Projective Short Weierstrass form

Let $F$ be a finite field of order $q$ and characteristic $> 3$, let $a, b ∈ F$ be two field elements such that $4a^3 + 27b^2 \mod q \neq 0$ and let $FP^2$ be the projective plane over $F$. Then a projective Short Weierstrass elliptic curve over $F$ is the set of all points $[X : Y : Z] ∈ FP^2$ from the projective plane that satisfy the cubic equation $Y^2 · Z = X^3 + a · X · Z^2 + b · Z^3$:

$$E(FP^2) = \{[X : Y : Z] \in FP^2 | Y^2 · Z = X^3 + a · X · Z^2 + b · Z^3\}.$$

In projective geometry, points at infinity are given by projective coordinates $[X : Y : 0]$. Inserting representatives $(x_1, y_1, 0) ∈ [X : Y : 0]$ from those coordinates into the defining cubic equation results in the following identity:

$$y_1^2 · 0 = x_1^3 + a · x_1 · 0^2 + b · 0^3 ⇔ 0 = x_1^3.$$

This implies $X = 0$, and shows that the only projective point at infinity that is also a point on a projective Short Weierstrass curve is the class $[0, 1, 0] = \{(0, y, 0) | y ∈ F\}$. The point $[0 : 1 : 0]$ is the projective representation of the point at infinity $O$ in the affine representation. The projective representation of a Short Weierstrass curve, therefore, has the advantage that it does not need a special symbol to represent the point at infinity from the affine definition.

Coordinate Transformations

From a mathematical point of view, projective and affine Short Weierstrass curves describe the same thing, as there is a one-to-one correspondence (an isomorphism) between both representations for any parameters $a$ and $b$.

Let $E(F)$ and $E(FP^2)$ be an affine and a projective Short Weierstrass curve defined for the same parameters $a$ and $b$. Then, the function that maps points from the affine representation to points from the projective representation of a Short Weierstrass curve is defined as follows:

$$I : E(F) → E(FP^2) : \begin{cases} (x, y) \to [x : y : 1] \\ O \to [0 : 1 : 0] \end{cases}.$$

This map is a $1 : 1$ correspondence, which means that it maps exactly one point from the affine representation onto one point from the projective representation. It is therefore possible to invert this map in order to map points from the projective representation to points from the affine representation of a Short Weierstrass curve. The inverse is given by the following map:

$$I^{−1} : E(FP^2) → E(F) : \begin{cases} [X : Y : Z] \to (X/Z, Y/Z) \text{ if }Z \neq 0 \\ O \text{ if }Z = 0 \end{cases}.$$

A key feature of $I$ and its inverse is that both maps respect the group structure, which means that the neutral element is mapped to the neutral element $I(O) = [0 : 1 : 0]$, and that $I((x_1, y_1) ⊕ (x_2, y_2))$ is equal to $I(x_1, y_1) ⊕ I(x_2, y_2)$. The same holds true for the inverse map $I^{−1}$. Maps with these properties are called group isomorphisms, and, from a mathematical point of view, the existence of function $I$ implies that the affine and the projective definition of Short Weierstrass elliptic curves are equivalent, and represent the same mathematical thing in just two different views. Implementations can therefore choose freely between these two representations.

The description above is the one type of projective representations called homogeneous projective coordinates. There are also other types of projective representations:

• Jacobian coordinates: $(X/Z^2,Y/Z^3)=\text{Affine}((X, Y, Z))$

• XYZZ coordinates

References:

• https://www.notion.so/Known-Optimizations-for-MSM-13042f29196544938d98e83a19934305#3cdc57c695924ec5a48f958280bfd741