
I try to add two points on an elliptic curve over a prime field, converting these points from and to affine coordinates, but do not manage to get a correct result (the curve I am testing has a=0). Can anyone see what's wrong?

// From Affine
BigInteger X1=P.x;
BigInteger Y1=P.y;
BigInteger Z1=BigInteger.ONE;

BigInteger X2=Q.x;
BigInteger Y2=Q.y;
BigInteger Z2=BigInteger.ONE;

// Point addition in Jacobian coordinates for a=0
// see http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl
BigInteger Z1Z1 = Z1.multiply(Z1);
BigInteger Z2Z2 = Z2.multiply(Z2);
BigInteger U1   = X1.multiply(Z2Z2);
BigInteger U2   = X2.multiply(Z1Z1);
BigInteger S1   = Y1.multiply(Z2).multiply(Z2Z2);
BigInteger S2   = Y2.multiply(Z1).multiply(Z1Z1);
BigInteger H    = U2.subtract(U1);
BigInteger I    = H.add(H).multiply(H.add(H));
BigInteger J    = H.multiply(I);
BigInteger r    = S2.subtract(S1).add(S2.subtract(S1));
BigInteger V    = U1.multiply(I);
BigInteger X3   = r.multiply(r).subtract(J).subtract(V.add(V)).mod(FIELD);
BigInteger Y3   = r.multiply(V.subtract(X3)).subtract(S1.add(S1).multiply(J)).mod(FIELD);
BigInteger Z3   = Z1.add(Z2).multiply(Z1.add(Z2)).subtract(Z1Z1).subtract(Z2Z2).multiply(H).mod(FIELD);

//To affine
BigInteger Z3Z3 = Z3.multiply(Z3);
BigInteger Z3Z3Z3 = Z3Z3.multiply(Z3);

return new Point(X3.divide(Z3Z3),Y3.divide(Z3Z3Z3));
user1454590
  • To verify... `BigInteger.ONE == 1`, is that correct? So `Z1Z1 = Z1^2=1=Z2Z2=Z2^2=1`... Then `U1=X1`, `U2=X2`, `S1=Y1`, and so on... am I missing something? – abiessu Jan 30 '14 at 17:18
  • The division can't be right. You need to compute the multiplicative inverse modulo `FIELD`. This operation is quite expensive, and should only be performed once at the end of a scalar multiplication, not after each doubling/addition. Use `z^{-1} = ModPow(z, FIELD-2, FIELD)` – CodesInChaos Jan 30 '14 at 17:24
  • Yes, `BigInteger.ONE == 1`. Indeed, the multiplicative inverse should be used instead of the division. Good catch. I'll try it out and report what happens. – user1454590 Jan 30 '14 at 19:39
  • Works! Thank you CodesInChaos. – user1454590 Jan 31 '14 at 08:58
  • @CodesInChaos Pretty please with sugar on top, post your comment as an answer. Your answers are always right to the point, unfortunately they are without fail hiding as comments. This leaves the question open while it has already been answered. Maybe I should make an automated "codes" answer generator 'As Codes said in his comments: "The division can't be right. You need to compute the multiplicative inverse modulo FIELD. This operation is quite expensive, and should only be performed once at the end of a scalar multiplication, not after each doubling/addition.'... :) – Maarten Bodewes Feb 01 '14 at 11:52

1 Answer


CodesInChaos said:

The division can't be right. You need to compute the multiplicative inverse modulo FIELD. This operation is quite expensive, and should only be performed once at the end of a scalar multiplication, not after each doubling/addition. Use z^{-1} = ModPow(z, FIELD-2, FIELD).

Maarten Bodewes