512a³)/y₁³)

Addition edit

The fastest addition is the following one (comparing with the results given in: http://hyperelliptic.org/EFD/g1p/index.html), and the cost that it takes is 4 multiplications, 4 squaring and 10 addition.

A = Y₂-Y₁

AA = A²

B = X₂-X₁

CC = B²

F = X₁CC

Z₃ = 2CC

D = X₂Z₃

ZZ₃ = Z₃²

X₃ = 2(AA-F)-aZ₃-D

Y₃ = ((A+B)²-AA-CC)(D-X₃)-Y₂ZZ₃

Example edit

Let ${\displaystyle K=\mathbb {Q} }$ . Let P=(X₁,Y₁)=(2,1), Q=(X₂,Y₂)=(1,-1) and a=1, then

A=2

AA=4

B=1

CC=1

F=2

Z₃=4

D=4

ZZ₃=16

X₃=-4

Y₃=336

Thus, P+Q=(-4:336:4)

Doubling edit

The following algorithm is the fastest one (see the following link to compare: http://hyperelliptic.org/EFD/g1p/index.html), and the cost that it takes is 1 multiplication, 5 squaring and 7 additions.

A = X₁²

B = A-a16

C = a₂A

YY = Y₁²

YY₂ = 2YY

Z₃ = 2YY₂

X₃ = B²

V = (Y₁+B)2-YY-X₃

Y₃ = V(X₃+64C+a(YY₂-C))

ZZ₃ = Z₃²

Example edit

Let ${\displaystyle K=\mathbb {Q} }$  and a=1. Let P=(-1,2), then Q=[2]P=(x3,y3) is given by:

A=1

B=-15

C=2

YY=4

YY₂=8

Z₃=16

X₃=225

V=27

Y₃=9693

ZZ₃=256

Thus, Q=(225:9693:16).

The addition and doubling computations should be as fast as possible, so it is more convenient to use the following representation of the coordinates:

${\displaystyle x,y}$  are represented by ${\displaystyle X,Y,Z,ZZ}$  satisfying the following equations:

${\displaystyle x={\frac {X}{Z}}}$ 

${\displaystyle y={\frac {Y}{ZZ}}}$ 

${\displaystyle ZZ=Z^{2}}$ 

Then, the Doubling-oriented Doche–Icart–Kohel curve is given by the following equation:

${\displaystyle Y^{2}=ZX^{3}+aZ^{2}X^{2}+16aZ^{3}X}$ .

In this case,${\displaystyle P=(X:Y:Z:ZZ)}$  is a general point with inverse ${\displaystyle -P=(X:-Y:Z:ZZ)}$ . Furthermore, the points over the curve satisfy: ${\displaystyle (X:Y:Z:Z^{2})=(\lambda X:\lambda ^{2}Y:\lambda Z:\lambda ^{2}Z^{2})}$  for all ${\displaystyle \lambda }$  nonzero.

Faster doubling formulas for these curves and mixed-addition formulas were introduced by Doche, Icart and Kohel; but nowadays, these formulas are improved by Daniel J. Bernstein and Tanja Lange (see below the link of EFD).

For more information about the running-time required in a specific case, see Table of costs of operations in elliptic curves

• Christophe Doche, Thomas Icart and David R. Kohel (2006). "Efficient Scalar Multiplication by Isogeny Decompositions". Public Key Cryptography - PKC 2006. Lecture Notes in Computer Science. Vol. 3958. Springer Berlin / Heidelberg. pp. 191–206. doi:10.1007/11745853_13. ISBN 978-3-540-33851-2.

• Daniel J. Bernstein and Tanja Lange (2008). Analysis and optimization of elliptic-curve single scalar multiplication. ISBN 9780821857892.

• http://hyperelliptic.org/EFD/g1p/index.html
• http://www.hyperelliptic.org/EFD/g1p/auto-2dik.html