Elliptic curves in Huff’s model∗

Hongfeng Wu1 , Rongquan Feng2

1 College of Sciences, North China University of Technology, Beijing 100144, China

[email protected]

2 LMAM, School of Mathematical Sciences, Peking University, Beijing 100871, China

[email protected]

Abstract
The general Huff curves which contains Huff’s model as a special
case is introduced in this paper. It is shown that every elliptic curve
with three points of order 2 is isomorphic to a general Huff curve. Some
fast explicit formulae for general Huff curves in projective coordinates
are presented. These explicit formulae for addition and doubling are
almost as fast as they are for the Huff curves in [9]. Finally, the
number of isomorphism classes of general Huff curves defined over a
finite field is enumerated.

Keywords: elliptic curve, Huff curve, isomorphism classes, scalar multi-

plication, cryptography

1 Introduction
The elliptic curve cryptosystem was independently proposed by Koblitz [10]
and Miller [12] which relies on the difficulty of discrete logarithmic problem in
the group of rational points on an elliptic curve. One of the main operations
and challenges in elliptic curve cryptosystems is the scalar multiplication.
∗
Supported by NSF of China (No. 10990011)

1
The speed of scalar multiplication plays an important role in the efficiency
of the whole system. Elliptic curves can be represented in different forms.
To obtain faster scalar multiplications, various forms of elliptic curves have
been extensively studied in the last two decades. Some important elliptic
curve families include Jacobi intersections, Edward curves, Jacobi quartics,
Hessian curves etc.. Details of previous works can be found in [1, 3, 9].
Recently, Joye, Tibouchi, and Vergnaud [9] revisit a model for elliptic curves
over Q introduced by Huff [8] in 1948. They presented fast explicit formulae
for point addition and doubling on Huff curves. They also addresses in [9]
the problem of the efficient evaluation of pairings over Huff curves such as
completeness and independence of the curve parameters.
In order to study the elliptic curve cryptosystem, one need first to answer
how many curves there are up to isomorphism, because two isomorphic ellip-
tic curves are the same in the point of cryptographic view. So it is natural to
count the isomorphism classes of some kinds of elliptic curves. Some formu-
lae about counting the number of the isomorphism classes of general elliptic
curves over a finite field can be found in literatures, such as [6, 11, 13, 14].
In this paper, the general Huff curves x(ay 2 − 1) = y(bx2 − 1) which
contains Huff curves ax(y 2 − 1) = by(x2 − 1) as a special case is introduced.
We show that every elliptic curve with three points of order 2 is isomorphic
to a general Huff curve. Some fast explicit formulae for general Huff curves
in projective coordinates are presented. These explicit formulae for addition
and doubling are almost as fast in the general case as they are for the Huff
curves. Finally, the number of isomorphism classes of general Huff curves
and Huff curves defined over a finite field is enumerated.
Throughout this paper, K will be a filed and Fq a finite field with q
elements. The algebraic closure of K is denoted by K.

2 General Huff curves

In [9], Joye, Tibouchi, and Vergnaud developed an elliptic curve model intro-
duced by Huff [8] in 1948 to study a diophantine problem. The Huff’s model
for elliptic curves is given by the equation ax(y 2 − 1) = by(x2 − 1). They
also presented addition formula on Huff curves. Using (0, 0, 1) as the neutral
element, the addition formula was given by
 
(x1 + x2 )(1 + x1 x2 ) (y1 + y2 )(1 + x1 x2 )
(x1 , y1 ) + (x2 , y2 ) = ,
(1 + x1 x2 )(1 − y1 y2 ) (1 − x1 x2 )(1 + y1 y2 )

2
in affine coordinates. Moreover, this addition law is unified, that is, it can be
used to double a point. Actually, curve families ax(y 2 − 1) = by(x2 − 1) are
included in curve families x(ay 2 − 1) = y(bx2 − 1). We call the curve with the
equation x(ay 2 − 1) = y(bx2 − 1) the general Huff curve. For the general Huff
curve Ha,b : x(ay 2 − 1) = y(bx2 − 1), if a = µ2 and b = ν 2 are square elements
of the field K, and let x0 = νx and y 0 = µy, then µx0 (y 02 − 1) = νy 0 (x02 − 1).
That is, curve families ax(y 2 − 1) = by(x2 − 1) are part of curve families
x(ay 2 − 1) = y(bx2 − 1) with a, b are square elements of the field K. Note
that Ha,b : x(ay 2 − 1) = y(bx2 − 1) is a smooth elliptic curve if ab(a − b) 6= 0.
Let F (X, Y, Z) := aXY 2 − bX 2 Y − XZ 2 + Y Z 2 , then the Hessian of the
curve F (X, Y, Z) = 0 is
   
 FXX FXY FXZ 
 

 −bY (aY − bX) Z 

H(F ) =  FY X FY Y FY Z  = 8  (aY − bX)
   aX −Z ,

 FZX FZY FZZ   Z −Z (X − Y ) 

where FXY is the second partial derivative of the polynomial F with respect
to X and Y . Since the general Huff curve is smooth, the inflection points of
F are the intersection points of F and H(F ). Hence, it is clear that (0, 0, 1)
is an inflection point and there is no inflection points with Z = 0.
Theorem 2.1. Let K be a field of characteristic 6= 2, and let a, b ∈ K with
a 6= b. Then the curve

Ha,b : X(aY 2 − Z 2 ) = Y (bX 2 − Z 2 )

is isomorphic to the elliptic curve

V 2 W = U (U + aW )(U + bW )

via the change of variables ϕ(X, Y, Z) = (U, V, W ), where

U = bX − aY, V = (b − a)Z, and W = Y − X.

The inverse change is ψ(U, V, W ) = (X, Y, Z), where

X = U + aW, Y = U + bW, and Z = V.

Proof. From U = bX − aY, V = (b − a)Z, and W = Y − X, we have

V 2 W = (b−a)2 (Y −X)Z 2 and U (U +aW )(U +bW ) = (b−a)2 XY (bX −aY ).
Therefore, V 2 W = U (U + aW )(U + bW ) since X(aY 2 − Z 2 ) = Y (bX 2 − Z 2 ).

3
 On the other hand, since V 2 W = U (U +aW )(U +bW ), X = U +aW, Y =
−bX
U + bW , and Z = V , we have W = X−Y a−b
and U = aYa−b . Therefore,
Z 2 (X −Y ) = XY (aY −bX), that is, X(aY 2 −Z 2 ) = Y (bX 2 −Z 2 ). Obviously,
the maps ϕ and ψ are mutually inverse to each other.

For the affine edition, the general Huff curve x(ay 2 − 1) = y(bx2 − 1)
is isomorphic to y 2 = x(x + a)(x + b) over K. Tt was proposed in [7]
that an elliptic curve E over an algebraic number field K contains a copy
of Z/2Z × Z/2Z if and only if E admits one of the normal forms y 2 =
x(x − a)(x − b), where a, b ∈ K and ab(a − b) 6= 0, and E over K contains
a copy of Z/2Z × Z/4Z if and only if E admits one of the normal forms
y 2 = x(x2 + 2(a2 + 1)x + (a2 − 1)2 )), where a ∈ K and a 6= 0, ±1. Noting
that y 2 = x(x2 + 2(a2 + 1)x + (a2 − 1)2 )) = x(x + (a + 1)2 )(x + (a − 1)2 ), E
contains a copy of Z/2Z × Z/4Z if and only if E admits one of the normal
forms y 2 = x(x + t2 )(x + (t + 2)2 ), where t ∈ K and t 6= 0, −1, −2. For
2 2a t
any a, b ∈ K with a 6= b, let u = and t = , then = a and
b−a b−a u
t+2 y
= b. Since y 2 = x(x + t2 )(x + (t + 2)2 ) is isomorphic to ( 3 )2 =
u u
x x t 2 x t+2 2
( +( ) )( 2 +( ) ), and then is isomorphic to y = x(x+a )(x+b2 ),
2 2
u2 u2 u u u
E contains a copy of Z/2Z × Z/4Z if and only if E is isomorphic over K to
a Huff curve ax(y 2 − 1) = by(x2 − 1). Therefore we give another proof of
Theorem 2 in [9]. Note that the j-invariant of the curve x(ay 2 −1) = y(bx2 −1)
(a2 − ab + b2 )3
is 28 2 2 , and the j-invariant of the curve ax(y 2 − 1) = by(x2 − 1)
a b (a − b)2
(a4 − a2 b2 + b4 )3
is j = 28 4 4 2 .
a b (a − b2 )2

2.1 Huff curves and twisted Jacobi intersections curves

Twisted Jacobi intersections elliptic curves were introduced in [5]. A twisted
Jacobi intersections elliptic curve over the field K is defined by the affine
equations au2 + v 2 = 1, bu2 + w2 = 1 or by the projective equations aU 2 +
V 2 = Z 2 , bU 2 + W 2 = Z 2 , where a, b ∈ K with ab(a − b) 6= 0. In [5],
it was shown that a twisted Jacobi intersections curve Ea,b : au2 + v 2 =
1, bu2 + w2 = 1 with ab(a − b) 6= 0 is a smooth curve and is isomorphic
to an elliptic curve y 2 = x(x − a)(x − b) over K. However, every elliptic
curve over K having three K-rational points of order 2 is isomorphic to

4
a twisted Jacobi intersections curve. Since the general Huff curve Ha,b :
x(ay 2 − 1) = y(bx2 − 1) is isomorphic to y 2 = x(x + a)(x + b) over K, the
general Huff curve Ha,b : x(ay 2 − 1) = y(bx2 − 1) is isomorphic to a twisted
Jacobi intersections curve −au2 + v 2 = 1, − bu2 + w2 = 1. Especially, a Huff
curve ax(y 2 − 1) = by(x2 − 1) is isomorphic to a twisted Jacobi intersections
curve −a2 u2 + v 2 = 1, − b2 u2 + w2 = 1. Actually, as proposed in [9], Huff [8]
considered rational distance sets S with some forms. Such a point must then
satisfy the equations x2 +a2 = u2 and x2 +b2 = v 2 with u, v ∈ Q. The system
of associated homogeneous equations x2 +a2 z 2 = u2 and x2 +b2 z 2 = v 2 defines
a curve of genus 1 in P3 . This homogeneous equations is just a twisted Jacobi
intersections curve

−a2 z 2 + u2 = x2 , −b2 z 2 + v 2 = x2 .

It is smooth if and only if a2 6= b2 and ab 6= 0 according to Theorem 1 in [5].

2.2 Huff curves and twisted Edwards curves

In [2] it is proved that every Edwards curve Ed : x2 + y 2 = 1 + dx2 y 2 is
birationally equivalent to a Montogomery curve MA,B : By 2 = x3 + Ax2 + x
via  
x x−1
ϕ : M 2(1+d) , d → Ed with (x, y) 7→ , .
1−d 1−d y x+1
The map is not defined everywhere. However, this maps can be extended
to give an everywhere-defined isomorphism between the respective desingu-
larized projective models. The extended map takes the neutral element to
the neutral element, hence, ϕ and ϕ−1 commute with the group structures.
Moreover, the twisted Edwards curve Ea,d : ax2 +y 2 = 1+dx2 y 2 is isomorphic
to M 2(a+d) , 4 . Since the Huff curve ax(y 2 − 1) = by(x2 − 1) is isomorphic
(a−d) (a−d)
1 2 2 2
to M a2 +b2 , 1 : ab
y = x3 + a ab
+b
x2 + x, the Huff curve ax(y 2 − 1) = by(x2 − 1)
ab ab
is isomorphic to the Edwards curve E( a−b )2 : x2 + y 2 = 1 + ( a−b
a+b
)2 x2 y 2 .
a+b

3 Enumeration of isomorphism classes

Let E be an elliptic curve over a field K given by a Weierstrass equation

E : Y 2 = X 3 + a2 X 2 + a4 X + a6

5
with a2 , a4 , a6 ∈ K. An admissible change of variables defined over an exten-
sion field L/K in a Weierstrass equation is one of the form
X 0 = u2 X + r and Y 0 = u3 Y
with u, r ∈ L and u 6= 0. The elliptic curves E1 /K and E2 /K are said to be
isomorphic over L, denote by E1 ∼ =L E2 , if there is an admissible change of
variables defined over L transforming E1 to E2 .
0
Let E1 /K : Y 2 = X 3 + a2 X 2 + a4 X + a6 and E2 /K : Y 2 = X 3 + a2 X 2 +
0 0
a4 X + a6 be two elliptic curves defined over K. It is well known from the
definition that E1 ∼
=L E2 if and only if there exists u, r ∈ L and u 6= 0 satisfy
the following equations
 2 0
 u a2 = a2 + 3r,
0
u4 a4 = a4 + 2ra2 + 3r2 , (1)
 6 0 2 3
u a6 = a6 + ra4 + r a2 + r .
Note that E1 and E2 are isomorphic over K if and only if j(E1 ) = j(E2 ).
If K = Fq is a finite field, then the statement is not true. We have only
j(E1 ) = j(E2 ) if E1 and E2 are isomorphic over Fq . The reader is referred to
[15] for more results on the isomorphism of elliptic curves.
The Legendre elliptic curve over K is defined as
Eλ : y 2 = x(x − 1)(x − λ),
where λ ∈ K. It is clear that the Legendre curve Eλ is nonsingular for
λ 6= 0, 1. The points O, (0, 0), (1, 0), and (λ, 0) are all the 2-division points,
2 −λ+1)3
that is, the points of order 2. The j-invariant of Eλ is j(Eλ ) = 28 (λλ2 (λ−1) 2 .

In this section, let K = Fq . It is clear that any general Huff elliptic curve
is isomorphic to a Legendre curve over the algebraic closure Fq . From the
enumeration result of the isomorphism classes of Legendre curves over Fq
([6]), we have the following theorem.
Theorem 3.1. Suppose Fq is a finite field with q elements and char(Fq ) 6=
2, 3. Let N q denote the number of Fq -isomorphism classes of general Huff
curves Ha,b : x(ay 2 − 1) = y(bx2 − 1)(which is the same as the Huff curves
ax(y 2 − 1) = by(x2 − 1)) defined over Fq with ab(a − b) 6= 0. Then
 q+5
 , if q ≡ 1, 7 (mod 12),
6

Nq =
 q + 1,

if q ≡ 5, 11 (mod 12).
6

6
3.1 Fq -isomorphism classes of Huff curves
Since ax(y 2 − 1) = by(x2 − 1) is Fq -isomorphic to y 2 = x(x + a2 )(x + b2 ), it is
also Fq -isomorphic to y 2 = x(x − 1)(x − (1 − t2 )) by (x, y) → (x/a2 + 1, y/a3 ),
where t = b/a.
Lemma 3.2. The Huff curves ax(y 2 − 1) = by(x2 − 1) with a, b ∈ Fq and
ab(a − b) 6= 0 (or curves y 2 = x(x − 1)(x − (1 − t2 )) with t ∈ Fq and t 6= 0, 1)
are isomorphic to Legendre curves y 2 = x(x − 1)(x − λ) with at least one of
λ, 1 − λ is a square element over Fq .
The following lemma can be gotten easily.
Lemma 3.3. Suppose that Fqisa finite field
 with
 char(Fq ) > 3. Let N (s, t)
be the number of a ∈ Fq with aq = s and 1−a q
= t. Then
 q−1
 , if q ≡ 1(mod 4),
4

N (−1, −1) =
 q + 1,

if q ≡ 3(mod 4).
4
Firstly, assume that q ≡ 1(mod 4). According to [6], we can divide the
Legendre elliptic curves Eb : y 2 = x(x − 1)(x − b) with b 6= 0, 1, into the
following 4 disjoint sets H1 , H2 , H3 and H4 , where
n     o
2 b 1−b
H1 = y = x(x − 1)(x − b)| q = q = 1 ,
n     o
2 b 1−b
H2 = y = x(x − 1)(x − b)| q = 1, q = −1 ,
n     o
H3 = y 2 = x(x − 1)(x − b)| qb = −1, 1−b = 1 ,
n    q  o
H4 = y 2 = x(x − 1)(x − b)| qb = −1, 1−b q
= −1 .

From Lemma 3.3, we get that |H1 | = q−5

4
and |H2 | = |H3 | = |H4 | = q−1
4
.
Therefore, We know from [6] the Legendre curves from the 3 distinct sets
H1 , H2 ∪ H3 and H4 can not be Fq -isomorphic to each other. let Nq,H4 be
the number of Fq -isomorphism classes of Legendre elliptic curves H4 . Then
we have ([6])
 q−1
 , if q ≡ 1, 17 (mod 24),
8

Nq,H4 =
 q + 3,

if q ≡ 5, 13 (mod 24).
8
7
 Secondly, assume that q ≡ 3(mod 4). The number of Legendre curves
Eλ : y 2 = x(x − 1)(x − b) with b and 1 − b are non-square elements equals
to q+1
4
. From [6], the number of curves isomorphic to a given curve with
both b and 1 − b are non-square elements equals to 3 if the j-invariant j 6= 0,
and equals to 2 otherwise. But j = 0 occurs only when q ≡ 7(mod 12).
Therefore, the number of Fq -isomorphism classes of Huff curves equals to
 q+1 q+5
 (
 − 2)/3 + 1 = , if q ≡ 7 (mod 12),
4 12
 ( q + 1 )/3 = q + 1 ,

if q ≡ 11 (mod 12).
4 12
By subtracting above numbers from the number of Fq -isomorphism classes
of Legendre curves ([6]), we have the following enumeration result.
Theorem 3.4. Suppose Fq is a finite field with q elements and char(Fq ) > 3.
Let Nq be the number of Fq -isomorphism classes of Huff curves ax(y 2 − 1) =
by(x2 − 1) defined over Fq with ab(a − b) 6= 0. Then
q+5


 , if q ≡ 1 (mod 12),



 6

 q+1
, if q ≡ 5 (mod 12),


6

Nq =
q+1
if q ≡ 7 (mod 12),


 ,



 4
 q − 3,


if q ≡ 11 (mod 12).

4

3.2 Fq -isomorphism classes of general Huff curves

In order to enumerate the Fq -isomorphism classes of general Huff curves, it
is sufficient to count the Fq -isomorphism classes of elliptic curves of the form
Ba,b : y 2 = x(x−a)(x−b). For any elliptic curve y 2 = x3 +ax+b defined over
Fq , the number of elliptic curves which are Fq -isomorphic to y 2 = x3 + ax + b
equals to ([11])
q−1


 , if a = 0 and q ≡ 1 ( mod 3),
 6


q−1
, if b = 0 and q ≡ 1 ( mod 4),
 4
 q − 1,


otherwise.

2
8
Let E be an elliptic curve with at least one order 2 point then by moving this
point to (0, 0) it can be changed to the form Ea,b : y 2 = x3 + ax2 + bx. The
2 −3b)3
j-invariant of Ea,b is 256(a
b2 (a2 −4b)
. Note that j(Ea,b ) = 0 if and only if a2 = 3b,
and j(Ea,b ) = 1728 if and only if a(9b − 2a2 ) = 0 since Ea,b is isomorphic
to the elliptic curve y 2 = x2 − (a2 − 3b)x + (1/2)a(9b − 2a2 ). Every order
2 point admits this change, hence, the number of elliptic curves which is Fq
isomorphic to Ea,b equals to
q−1


 , if j = 0 and q ≡ 1 (mod 3),

 2
3(q − 1)

, if j = 1728 and q ≡ 1 (mod 4),
 4
 3(q − 1) ,


otherwise.

2
if the curve has three order 2 points.
The number of elliptic curves with three order 2 points equals to (q−1)(q−2) 2
since they admit the normal forms y 2 = x(x − a)(x − b). Hence, the number
of elliptic curves with only one order 2 points equals to q(q − 1) − (q−1)(q−2) 2
−
q(q−1) 2 3 2
(q − 1) = 2 . The number of elliptic curves Ea,b : y = x + ax + bx with
j(Ea,b ) = 0 equals to q − 1 since j(Ea,b ) = 0 if and only if a2 = 3b. Thus, if
it possess three order 2 points then
 2     
a − 4b −b −3
1= = = .
q q q
Hence, the number of elliptic curves Ea,b : y 2 = x3 + ax2 + bx possess three
order 2 points with j(Ea,b ) = 0 equals to (q − 1) if q ≡ 1 (mod 3), and equals
to 0 if q ≡ 2 (mod 3). Similarly, j(Ea,b ) = 1728 if and only if a(9b − 2a2 ) = 0
and then if and only if b = 2(a/3)2 . Therefore, the number of elliptic curves
Ea,b : y 2 = x3 + ax2 + bx with j(Ea,b ) = 1728 equals to (q − 1) + (q − 1) =
2(q − 1). Thus, if it possess three order 2 points then a2 − 4b is a square
element in Fq . From 9b = 2a2 we have a2 − 4b = b/2 = (a/3)2 . Hence,
the number of elliptic curves Ea,b : y 2 = x3 + ax2 + bx possess three order
2 points with j(Ea,b ) = 1728 equals to 3(q−1)2
. Thus, the number of elliptic
curves Ea,b : y 2 = x3 + ax2 + bx which possess three order 2 points with
j(Ea,b ) 6= 0, 1728 equals to

 (q − 1)(q − 7) ,

if q ≡ 1 (mod 3),
2
 (q − 1)(q − 5) ,

if q ≡ 2 (mod 3).
2
9
 By the above argument, the number of Fq -isomorphism classes of elliptic
curves Ba,b : y 2 = x(x − a)(x − b) defined over Fq equals to

3(q − 1) (q − 1)(q − 7)
q−1 2 2 q+5
+ + =
q−1 3(q − 1) 3(q − 1) 3
2 4 2
if q ≡ 1 (mod 12). Other cases can be computed similarly. Therefore we
have the following theorem.

Theorem 3.5. Let Fq be a finite field with q elements and char(Fq ) > 3. Let
Nq0 denote the number of Fq -isomorphism classes of x(ay 2 − 1) = y(bx2 − 1)
defined over Fq with ab(a − b) 6= 0. Then

q+5


 , if q ≡ 1 (mod 12),



 3

 q+1
, if q ≡ 5 (mod 12),


3

0
Nq =
q+2
if q ≡ 7 (mod 12),


 ,



 3
 q − 2,


if q ≡ 11 (mod 12).

3

4 Arithmetic on general Huff curves

Let C be a nonsingular cubic curve defined over a field K, and let O be a
point on C(K). For any two points P and Q, the line through P and Q
meets the cubic curve C at one more point, denoted by P Q. With a point
O as zero element and the chord-tangent composition P Q we can define the
group law P + Q by P + Q = O(P Q) on C(K) making C(K) into an abelian
group with O as zero element and −P = P (OO). If O is an inflection point
then −P = P O and OO = O.

4.1 The addition law on general Huff curves

Let the line joining P = (x1 , y1 ) and Q = (x2 , y2 ) be y = y1 + λ(x − x1 ) =
λx + µ, where λ is the slope of the line. Substituting this expression for y

10
into the Huff equation x(ay 2 − 1) = y(bx2 − 1), we get x(a(λx + µ)2 − 1) =
(λx + µ)(bx2 − 1), that is,

(aλ2 − bλ)x3 + (2aλµ − bµ)x2 + (aµ2 + λ − 1)x + µ = 0.

Let P Q = (x3 , y3 ), then

2aλµ − bµ
x1 + x2 + x3 = − .
aλ2 − bλ
Hence,

[2a(y2 − y1 ) − b(x2 − x1 )](x2 y1 − x1 y2 )

−x3 = x1 + x2 + .
(y2 − y1 )(a(y2 − y1 ) − b(x2 − x1 ))

Noting that

(a(y2 − y1 ) − b(x2 − x1 ))(x2 + x1 )y1 y2

= (a(x1 y2 + x1 y2 − x2 y1 − x1 y1 ) − bx22 + bx21 ) y1 y2
= (ax2 y22 − bx2 y2 )y1 − (ax1 y12 − bx21 y1 )y2 + a(x1 y2 − x2 y1 )y1 y2
= (x2 − y2 )y1 − (x1 − y1 )y2 + a(x1 y2 − x2 y1 )y1 y2
= (x1 y2 − x2 y1 )(ay1 y2 − 1),

we have
a(x1 + x2 )y1 y2 (a(y2 − y1 ) − b(x2 − x1 ))(x2 + x1 )y1 y2
−x3 = x1 + x2 − +
ay1 y2 − 1 (y1 − y2 )(ay1 y2 − 1)
x1 y2 − x2 y1 a(x1 + x2 )y1 y2
= x1 + x2 + −
y1 − y2 ay1 y2 − 1
x1 y1 − x2 y2 a(x1 + x2 )y1 y2
= − .
y1 − y2 ay1 y2 − 1
(2)
From
(y1 − y2 ) (ax1 x2 (y1 + y2 ) + (x1 + x2 ))
= (ax1 y12 + y1 )x2 − (ax2 y22 + y2 )x1 + (x1 y1 − x2 y2 )
= (bx21 y1 + x1 )x2 − (bx2 y22 + x2 )x1 + (x1 y1 − x2 y2 )
= bx1 x2 ((x1 y1 − x2 y2 )) + (x1 y1 − x2 y2 )
= (x1 y1 − x2 y2 )(bx1 x2 + 1),
we get
x1 y 1 − x2 y 2 ax1 x2 (y1 + y2 ) + (x1 + x2 )
= .
y1 − y2 bx1 x2 + 1

11
Furthermore, from formula (2) we get
ax1 x2 (y1 + y2 ) + (x1 + x2 ) a(x1 + x2 )y1 y2
−x3 = −
bx1 x2 + 1 ay1 y2 − 1
(ax1 x2 (y1 + y2 ) + (x1 + x2 ))(ay1 y2 − 1) − a(x1 + x2 )y1 y2 (bx1 x2 + 1)
= .
(bx1 x2 + 1)(ay1 y2 − 1)
(3)
Again from

(ax1 x2 (y1 + y2 ) + (x1 + x2 ))(ay1 y2 − 1) − a(x1 + x2 )y1 y2 (bx1 x2 + 1)

= a2 x1 x2 (y1 + y2 )y1 y2 − ax1 x2 (y1 + y2 ) − (x1 + x2 ) − ab(x1 + x2 )x1 x2 y1 y2
= a(ax1 y12 x2 y2 + ax2 y22 x1 y1 − bx21 y1 x2 y2 − bx22 y2 x1 y1 ) − ax1 x2 (y1 + y2 ) − (x1 + x2 )
= a((x1 − y1 )x2 y2 + (x2 − y2 )x1 y1 ) − ax1 x2 (y1 + y2 ) − (x1 + x2 )
= −ax2 y1 y2 − ax1 y1 y2 − (x1 + x2 )
= −(x1 + x2 )(1 + ay1 y2 ),
(4)
we have
(x1 + x2 )(ay1 y2 + 1)
x3 = .
(bx1 x2 + 1)(ay1 y2 − 1)
Similarly, by symmetry we have
(y1 + y2 )(bx1 x2 + 1)
y3 = .
(bx1 x2 − 1)(ay1 y2 + 1)
we claim that the third intersection point (x3 , y3 ) of the tangent line at P
has coordinates
2x1 (ay12 + 1) 2y1 (bx21 + 1)
x3 = , and y3 = .
(bx21 + 1)(ay12 − 1) (bx21 − 1)(ay12 + 1)
Note that the slope of the tangent line at P is
ay12 − 2bx1 y1 − 1
λP = 2 .
bx1 − 2ax1 y1 − 1
In order to prove the claim we need only to check
2y1 (bx21 + 1)
− y1
ay12 − 2bx1 y1 − 1 (bx21 − 1)(ay12 + 1)
= .
bx21 − 2ax1 y1 − 1 2x1 (ay12 + 1)
− x1
(bx21 + 1)(ay12 − 1)

12
This is true since the right side of the above equation is

2y1 (bx21 + 1) − y1 (bx21 − 1)(ay12 + 1) (bx21 + 1)(ay12 − 1)

2x1 (ay12 + 1) − x1 (bx21 + 1)(ay12 − 1) (bx21 − 1)(ay12 + 1)

y1 (bx21 + ay12 − abx21 y12 + 3) (bx21 + 1)(ay12 − 1)

=
x1 (bx21 + ay12 − abx21 y12 + 3) (bx21 − 1)(ay12 + 1)

y1 (bx21 + 1)(ay12 − 1) (ay12 − 1)(−y1 (bx21 + 1))

= =
x1 (bx21 − 1)(ay12 + 1) (bx21 − 1)(−x1 (ay12 + 1))

(ay12 − 1)(y1 (bx21 − 1) − 2bx21 y1 ) (ay12 − 1)(x1 (ay12 − 1) − 2bx21 y1 )

= =
(bx21 − 1)(x1 (ay12 − 1) − 2ax1 y12 ) (bx21 − 1)(y1 (bx21 − 1) − 2ax1 y12 )

(ay12 − 1)(x1 (ay12 − 2bx1 y1 − 1)) x1 (ay12 − 1)(ay12 − 2bx1 y1 − 1)

= =
(bx21 − 1)(y1 (bx21 − 2ax1 y1 − 1)) y1 (bx21 − 1)(bx21 − 2ax1 y1 − 1)

ay12 − 2bx1 y1 − 1
= = λP .
bx21 − 2ax1 y1 − 1

Let Ha,b be a general Huff curve X(aY 2 − Z 2 ) = Y (bX 2 − Z 2 ). We know

that (0, 0, 1) is an inflection point and (1, 0, 0), (0, 1, 0) and (a, b, 0) are exactly
the three infinite points from Section 2. For any two points P = (X1 , Y1 , Z1 )
and Q = (X2 , Y2 , Z2 ), the third intersection point (U3 , V3 , W3 ) of the line
joining P and Q has coordinates

 U3 = (X1 Z2 + X2 Z1 )(bX1 X2 − Z1 Z2 )(aY1 Y2 + Z1 Z2 )2 ,
V3 = (Y1 Z2 + Y2 Z1 )(aY1 Y2 − Z1 Z2 )(bX1 X2 + Z1 Z2 )2 ,
W3 = (b2 X12 X22 − Z12 Z22 )(a2 Y12 Y22 − Z12 Z22 ).


Firstly, choose O = (1, 0, 0) as then neutral element. Then for any

point P = (X1 , Y1 , Z1 ) with X1 Y1 Z1 6= 0 on the curve, the point OP =
(−Z12 , bX1 Y1 , bX1 Z1 ). Furthermore OO = (0, 0, 1), O(a, b, 0) = (0, 1, 0),
O(0, 1, 0) = (a, b, 0), O(0, 0, 1) = (1, 0, 0), and −(X1 , Y1 , Z1 ) = (X1 , Y1 , −Z1 ).
Hence, let P + Q = (X3 , Y3 , Z3 ), then

 X3 = (bX1 X2 − Z1 Z2 )(bX1 X2 + Z1 Z2 )(Z1 Z2 − aY1 Y2 ),
Y3 = b(X1 Z2 + X2 Z1 )(bX1 X2 + Z1 Z2 )(Y1 Z2 + Y2 Z1 ), (5)
Z3 = b(X1 Z2 + X2 Z1 )(bX1 X2 − Z1 Z2 )(aY1 Y2 + Z1 Z2 ).


13
The affine addition formula is
 
(bx1 x2 + 1)(1 − ay1 y2 ) (y1 + y2 )(bx1 x2 + 1)
(x1 , y1 ) + (x2 , y2 ) = , .
b(x1 + x2 )(1 + ay1 y2 ) (1 + ay1 y2 )(bx1 x2 − 1)
Secondly, choose O = (0, 1, 0) as the neutral element. Then for any
point P = (X1 , Y1 , Z1 ) with X1 Y1 Z1 6= 0 on the curve, the point OP =
(aX1 Y1 , −Z12 , aY1 Z1 ). We also have OO = (0, 0, 1), O(a, b, 0) = (1, 0, 0),
O(1, 0, 0) = (a, b, 0), O(0, 0, 1) = (0, 1, 0), and −(X1 , Y1 , Z1 ) = (X1 , Y1 , −Z1 ).
Hence, letP + Q = (X3 , Y3 , Z3 ), then

 X3 = a(X1 Z2 + X2 Z1 )(Y1 Z2 + Y2 Z1 )(aY1 Y2 + Z1 Z2 ),
Y3 = (Z1 Z2 − bX1 X2 )(aY1 Y2 − Z1 Z2 )(aY1 Y2 + Z1 Z2 ), (6)
Z3 = a(bX1 X2 + Z1 Z2 )(aY1 Y2 − Z1 Z2 )(Y1 Z2 + Y2 Z1 ).


The affine addition formula is

 
(x1 + x2 )(1 + ay1 y2 ) (1 − bx1 x2 )(1 + ay1 y2 )
(x1 , y1 ) + (x2 , y2 ) = , .
(1 + bx1 x2 )(ay1 y2 − 1) a(y1 + y2 )(bx1 x2 + 1)
Thirdly, choose O = (0, 0, 1) as the neutral element. Then for any
point P = (X1 , Y1 , Z1 ) with X1 Y1 Z1 6= 0 on the curve, the point OP =
(aX1 Y1 , −Z12 , aY1 Z1 ). Now OO = (0, 0, 1) and −(X1 , Y1 , Z1 ) = (X1 , Y1 , −Z1 ).
Hence, let P + Q = (X3 , Y3 , Z3 ), then

 X3 = (X1 Z2 + X2 Z1 )(aY1 Y2 + Z1 Z2 )2 (Z1 Z2 − bX1 X2 ),
Y3 = (Y1 Z2 + Y2 Z1 )(bX1 X2 + Z1 Z2 )2 (Z1 Z2 − aY1 Y2 ), (7)
Z3 = (b2 X12 X22 − Z12 Z22 )(a2 Y12 Y22 − Z12 Z22 ).


The affine addition formula is

 
(x1 + x2 )(ay1 y2 + 1) (y1 + y2 )(1 + bx1 x2 )
(x1 , y1 ) + (x2 , y2 ) = , .
(1 + bx1 x2 )(1 − ay1 y2 ) (1 + ay1 y2 )(1 − bx1 x2 )

The Addition Law on the Huff curve ax(y 2 − 1) = by(x2 − 1). Let
us consider the curve aX(Y 2 − Z 2 ) = bY (X 2 − Z 2 ). For any two points
P = (X1 , Y1 , Z1 ) and Q = (X2 , Y2 , Z2 ) on the curve, the third intersection
point (U3 , V3 , W3 ) of the line joining P and Q has coordinates ([9])

 U3 = (X1 Z2 + X2 Z1 )(X1 X2 − Z1 Z2 )(Y1 Y2 + Z1 Z2 )2 ,
V3 = (Y1 Z2 + Y2 Z1 )(Y1 Y2 − Z1 Z2 )(X1 X2 + Z1 Z2 )2 ,
W3 = (X12 X22 − Z12 Z22 )(Y12 Y22 − Z12 Z22 ).


14
 Choose O = (1, 0, 0) as the neutral element. Then for any point P =
(X1 , Y1 , Z1 ) with X1 Y1 Z1 6= 0 on the curve, the point OP = (−Z12 , X1 Y1 , X1 Z1 ).
Furthermore OO = (0, 0, 1), O(a, b, 0) = (0, 1, 0), O(0, 1, 0) = (a, b, 0), O(0, 0, 1) =
(1, 0, 0) and −(X1 , Y1 , Z1 ) = (X1 , Y1 , −Z1 ). Hence, let P + Q = (X3 , Y3 , Z3 )
then

 X3 = (X1 X2 − Z1 Z2 )(X1 X2 + Z1 Z2 )(Z1 Z2 − Y1 Y2 ),
Y3 = (X1 Z2 + X2 Z1 )(X1 X2 + Z1 Z2 )(Y1 Z2 + Y2 Z1 ), (8)
Z3 = (X1 Z2 + X2 Z1 )(X1 X2 − Z1 Z2 )(Z1 Z2 + Y1 Y2 ).


Similarly, choose O = (0, 1, 0) as the neutral element Then for any

point P = (X1 , Y1 , Z1 ) with X1 Y1 Z1 6= 0 on the curve, the point OP =
(X1 Y1 , −Z12 , Y1 Z1 ). Now we have OO = (0, 0, 1), O(a, b, 0) = (1, 0, 0), O(1, 0, 0) =
(a, b, 0), O(0, 0, 1) = (0, 1, 0), and −(X1 , Y1 , Z1 ) = (X1 , Y1 , −Z1 ). Hence, let
P + Q = (X3 , Y3 , Z3 ) then ([9])

 X3 = (X1 Z2 + X2 Z1 )(Y1 Z2 + Y2 Z1 )(Y1 Y2 + Z1 Z2 ),
Y3 = (X1 X2 − Z1 Z2 )(Z1 Z2 − Y1 Y2 )(Y1 Y2 + Z1 Z2 ), (9)
Z3 = (X1 X2 + Z1 Z2 )(Y1 Y2 − Z1 Z2 )(Y1 Z2 + Y2 Z1 ).


Now we choose O = (0, 0, 1) as the neutral element. Let P + Q =

(X3 , Y3 , Z3 ) then ([9])

 X3 = (X1 Z2 + X2 Z1 )(Y1 Y2 + Z1 Z2 )2 (Z1 Z2 − X1 X2 ),
Y3 = (Y1 Z2 + Y2 Z1 )(X1 X2 + Z1 Z2 )2 (Z1 Z2 − Y1 Y2 ), (10)
Z3 = (Z12 Z22 − X12 X22 )(Z12 Z22 − Y12 Y22 ).


4.2 Algorithms
Noting that formula (5) and (6) are symmetric to each other, we need only
to consider the formula (5) in algorithms.
Addition on X(aY 2 − Z 2 ) = Y (bX 2 − Z 2 ). By formula (5), the following
algorithm compute (X3 : Y3 : Z3 ) = (X1 : Y1 : Z1 ) + (X2 : Y2 : Z2 ) in
11M +3D costs, i.e., 11 field multiplications and 3D constant multiplications
by a, b and 1/b respectively.
A = X1 X2 ; B = Y1 Y2 ; D = Z1 Z2 ; E = bA; F = aB;
G = (X1 + Z1 )(X2 + Z2 ) − A − D;
H = (Y1 + Z1 )(Y2 + Z2 ) − B − D;
X3 = (1/b) · (E + D)(E − D)(D − F );
Y3 = GH(E + D);
Z3 = G(E − D)(F + D).

15
By formula (7), the following algorithm compute (X3 : Y3 : Z3 ) = (X1 : Y1 :
Z1 )+(X2 : Y2 : Z2 ) in 12M +2D costs, where 2D are constant multiplications
by a and b respectively.

A = X1 X2 ; B = Y1 Y2 ; D = Z1 Z2 ; E = bA; F = aB;
G = (X1 + Z1 )(X2 + Z2 ) − A − D;
H = (Y1 + Z1 )(Y2 + Z2 ) − B − D;
L = (D − E)(D + F ); M = (D + E)(D − F );
X3 = GL(D + F ); Y3 = HM (D + E); Z3 = LM.

Doubling on X(aY 2 − Z 2 ) = Y (bX 2 − Z 2 ). By formula (5), the following

algorithm compute (X3 : Y3 : Z3 ) = 2(X1 : Y1 : Z1 ) costs 6M + 5S + 3D,
where 3D are constant multiplications by a, b and 1/b respectively.

A = X12 ; B = Y12 ; C = Z12 ; D = bA; E = aB;

F = (X1 + Z1 )2 − A − C;
G = (Y1 + Z1 )2 − B − C;
X3 = (D − C)(D + C)(C − E);
Y3 = F G(C + D);
Z3 = F (D − C)(C + E).

By formula (7), the following algorithm compute (X3 : Y3 : Z3 ) = 2(X1 : Y1 :

Z1 ) in 7M + 5S + 2D costs, where 2D are constant multiplications by a and
b respectively.

A = X12 ; B = Y12 ; C = Z12 ; D = bA; E = aB;

F = (X1 + Z1 )2 − A − C;
G = (Y1 + Z1 )2 − B − C;
L = (E + C)(C − D); M = (C + D)(C − E);
X3 = LF (C + E); Y3 = GM (C + D); Z3 = LM.

The costs of addition and doubling on the Huff curve aX(Y 2 − Z 2 ) =

bY (X 2 − Z 2 ) are 11M and 7M + 5S, respectively in [9]. Therefore, the addi-
tion in general Huff curves X(aY 2 − Z 2 ) = Y (bX 2 − Z 2 ) are almost as fast as
that in the curves aX(Y 2 − Z 2 ) = bY (X 2 − Z 2 ), but the general Huff curves
possess more curves.

Tripling on X(aY 2 − Z 2 ) = Y (bX 2 − Z 2 ).

We can get the tripling formula from addition formula when using O =

16
(1, 0, 0) as the neutral element. Assuming that (X3 : Y3 : Z3 ) = 3(X1 : Y1 :
Z1 ), then

X3 = X1 (abX12 Y12 − aY12 Z12 − bX12 Z12 − 3Z14 )(abX12 Y12 + 3aY12 Z12 + Z14 − bX12 Z12 )2 ;
Y3 = Y1 (abX12 Y12 − aY12 Z12 − bX12 Z12 − 3Z14 )(abX12 Y12 + 3bX12 Z12 + Z14 − aY12 Z12 )2 ;
Z3 = Z1 (abX12 Y12 + 3aY12 Z12 + Z14 − bX12 Z12 )(abX12 Y12 + 3bX12 Z12 + Z14 − aY12 Z12 )
· (3abX12 Y12 + aY12 Z12 + bX12 Z12 − Z14 ).

This algorithm compute (X3 : Y3 : Z3 ) = 3(X1 : Y1 : Z1 ) costs 10M + 6S by

using temporary variables X12 , Y12 , Z12 , Z14 , X12 Y12 , Y1 Z12 , X1 Z12 .
Similarly, we can also get the tripling formula from addition formula when
using O = (0, 0, 1) as the neutral element. Assuming that (X3 : Y3 : Z3 ) =
3(X1 : Y1 : Z1 ), then

X3 = X1 (Z14 − bX12 Z12 + 3aY12 Z12 + abX12 Y12 )2 (3Z14 + bX12 Z12 + aY12 Z12 − abX12 Y12 );
Y3 = Y1 (Z14 + 3bX12 Z12 − aY12 Z12 + abX12 Y12 )2 (3Z14 + bX12 Z12 + aY12 Z12 − abX12 Y12 );
Z3 = Z1 (Z14 + 3bX12 Z12 − aY12 Z12 + abX12 Y12 )(Z14 − bX12 Z12 − aY12 Z12 − 3abX12 Y12 )
· (Z14 − bX12 Z12 + 3aY12 Z12 + abX12 Y12 ).

The following formula can be used to triple the points on general Huff curves
which is independent with the curve parameter a and b.

X3 = X1 (Z14 − X12 Z12 + 3Y12 Z12 + X12 Y12 )2 (3Z14 + X12 Z12 + Y12 Z12 − X12 Y12 );
Y3 = Y1 (Z14 + 3X1 Z1 − Y12 Z12 + X12 Y12 )2 (3Z14 + X12 Z12 + Y12 Z12 − X12 Y12 );
Z3 = Z1 (Z14 + 3X1 Z1 − Y12 Z12 + X12 Y12 )(Z14 − X12 Z12 − Y12 Z12 − 3X12 Y12 )
· (Z14 − X12 Z12 + 3Y12 Z12 + X12 Y12 ).

This algorithm compute (X3 : Y3 : Z3 ) = 3(X1 : Y1 : Z1 ) in 10M + 6S + 3D

costs by using temporary variables X12 , Y12 , Z12 , Z14 , X12 Y12 , Y1 Z12 , X1 Z12 .

References
[1] D. J. Bernstein, and T. Lange, Explicit-formulae database. URL:
http://www.hyperelliptic.org/EFD.

[2] D. J. Bernstein, P. Birkner, M. Joye, T. Lange, and C. Peters,

Twisted Edwards curves, In AFRICACRYPT 2008, LNCS 5023, 389-
405, Springer, 2008.

17
 [3] D. J. Bernstein and T. Lange, Analysis and optimization of elliptic-
curve single-scalar multiplication, Cryptology ePrint Archive, Report
2007/455.
[4] W. Castryck, S.D. Galbraith and R. Rezaeian Farashahi, Efficient arith-
metic on elliptic curves using a mixed Edwards-Montgomery represen-
tation, eprint 2008/218.
[5] R. Feng, M. Nie and F. Wu, Twisted Jacobi intersections curvesTAMC
2010, LNCS, 6108, pp 199-210, Springer, 2010. Cryptology ePrint
Archive, Report 2009/597.
[6] R. Feng and H. Wu, On the isomorphism classes of Legendre elliptic
curves over finite fields, arXiv:1001.2871, 2010.
[7] G. Fung, H. Ströher, H. Williams and H. Zimmer, Torsion groups of
elliptic curves with integral j-invariant over pure cubic fields, Journal of
Number Theory, Volume 36, Issue 1, September 1990, Pages 12-45.
[8] G. B. Huff, Diophantine problems in geometry and elliptic ternary forms.
Duke Math. J., 15:443-453, 1948.
[9] Marc Joye, Mehdi Tibouchi, and Damien Vergnaud, Huff’s model for
elliptic curves, In G.Hanrot, F.Morain and E. Thomé, Eds, Algorithmic
Number Theory (ANTS-IX), LNCS 6197, pp. 234-250, Springer, 2010.
[10] N. Koblitz, Elliptic curve cryptosystems, Math. Comp., 48(177), (1987),
203-209.
[11] A.J. Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer Aca-
demic Publishers, 1993.
[12] V.S. Miller, Use of elliptic curves in cryptography, Advances in
Cryptology-Crypto 1985, Lecture Notes in Comp. Sci., vol. 218,
Springer-Verlag, 1986, 417-426.
[13] R. Rezaeian Farashahi and I. E. Shparlinski. On the number of distinct
elliptic curves in some families, Designs, Codes and Cryptography, 83-
99, Vol.54, No.1, 2010.
[14] R. Schoof, Nonsigular plane cubic curves over finite field, J. Combine,
Theory Ser. A 46(1987), 183-211.

18
[15] J.H. Silverman, The Arithmetic of Elliptic Curves, volume 106 of Grad-
uate Texts in Mathematics, Springer-Verlag, 1986.

19