Application of Mordell–Weil lattices with large kissing numbers to acceleration of multiscalar multiplication on elliptic curves

Dmitrii Koshelev

doi:10.1515/jmc-2024-0034

Article Open Access

Application of Mordell–Weil lattices with large kissing numbers to acceleration of multiscalar multiplication on elliptic curves

Dmitrii Koshelev

Published/Copyright: April 14, 2025

Published by

Become an author with De Gruyter Brill

Submit Manuscript Author Information

From the journal Journal of Mathematical Cryptology Volume 19 Issue 1

Abstract

This article aims to speed up (the precomputation stage of) multiscalar multiplication (MSM) on ordinary elliptic curves of j-invariant 0 with respect to specific “independent” (also known as “basis”) points. For this purpose, the so-called Mordell–Weil lattices (up to rank 8) with large kissing numbers (up to 240) are employed. In a nutshell, the new approach consists in obtaining more efficiently a considerable number (up to 240) of certain elementary linear combinations of the “independent” points. By scaling the point (re)generation process, it is thus possible to obtain a significant performance gain. As usual, the resulting curve points can be then regularly used in the main stage of an MSM algorithm to avoid repeating computations. Seemingly, this is the first usage of lattices with large kissing numbers in cryptography, while such lattices have already found numerous applications in other mathematical domains. Without exaggeration, MSM is a widespread primitive (often the unique bottleneck) in modern protocols of real-world elliptic curve cryptography. Moreover, the new (re)generation technique is prone to further improvements by considering Mordell–Weil lattices with even greater kissing numbers.

Keywords: elliptic curves of j-invariant 0; kissing number; minimal points; Mordell–Weil lattices; multiscalar multiplication

MSC 2010: 14D10; 14G50; 14H52; 14J27; 14Q20; 94A60

1 Introduction

It is not a secret that elliptic curves E over finite fields F q of huge characteristics p are actively used in discrete logarithm cryptography. Multiscalar multiplication (MSM) in the F q -point group E ( F q ) is widely recognized as a very slow operation. To be more precise, it is about computing the sum ∑ i = 1 N n i P i for given “basis” points P i ∈ E ( F q ) and integers n i ∈ Z . At the same time, MSM is actually a ubiquitous primitive in advanced protocols of elliptic curve cryptography. Therefore, there is a vital need among implementers to speed it up.

As a confirmation of these words, one can mention the relatively recent ZPRIZE 2022 competition [1] (see also ZPRIZE 2023 [2]). Among its objectives was accelerating MSM on certain elliptic F q -curves E b : y 2 = x 3 + b (of j -invariant 0). The money rewards of this competition were quite tempting (the total prize was $4,415,000), which indicates the importance of the topic. As is well known, j = 0 curves are the most attractive in pairing-based cryptography. Furthermore, they enjoy the most efficient group operation (at least among prime-order curves). That is why curves E b are a popular choice for implementation of discrete logarithm-based protocols, even if they do not deal with pairings.

There are numerous algorithms of MSM (see [3–5] and the references therein). All of them in one way or another are reduced to precomputing auxiliary points of the form P v ≔ ∑ i = 1 N v i P i with various integer vectors v = ( v i ) i = 1 N . The points P v are then utilized (depending on the concrete n i ) in the main part of an MSM algorithm, allowing to avoid a lot of repeating elliptic curve additions. By the way, P i = P e i , where e i = ( 0 , … , 0 , 1 , 0 , … , 0 ) are the standard basis vectors of the lattice Z N .

In fact, the points P v become less useful whenever the vectors v are long with respect to a certain norm on Z N . In this situation, P v seem to be too redundant points in the sense that we cannot often apply them during MSM. The author decided to work with the 1-norm ∣ v ∣ 1 = ∑ i = 1 N ∣ v i ∣ to stay with small naturals. Besides, it is the most suitable to reflect the “complexity” of the points P v . Indeed, if ∣ v i ∣ ⩽ 2 and more frequently ∣ v i ∣ ⩽ 1 (as it turns out in this paper), then the 1-norm almost coincides with the minimal number of additions on E necessary for computing P v given v i and P i . Thus, it is sufficient to focus on vectors v ∈ Z N that lie in the ball of some small radius R ∈ N , i.e., ∣ v ∣ 1 ⩽ R . In particular, they have to possess maximum R nonzero coordinates.

For elliptic curves having an F q -endomorphism τ of degree close to 1, the famous GLV (Gallant–Lambert–Vanstone) decomposition can be applied in addition to accelerate MSM even more. As a consequence, MSM algorithms exploiting GLV are based rather on the auxiliary points

P ( v , u ) ≔ P v + τ ( P u ) = ∑ i = 1 N v i P i + u i τ ( P i )

with coefficients u i ∈ Z that equally constitute the short vector u ≔ ( u i ) i = 1 N . By abuse of notation, instead of P ( v , u ) , let’s write just P v with v ∈ Z 2 N such that v N + i = u i .

Of course, having a huge amount of available memory or a wide communication channel, the desired points P v can be found once and for all to regularly restore them from the given memory or channel. However, this solution is vulnerable to the constant danger that a malicious entity will perform a fault attack, somehow replacing one or several points in such a way that this breaks a cryptosystem. On the other hand, it is much easier to protect only basic information storing in a small piece of memory (or establish it over a reliable, but slow channel) from which every point P v can be safely (re)generated. It is clear that the described strategy, applied directly to the points, is too expensive in any sense of the word.

The recent works [6,7] are devoted to the problem of generating efficiently the “basis” points P i . In these works, it is suggested to express N = ( N div n ) n + ( N mod n ) for a little n ∈ N . Besides, we are given n linearly independent points P i ( t ) from the Mordell–Weil (MW) group ℰ ( F ) of a certain nontrivial twist ℰ of E over the function field F ≔ F q ( t ) . In the literature, ℰ is often called isotrivial elliptic surface. Then, n “basis” points can be obtained at once as the specialization of P i ( t ) at an element t ∈ F q . Transparently changing t ∈ F q , nothing prevents us from applying the same procedure N div n (plus one if n ∤ N ) times to obtain N points. In fact, ℰ ( F ) has the structure of a Euclidean lattice modulo the torsion subgroup ℰ ( F ) t o r . The corresponding (positive definite) quadratic form h ^ : ℰ ( F ) → Q ⩾ 0 is said to be canonical height. However, this lattice structure previously played only a minor role in the cryptographic context under consideration.

The present work extends the aforementioned generation method to a considerable proportion of the points P v , not exclusively P i . It is proposed to pick MW lattices (of rank r ) with large kissing (also known as Newton) number k . By definition, it is the number of the shortest (i.e., minimal) nonzero lattice points. The norm of the F -point P v ( t ) ≔ ∑ i = 1 r v i P i ( t ) , where v = ( v i ) i = 1 r ∈ Z r , is an indicator of how quickly P v ( t ) can be evaluated at elements of F q . Indeed, the degrees of the point coordinates are proportional to the norm. And the more minimal points we have, the greater performance gain takes place. That is why we are interested in large k with respect to r , that is, in maximizing the quantity δ ≔ log 2 ( k ) ⁄ r . It can be seen that the generation of P i from [6,7] corresponds to the case when ℰ ( F ) is realized as the trivial lattice Z r , because e i are its unique minimal vectors up to sign.

The task of constructing arbitrary lattices having large kissing numbers is one of the most classical tasks in mathematics. It has been carefully studied for several centuries. Established lower and upper bounds on k in the first dimensions can be found in any lattice database like [8,9]. In turn, asymptotic results as r → ∞ are well surveyed in [10,11]. In these articles, Vlăduţ constructs a k-asymptotically good family of lattices for which the kissing number grows exponentially, that is, lim sup r → ∞ δ > 0 . Unfortunately, this inequality probably does not hold for families of MW lattices, making them always k-asymptotically bad.

The last drawback is slightly mitigated for supersingular elliptic surfaces ℰ , because for them, δ decreases more slowly. In a series of articles [12–14], Elkies thoroughly studies MW lattices of such surfaces in characteristic 2. For moderate ranks, he (re)discovers lattices with the greatest known kissing numbers. Among the obtained lattices, there is in particular the 24-dimensional Leech lattice Λ 24 whose k = 196,560 , the optimal kissing number for r = 24 . Regarding an odd characteristic p , it is worth mentioning Shioda’s remarkable article [15] about certain supersingular surfaces ℰ p + 1 of j -invariant 0. Their MW lattices have the nonconstant parameters r = Θ ( p ) and k = Ω ( p 2 ) . Therefore, for p of a cryptographic size, k is an order of magnitude greater than r . However, we cannot employ the given results in discrete logarithm cryptography, because supersingular elliptic curves E are known to be weaker than ordinary ones, especially for little p .

Fortunately, at least for even ranks r ⩽ 8 , it is still possible to achieve the optimal kissing numbers through the MW lattices of ordinary elliptic surfaces, although we are forced to restrict ourselves to j = 0 . By the way, in the extreme case r = 8 , the largest k = 240 . It is about the classical root lattice E 8 , which is wonderful (in many senses) to the same extent as Λ 24 . For other constant ordinary j -invariants, the author does not find in the literature examples of elliptic surfaces whose MW lattices enjoy quite large kissing numbers, not to mention the optimal ones. The situation when k is not substantially greater than r does not merit separate attention. As a consequence, we do not lose much, dealing hereafter only with curves E b .

2 Preliminaries

We will freely use the basic notions and facts on MW lattices recalled in the previous studies [6,7], because it is assumed that the reader is aware of those articles, especially of the second. In turn, abstract lattices have already become paramount objects of (postquantum) cryptography, so they do not need any special introduction. Nonetheless, there may be some aspects of lattice theory that are not in widespread use by the cryptography society. If necessary, such knowledge gaps can be filled with the help of the manual book [16].

The notation k ( r ) will stand for the maximal kissing number among all (not necessarily MW) lattices of rank r . For convenience, Table 1 exhibits lower and upper bounds on k ( r ) for the first four even values r . Odd ranks are out of our interest, because MW ranks of isotrivial elliptic surfaces over finite fields are always even.

Table 1

Bounds on the optimal kissing numbers in small even dimensions

For the sake of simplicity, elliptic F q -curves y 2 = x 3 + b (of j -invariant 0) will be referred to just as E , i.e., without the index b . For the role of τ in the GLV decomposition on such curves, one usually chooses the order 3 automorphism [ ω ] ( x , y ) = ( ω x , y ) , where ω 2 + ω + 1 = 0 . Recall that ω ∈ F p whenever 0 is an ordinary j -invariant as in the article context.

As well as in [7, Sections 4, 5], we will work exclusively with the (rational) elliptic surfaces

ℰ m : y 2 = x 3 + t m + c ,

where 2 ⩽ m ⩽ 6 and c ∈ F q * is a certain constant depending on m . We will suppose everywhere without reminders that m ∣ q − 1 . This condition guarantees that F q is the splitting field of ℰ m , i.e., ℰ m ( F ) = ℰ m ( F q ¯ ( t ) ) , where F q ¯ is the algebraic closure of F q . In principle, it is possible to consider alternative j = 0 elliptic surfaces. Attractive candidates are briefly discussed in Section 5.2. They will be perhaps considered during further research, but the surfaces ℰ m are quite enough to demonstrate the article idea.

It is convenient that ℰ m ( F ) does not contain nonzero torsion points, that is, ℰ m ( F ) ≃ Z r as a group. We will refer to ℰ m ( F ) by means of L m if it is necessary to stress the lattice structure. The fact is that L m is never the trivial lattice Z r . As is conventional in lattice theory, the minimal norm of L m is denoted by λ 1 ∈ Q > 0 . As it turns out, each minimal point P ∈ L m (i.e., such that h ^ ( P ) = λ 1 ) is integral, i.e., P = ( x ( t ) , y ( t ) ) is a pair of polynomial coordinates, not just rational ones. Some useful information on the lattices L m is collected in Table 2 (cf. [7, Table 1]). Be careful, the symbol ≃ here stands for the congruence (also known as isometry) relation rather than the equivalence one as in the study by Conway and Sloane [16].

Table 2

Some parameters of the MW lattices L m = ℰ m ( F )

Note that A 2 * ≃ L 2 and D 4 * ≃ L 3 (along with their root sublattices A 2 , D 4 ) possess the maximal kissing numbers in their dimensions. The situation is different for the case m = 4 , because the value k of the lattice E 6 * ≃ L 4 (in contrast to E 6 ) is not maximal for r = 6 . That is why the sublattice E 6 is represented in a separate row of the table. Of course, we can likewise realize A 2 , D 4 as sublattices of L 2 , L 3 , respectively. However, the minimal norm of the former is slightly greater (namely, λ 1 = 2 ), which negatively influences the coordinate degrees of minimal points. Unlike E 6 , the lattices A 2 , D 4 thus do not provide any advantage in our context. Finally, E 8 ≃ L 5 ≃ L 6 is simply a self-dual (also known as unimodular) lattice.

As is well known, the automorphism group of both E , ℰ m is generated by the order 6 automorphism [ − ω ] = − [ ω ] of the form [ − ω ] ( x , y ) = ( ω x , − y ) . Given a point P on E or ℰ m , we lack the notation P ¯ ≔ { [ − ω ] i P } i = 0 5 for the orbit of P with respect to [ − ω ] . It is straightforward that the norm of P ∈ ℰ m ( F ) is invariant under [ − ω ] . Therefore, the automorphisms also act on the set of minimal points. This action is free, since the nonzero fixed points of [ − ω ] i (for which x y = 0 ) are obviously outside ℰ m ( F ) regardless of i ∈ Z ⁄ 6 and m . Thereby, # P ¯ = 6 unless P is the infinity point (0:1:0). In particular, always 6 ∣ k .

Like in [7, Section 5], everywhere in this article, a basis of ℰ m ( F ) will be taken in the form P 1 , … , P r ⁄ 2 , [ ω ] P 1 , … , [ ω ] P r ⁄ 2 and, moreover, all its points will be minimal. After identifying ℰ m ( F ) ≃ Z r with respect to such a basis, we obtain the following action of [ − ω ] induced on Z r :

[ − ω ] ( v 1 , … , v r ) = ( v r ⁄ 2 + 1 , … , v r , v r ⁄ 2 + 1 − v 1 , … , v r − v r ⁄ 2 ) .

Here, the equality ω 2 = − ω − 1 is utilized. Similarly, denote by v ¯ the orbit of v ∈ Z r under the given action. Evidently, for the point

P v ≔ ∑ i = 1 r ⁄ 2 v i P i + v r ⁄ 2 + i [ ω ] P i ,

its orbit P v ¯ = { P u } u ∈ v ¯ .

The coordinates x , y of the six orbit representatives P u coincide up to multiplication by ω , − 1 , respectively. Consequently, for computing all the points P u ∈ P v ¯ , it is essentially sufficient to determine only one of them. To simplify this process as much as possible, it is necessary to define the “lightest” point P u in a sense. One of the reasonable ways (adopted in the next section) is to take a vector u ∈ v ¯ with the smallest 1-norm ∣ u ∣ 1 = ∑ i = 1 r ∣ u i ∣ . We will equally call this number the 1-norm of P u , which has nothing to do with the other norm h ^ ( P u ) . As an example, the basis points P i , [ ω ] P i are actually the “lightest”, because they (along with their inverse ones) are of 1-norm 1.

3 Minimal points of the lattices L m

This section is heavily based on [7, Section 5]. From there, we will borrow the concrete bases P i , [ ω ] P i depending on m . Be careful, the below points P r ⁄ 2 + i are different from [ ω ] P i in contrast to that article. We will tacitly resort to the computer algebra system Magma. The corresponding code is loaded on the web page [17]. We will consider step by step the remaining minimal points P i ∈ L m , where r ⁄ 2 < i ⩽ k ⁄ 6 . For compactness, their explicit formulas are omitted in the text (except for the degenerate case m = 2 ), but they are momentarily obtained by launching the Magma code.

3.1 The case m = 2

Without loss of generality, one can choose the coefficient c = 1 . Then, the point P 1 ≔ ( − 1 , t ) generates ℰ 2 ( F ) over the ring Z [ ω ] . Furthermore, the set of all minimal points is nothing but the orbit of P 1 , since k = 6 for the lattice L 2 .

3.2 The case m = 3

In addition to the basis points P 1 , P 2 from [7, Section 5.2], orbit representatives among the remaining minimal points in the lattice L 3 are the points

P 3 ≔ [ ω ] P 2 ( ω t ) = [ ω ] P 1 + P 2 , P 4 ≔ P 2 ( ω 2 t ) = [ ω ] P 2 − P 1

of the smallest 1-norm 2.

3.3 The case m = 4

3.3.1 The subcase E 6 * ≃ L 4

In addition to the basis points P 1 , P 2 , P 3 from [7, Section 5.3], orbit representatives (of the smallest 1-norm) among the remaining minimal points in the lattice L 4 are

Points of 1-norm 2:

P 4 ≔ P 1 + P 2 , P 5 ≔ P 1 + P 3 , P 6 ≔ [ ω ] P 2 + P 3 ;

Points of 1-norm 3:

P 7 ≔ P 1 + P 2 − [ ω ] P 3 , P 8 ≔ [ ω ] P 1 − P 2 + [ ω ] P 3 ;

Points of 1-norm 4:

P 9 ≔ [ 1 + ω ] P 1 + [ ω ] P 2 + P 3 .

Moreover, the points of 1-norm n ⩾ 3 are expressed via the points of 1-norm < n as follows:

P 7 = P 4 − [ ω ] P 3 , P 8 = [ ω ] P 5 − P 2 , P 9 = [ ω ] P 4 + P 5 .

3.3.2 The subcase E 6 ↪ L 4

The lattice L 4 contains the sublattice L 4 ′ generated over Z [ ω ] by the points

P 1 ′ ≔ P 1 − [ ω ] P 2 , P 2 ′ ≔ P 1 − [ ω ] P 3 , P 3 ′ ≔ P 2 − [ ω ] P 3 .

The Gram matrix of h ^ with respect to the order P 1 ′ , P 2 ′ , P 3 ′ , [ ω ] P 1 ′ , [ ω ] P 2 ′ , [ ω ] P 3 ′ has the following form:

2 1 0 − 1 0 − 1 1 2 0 − 1 − 1 − 1 0 0 2 1 1 − 1 − 1 − 1 1 2 1 0 0 − 1 1 1 2 0 − 1 − 1 − 1 0 0 2 .

Its determinant and minimal norm are equal to Δ = 3 and λ 1 = 2 , respectively. Recall that δ = λ 1 r ⁄ 2 ⁄ ( 2 r Δ ) is the center density [16, Section 1.1] of an arbitrary r -dimensional lattice. Therefore, the center density of our lattice L 4 ′ is equal to δ = 1 ⁄ ( 8 3 ) as well as for E 6 . At the same time, as stated in [16, Section 4.8.3], there is the unique (up to an isometry) lattice of rank 6 with the given value δ . Consequently, L 4 ′ ≃ E 6 as we wanted.

In addition to the basis points P 1 ′ , P 2 ′ , P 3 ′ , orbit representatives (of the smallest 1-norm) among the remaining minimal points in the lattice L 4 ′ are

Points of 1-norm 2:

P 4 ′ ≔ P 1 ′ − P 2 ′ , P 5 ′ ≔ [ ω ] P 1 ′ − P 3 ′ , P 6 ′ ≔ [ ω ] P 2 ′ − P 3 ′ , P 7 ′ ≔ [ ω ] P 1 ′ + P 2 ′ , P 8 ′ ≔ P 1 ′ + [ ω ] P 3 ′ , P 9 ′ ≔ P 2 ′ + [ ω ] P 3 ′ ;

Points of 1-norm 3 :

P 10 ′ ≔ [ ω ] P 1 ′ + P 2 ′ − P 3 ′ , P 11 ′ ≔ [ ω ] P 1 ′ + P 2 ′ + [ ω ] P 3 ′ ;

Points of 1-norm 4 :

P 12 ′ ≔ [ 1 + ω ] P 1 ′ + P 2 ′ + [ ω ] P 3 ′ .

Moreover, the points of 1-norm n ⩾ 3 are expressed via the points of 1-norm < n as follows:

P 10 ′ = P 7 ′ − P 3 ′ , P 11 ′ = [ ω ] P 3 ′ + P 7 ′ , P 12 ′ = P 1 ′ + P 11 ′ .

3.4 The case m = 5

In addition to the basis points P 1 , P 2 , P 3 , P 4 from [7, Section 5.4], orbit representatives (of the smallest 1-norm) among the remaining minimal points in the lattice L 5 are

Points of 1-norm 2 :

P 5 ≔ P 1 + P 2 , P 6 ≔ P 2 + P 3 , P 7 ≔ P 3 + P 4 , P 8 ≔ P 1 − [ ω ] P 2 , P 9 ≔ P 2 − [ ω ] P 3 , P 10 ≔ P 3 − [ ω ] P 4 ;

Points of 1-norm 3 :

P 11 ≔ P 1 + P 2 + P 3 , P 12 ≔ P 2 + P 3 + P 4 , P 13 ≔ P 1 + P 2 − [ ω ] P 3 , P 14 ≔ P 2 + P 3 − [ ω ] P 4 , P 15 ≔ P 1 − [ ω ] P 2 − [ ω ] P 3 , P 16 ≔ P 2 − [ ω ] P 3 − [ ω ] P 4 ;

Points of 1-norm 4 :

P 17 ≔ P 1 + P 2 + P 3 + P 4 , P 18 ≔ P 1 + P 2 + P 3 − [ ω ] P 4 , P 19 ≔ P 1 + P 2 − [ ω ] P 3 − [ ω ] P 4 , P 20 ≔ P 1 − [ ω ] P 2 − [ ω ] P 3 − [ ω ] P 4 , P 21 ≔ P 1 + [ 1 − ω ] P 2 − [ ω ] P 3 , P 22 ≔ [ ω ] P 1 + [ 1 + ω ] P 2 + P 3 , P 23 ≔ P 2 + [ 1 − ω ] P 3 − [ ω ] P 4 , P 24 ≔ [ ω ] P 2 + [ 1 + ω ] P 3 + P 4 ;

Points of 1-norm 5 :

P 25 ≔ P 1 + P 2 + [ 1 − ω ] P 3 − [ ω ] P 4 , P 26 ≔ P 1 − [ ω ] P 2 − [ 1 + ω ] P 3 − P 4 , P 27 ≔ P 1 + [ 1 − ω ] P 2 − [ ω ] P 3 − [ ω ] P 4 , P 28 ≔ [ 1 + ω ] P 1 + P 2 + P 3 − [ ω ] P 4 , P 29 ≔ [ ω ] P 1 + [ 1 + ω ] P 2 + P 3 + P 4 , P 30 ≔ [ ω ] P 1 + [ ω ] P 2 + [ 1 + ω ] P 3 + P 4 ;

Points of 1-norm 6 :

P 31 ≔ P 1 + [ 2 ] P 2 + [ 1 − ω ] P 3 − [ ω ] P 4 , P 32 ≔ P 1 + [ 1 − ω ] P 2 − [ 2 ω ] P 3 − [ ω ] P 4 , P 33 ≔ P 1 + [ 1 − ω ] P 2 + [ 1 − ω ] P 3 − [ ω ] P 4 , P 34 ≔ P 1 + [ 1 − ω ] P 2 − [ ω ] P 3 − [ 1 + ω ] P 4 , P 35 ≔ [ 1 + ω ] P 1 + P 2 + [ 1 − ω ] P 3 − [ ω ] P 4 ;

Points of 1-norm 7 :

P 36 ≔ P 1 + [ 1 − ω ] P 2 − [ 2 ω ] P 3 − [ 1 + ω ] P 4 , P 37 ≔ [ 1 + ω ] P 1 + [ 2 ] P 2 + [ 1 − ω ] P 3 − [ ω ] P 4 ;

Points of 1-norm 8 :

P 38 ≔ P 1 + [ 1 − ω ] P 2 − [ 2 ω ] P 3 − [ 1 + 2 ω ] P 4 , P 39 ≔ [ ω ] P 1 + [ 1 + 2 ω ] P 2 + [ 2 + ω ] P 3 + P 4 , P 40 ≔ [ 2 + ω ] P 1 + [ 2 ] P 2 + [ 1 − ω ] P 3 − [ ω ] P 4 .

Moreover, the points of 1-norm n ⩾ 3 are expressed via the points of 1-norm < n as follows:

Points of 1-norm 3 :

P 11 = P 3 + P 5 , P 12 = P 4 + P 6 , P 13 = P 1 + P 9 , P 14 = P 2 + P 10 , P 15 = P 8 − [ ω ] P 3 , P 16 = P 9 − [ ω ] P 4 ;

Points of 1-norm 4 :

P 17 = P 5 + P 7 , P 18 = P 5 + P 10 , P 19 = P 1 + P 16 , P 20 = P 15 − [ ω ] P 4 , P 21 = P 2 + P 15 , P 22 = [ ω ] P 5 + P 6 , P 23 = P 3 + P 16 , P 24 = [ ω ] P 6 + P 7 ;

Points of 1-norm 5 :

P 25 = P 3 + P 19 , P 26 = P 15 − P 7 , P 27 = P 2 + P 20 , P 28 = [ ω ] P 1 + P 18 , P 29 = P 4 + P 22 , P 30 = P 7 + [ ω ] P 11 ;

Points of 1-norm 6 :

P 31 = P 11 + P 16 , P 32 = P 15 + P 16 , P 33 = P 11 − [ ω ] P 12 , P 34 = P 27 − P 4 , P 35 = P 28 − [ ω ] P 3 ;

Points of 1-norm 7 :

P 36 = P 34 − [ ω ] P 3 , P 37 = P 2 + P 35 ;

Points of 1-norm 8 :

P 38 = P 36 − [ ω ] P 4 , P 39 = [ ω ] P 9 + P 29 , P 40 = P 1 + P 37 .

3.5 The case m = 6

This case is similar to the previous one because of the isometry L 5 ≃ L 6 . Indeed, the aforementioned linear relations remain the same if a basis P i , [ ω ] P i of L 6 , where i ⩽ 4 , has the Gram matrix exactly as in [7, Section 5.4]. Clearly, this can be ensured with the help of an appropriate coordinate change. The main difference consists in other formulas of the minimal points P i , where i ⩽ 40 . In [7], formulas of the basis points P i are not derived when m = 6 , because in the context of that article (unlike the current one), the L 6 -based generation method is not faster than the L 3 -based one.

By our assumption, m ∣ q − 1 . The condition 5 ∣ q − 1 sometimes may not hold. In turn, 6 ∣ q − 1 or, equivalently, 3 ∣ q − 1 holds automatically for all ordinary curves of j -invariant 0. Therefore, it is actually useful to possess formulas for the points P i ∈ L 6 . Nevertheless, deriving such formulas is a much less ambitious task than the research project from Section 5.2 whose outcomes promise to substantially outperform the case under consideration. That is why the author decided not to dwell on it (at least now). Besides, as explained in the next section, the L 5 -based generation method (when applicable) is still a little bit more efficient on average than the L 6 -based one. Thus, the case m = 5 does not completely lose relevance at the moment.

Perhaps, explicit formulas of P i ∈ L 6 are not represented anywhere in the literature for the abstract coefficient c from the equation of ℰ 6 . The author succeeded to find only [18] handling the special case c = − 1 , although its reasoning is in parallel with [19] dealing with the general c when m ∈ { 4 , 5 } . Recall that the latter article underlies [7, Sections 5.3, 5.4]. Therefore, the former article appears to be generalized to the other values c ∈ F q * . In particular, for an appropriately chosen c , the splitting field of ℰ 6 probably can be reduced from F q ( 1 12 , 2 3 ) (when c = − 1 ) to the expected field F q ( 1 6 ) , that is, to F q in our setting.

4 Generating the minimal points

Assume that t ∈ F q is a known element such that the reduction (also known as specialization) ℰ m , t of the surface ℰ m at t is F q -isomorphic to the original curve E . As explained in [7, Section 3], we are able to obtain such an element as some m -th root t = ⋅ m when it is extracted over F q , that is, approximately with the probability 1 ⁄ m . The associated isomorphism has the following form:

φ t : ℰ m , t → E ( x , y ) ↦ ( c x x , c y y ) ,

where the coefficients c x , c y ∈ F q depend on t .

To this moment, we are given (formulas of) the minimal points P i ∈ L m from Section 3. All of the following is equally true in the case of the points P i ′ ∈ L 4 ′ . Therefore, this case will not be mentioned further to avoid repetitions. Throughout the section, we will assume that the “basis” points φ t ( P i ( t ) ) ∈ E ( F q ) , where i ⩽ r ⁄ 2 , have already been generated by [7, Algorithm 1] with respect to t ∈ F q . Our purpose is to generate as fast as possible the remaining “minimal” points φ t ( P i ( t ) ) , where i ⩽ k ⁄ 6 . By abuse of notation, we will refer to these points simply by P i as well as for the initial lattice points. Let’s suppose for simplicity that multiplications by ω , − 1 (apart from additions in F q ) are not taken into account in the below estimations of running time. Thereby, once a “minimal” point P i is determined, so is its full orbit P i ¯ of 6 conjugates.

A naive method of finding P i ∈ E ( F q ) consists in performing successive curve additions of the form P i = P i 1 + P i 2 (up to the automorphisms of E ) such that i 1 , i 2 , r ⁄ 2 < i . As shown in Section 3, such a minimal addition chain takes place regardless of m . Thus, the total number of additions on E is equal to A ≔ k ⁄ 6 − r ⁄ 2 . According to [20] and [21, Section 6.4.1], the general addition operation on an arbitrary curve E : y 2 = x 3 + b z 6 (in Jacobian coordinates) costs no less than 16 multiplications in F q . Sometimes, E can be transformed into other forms enjoying faster addition formulas. The most efficient among them is widely recognized to be the twisted Edwards form (in extended coordinates) on which + requires 10 multiplications. To sum up, the overall running time of the naive generation method lies between 10 A and 16 A field multiplications.

From the geometric point of view, the minimal points are no different from the basis ones. As a result, we have Algorithm 1 that generates all the “minimal” F q -points on E , supplementing [7, Algorithm 1] in a natural way. Formally speaking, the corresponding vectors v ∈ Z r (i.e., such that P i = P v ) have to be returned in the new algorithm in parallel with the points. Otherwise, the latter are useless for subsequent MSM algorithms. Note that reducing P i ( t ) amounts to two Horner’s schemes applied to the coordinate polynomials x = x ( P i ) and y = y ( P i ) . In turn, each application of φ t costs 2 multiplications in F q (by c x , c y ). As a consequence, to obtain one “minimal” point it is enough to perform M ≔ deg ( x ) + deg ( y ) + 2 field multiplications. Therefore, M A is the total number of multiplications in the new generation method.

Algorithm 1: New method of generating all the “minimal” points
Data: finite field F q of characteristic 7 or greater,
ordinary elliptic F q -curve E of j -invariant 0,
natural m such that 2 ⩽ m ⩽ 6 and m ∣ q − 1 ,
element t ∈ F q such that ℰ m , t ≃ F q E and the F q -isomorphism φ t : ℰ m , t → E ,
coordinate formulas for representatives P 1 , … , P k ⁄ 6 ∈ ℰ m ( F ) of the orbits of minimal points;
Result: k “minimal” points in E ( F q ) ;
begin
for i ≔ 1 to k ⁄ 6 do ∣ P i ≔ φ t ( P i ( t ) ) ; end return P 1 ¯ , … , P k ⁄ 6 ¯ .
end

We see that the new approach is faster than the naive one whenever the cost of one addition on E is greater than M . Interestingly, this is always the case, because M ⩽ 7 , that is, 10 − M ⩾ 3 and 16 − M ⩾ 9 . Table 3 demonstrates the exact numbers of multiplications (checked in Magma [17]) for all the cases 2 ⩽ m ⩽ 6 . As expected, the performance gain (namely, the last two columns) increases when m does. In particular, we do not obtain any benefit for m = 2 , and the best result occurs for m ∈ { 5 , 6 } . Curiously, there is one exception: the value ( 10 − M ) A is equal to 30 for the lattice L 4 , but 27 for its sublattice L 4 ′ . Nevertheless, the situation is opposite ( 66 < 81 ) if the curve E is in the short Weierstrass form.

Table 3

Comparison (in terms of the numbers of multiplications in F q ) of the naive and new methods of generating all the “minimal” F q -points on E

It is impossible not to mention that the entries of Table 3 should be slightly recalculated under a deeper complexity analysis. Indeed, there are several minor optimization possibilities not taken into account before, but explained in the next paragraphs. For simplicity, such a detailed analysis is omitted in the present paper, because it is more mathematical in nature than engineering. Undoubtedly, the table tendencies will remain after recalculation. In other words, supremacy of the new generation method over the naive one is beyond question. Ideally, the optimization tricks under consideration have to be used in the process of programming Algorithm 1 (or some of its versions) in one of low-level languages. Nonetheless, in view of Section 5.2, it is more logical at the beginning to conduct further research on the topic prior to proceeding with an optimized implementation.

First, the constant ω ∈ F p may be quite large (in absolute value) in contrast to − 1 . Hence, multiplication by ω may not be completely free. Second, formulas of the minimal points P i ∈ L m may sometimes have small or repeating coefficients, at least for different indices i . As a result, with the same input argument t ∈ F q , evaluating P i ( t ) together (i.e., for all i ⩽ k ⁄ 6 ) may cost considerably less than separately. On the contrary, repeating field multiplications are seemingly rare in the addition chains P i = P i 1 + P i 2 and the majority of these multiplications are general (i.e., not by a constant). The fact is that addition chains are inherently computed successively (not in parallel as P i ( t ) ), and hence, there is limited room for their optimization.

The operation + on E does not keep affine coordinates unless the inverse operation in F q * is used. Since the latter is recognized to be much more expensive than multiplication, + must return (weighted) projective coordinates. In particular, most instances of + in our addition chains are forced to receive such burdensome input coordinates. As an exception, the points P i of 1-norm 2 (unlike those of larger 1-norms) are the sums of two basis points, which are usually given on the affine plane. Therefore, the 1-norm 2 points require fewer multiplications than 10 and 16, respectively. However, the proportion of these points decreases with the growth of m . For the cases m ∈ { 5 , 6 } the most interesting for us, there are solely 6 such points among 36 nonbasis minimal points. By the way, all the minimal points P i ∈ L m are integral, hence reducing them always avoids inverting in F q * . This circumstance no doubt leads to a slight acceleration of MSM algorithms based on P i .

It has not yet been clearly justified for which value m the L m -based generation method (let’s denote it by M m ) is the best. So far, we have just made sure that this method is better than the naive one with the same m . Evidently, the smaller the given parameter, the more efficient Algorithm 1, but at the price of fewer returned points. It is important to remember that this algorithm is always preceded by much slower [7, Algorithm 1]. Recall that its complexity on average amounts to m ( ⋅ q ) m + ⋅ m (apart from several more multiplications), where ( ⋅ q ) m is the m -th power residue symbol and ⋅ m is the m -th root in the field F q .

Specialists know (see [22, Sections 1, 2] and the references therein) that the symbol ( ⋅ q ) m can be determined (at least for m ⩽ 6 ) by means of Euclidean-type algorithms. With proper implementation, their execution times are close to that of several dozen multiplications. Thus, extracting ⋅ m is an order of magnitude more laborious operation (even for m = 2 ) than the others in F q that we encountered. Concrete complexity estimates heavily depend on m and q . At best, ⋅ m is expressed via one exponentiation in F q , which costs no less than ℓ ≔ ⌈ log 2 ( q ) ⌉ field multiplications. As an example, for the conventional 128-bit security level, ℓ ≳ 256 , and this lower bound on ℓ is known to be even higher for pairing-friendly curves E .

Let’s compare, e.g., the methods M 5 , M 6 with the degenerate one M 2 . The following reasoning is mutatis mutandis transformed for the cases m ∈ { 3 , 4 } . The methods M 5 , M 6 both give k ⁄ 6 = 40 points in E ( F q ) at the cost of one radical, of ≈ 5 , 6 residue symbols, respectively, and of ≈ 250 multiplications according to Table 3. In turn, M 2 generates only one “basis” point (apart from its conjugates by [ − ω ] ) after computing ≈ 2 Legendre symbols and one square root (and a few auxiliary multiplications). Therefore, the latter needs to be launched 40 times (with different elements t ∈ F q ) to obtain the identical number of points. At least when ⋅ , ⋅ 5 , ⋅ 6 are all represented by exponentiations in F q , the 40-time method M 2 is without doubt substantially slower than the one-time M 5 , M 6 .

Besides, M 2 does not return “dependent” points unlike M 5 , M 6 . This means that the total number of F q -points on E generated by the multiple method M 2 is still smaller. As given in Section 1, let N stand for the number of all “basis” points, which must be generated in any case. We see that M 2 generates exactly N (“basis”) points with the same number of launches against 40 N ⁄ 4 = 10 N points returned by M 5 , M 6 after N ⁄ 4 launches, where 4 ∣ N for simplicity. Of course, a concrete MSM algorithm may not need certain “dependent” points (e.g., those of higher 1-norms), hence for it, the efficiency of M 5 , M 6 may be too exaggerated. Nevertheless, in general (i.e., abstracting from MSM algorithms), the methods M 5 , M 6 are justified to be the best among all the state-of-the-art generation methods. This is also consistent with the conclusions of [7, Section 4], where “basis” points are the only resulting ones.

Finally, it remains to choose the winner between M 5 and M 6 . As already said in Section 3.5, the first method (unlike the second) suffers from an applicability restriction (of the form 5 ∣ q − 1 ). However, if both methods are available, then M 5 is a little more preferable than M 6 , because on average, the first has one residue symbol less than the second. Certainly, we are under the pretty natural heuristic assumption that ( ⋅ q ) 5 (resp., ⋅ 5 ) is implemented not slower than ( ⋅ q ) 6 (resp., ⋅ 6 ).

5 Final remarks

5.1 Hybrid point generation

Special attention should be paid to the generation technique combined from the minimal points P i ∈ L 4 and P i ′ ∈ L 4 ′ simultaneously, that is, with one element t ∈ F q such that ℰ 4 , t ≃ F q E . This technique allows to obtain at once more F q -points on E . A minor comment is that P 1 ′ , P 2 ′ , P 3 ′ are no longer considered as basis points, but as points of 1-norm 2 with respect to P 1 , P 2 , P 3 and their counterparts [ ω ] P i . Therefore, none of the induced points P i ′ ∈ E ( F q ) are given in advance, and hence, they all need to be computed. It is also worth bearing in mind that the 1-norm becomes greater for all the points P i ′ .

We lack the notion of the so-called everywhere integral points (in the sense of Shioda [23–25]) in the MW lattice of an elliptic F q -surface ℰ . By one definition, these are integral points P = ( x , y ) ∈ ℰ ( F ) for which h ^ ( P ) ⩽ 2 χ or, equivalently, deg ( x ) ⩽ 2 χ and deg ( y ) ⩽ 3 χ , where χ ∈ N is the arithmetic genus of ℰ . No worries, χ is nothing but 1 whenever ℰ is a rational surface, which is the case for ℰ m with m ⩽ 6 . Be careful, in some sources (but not here), such points are called just integral, while arbitrary points with polynomial coordinates x , y are called ∞ -integral or F q [ t ] -integral. For convenience, let e be the (finite) number of all everywhere integral points in ℰ ( F ) .

Note that L 4 ′ is an instance of what is known as the narrow MW lattice L m ′ ≔ ℰ m ( F ) ∘ whose definition is given in [15, Section 2]. By virtue of [15, Remark 3.5], the lattices L m ′ are root ones we have previously encountered (not only for m = 4 ). It turns out (cf. [25, Section 3.1]) that the minimal points of L m and those of L m ′ (also known as roots) together constitute the set of all everywhere integral points in ℰ m ( F ) . For m ∈ { 2 , 3 } , the number e = 2 k ∈ { 12 , 48 } , since the kissing numbers of A 2 , A 2 * coincide, and this is equally true for D 4 , D 4 * . Finally, E 8 = E 8 * , which implies the equality e = k ( = 240 ) in the last cases m ∈ { 5 , 6 } . For clarity, these facts are translated into Table 4 supplementing Table 2. Among other things, the column “ind” contains the indices [ L m : L m ′ ] .

Table 4

Some parameters of the narrow sublattices L m ′ ⊂ L m

The aforementioned hybrid generation is naturally generalized to the other cases m ≠ 4 by exploiting likewise all everywhere integral points in ℰ m ( F ) . However, the maximal number e = 240 occurs for m ∈ { 5 , 6 } , and hence, the original methods M 5 , M 6 remain the best. Moreover, there is the fact [24, Theorem 2.1] that none of rational elliptic surfaces ℰ enjoys e > 240 . Certainly, nothing prevents us from using other points from ℰ ( F ) . Nevertheless, it is desirable to keep the integrality property to be able to return affine points in E ( F q ) without inverting in F q * . Extra integral points in ℰ m ( F ) (of canonical height > 2 ) are succinctly surveyed in [26, Section 8]. There are only an insignificant number of such “sporadic” points, not to mention that deg ( x ) > 2 or deg ( y ) > 3 for them. Therefore, it is not expected that the efficiency of the generation process including these points is so impressive to dwell on it.

5.2 MW lattices of higher kissing numbers

This section briefly outlines a promising research direction on the topic. It is reasonable to wonder about extending the article idea to MW lattices (of isotrivial ordinary elliptic surfaces) with kissing numbers k > 240 . Intuitively, they should provide a more impressive performance gain during point generation than the lattices previously considered. As earlier, there is hope to identify desired lattices only for the j -invariant 0. Unfortunately, all rational elliptic surfaces necessarily have the MW ranks r ⩽ 8 (see [27]), which is somewhat demotivating in view of Table 1. Therefore, we are forced to resort to elliptic surfaces of greater arithmetic genus χ > 1 . The next case χ = 2 corresponds to the so-called K3 surfaces. Already in this case, the theory of MW lattices is significantly complicated.

In a series of works [28–31], Usui establishes the full classification (i.e., for all m ∈ N ) of the lattices L m over the algebraic closure F q ¯ . As explained in [7, Section 3], for each m ⩾ 6 , the cost of finding a necessary element t ∈ F q is permanent and amounts just to 6 ( ⋅ q ) 6 + ⋅ 6 . Thereby, the kissing number or rather δ ≔ k ⁄ r is actually the main indicator for running time of the L m -based generation methods. The minimal norm λ 1 (crucial for the speed of point reduction) also plays a role, but appears to be secondary as we will see in the next noteworthy examples ( λ 1 = 4 for all of them).

According to Usui [31, Main Theorem], solely the lattice L 12 merits attention, because it is easily seen that L 12 enjoys the largest value δ = 115.5 among all the lattices L m . More precisely, L 12 possesses the parameters r = 16 , λ 1 = 4 , and k = 1,848 . Although the last value is pretty small compared to 4,320 ⩽ k ( 16 ) ⩽ 7,320 , it is much greater than the kissing number 2 × 240 = 480 of the 16-dimensional direct squares L 5 2 , L 6 2 . The latter essentially underlie the methods M 5 , M 6 applied twice, that is, with two different seeds t ∈ F q .

Recall that at the moment the maximal (in characteristic 0) MW rank r = 68 , which is attained by the lattice L 360 . For it, λ 1 = 120 ≫ 4 and k = 2,472 , and hence, δ ≈ 36.353 ≪ 115.5 . The inequalities ≫ , ≪ confirm that L 360 (like the other lattices L m for m ≠ 12 ) loses to L 12 based on a combination of factors. This opinion is opposite to [7, Section 3], because for generating only “independent” points, the MW rank is the unique important indicator.

In addition to the surfaces ℰ m , the K3 ones

ℱ m : y 2 = x 3 + c 1 t m + c 1 ′ t m + c 0

deserve separate consideration, where similarly m ⩽ 6 and c 1 , c 1 ′ ≠ 0 . Over arbitrary fields (including F q ) the MW lattices Λ m of these surfaces are thoroughly studied in [32]. In particular, over F q ¯ , one can put c 1 = c 1 ′ = 1 without loss of generality. The coefficient c 0 conversely matters even over F q ¯ (unlike c in the equation of ℰ m ), and hence, it is more correct to indicate c 0 as follows: ℱ m ( c 0 ) , Λ m ( c 0 ) .

Obviously, if c 1 = 1 , c 1 ′ = c , then ℰ 12 ≃ F q ℱ 6 ( 0 ) , and hence, L 12 ≃ Λ 6 ( 0 ) . In turn, Λ 5 ( 0 ) has the even better parameters r = 16 , λ 1 = 4 , and k = 2,640 (i.e., δ = 165 ) by virtue of [31, Section 3]. The cases m ⩽ 4 are less remarkable, since the value δ of the lattice Λ m ( 0 ) diminishes by analogy with L m . Thus, the family ℱ m ( 0 ) remotely resembles ℰ m . Finally, little is known about Λ m ( 0 ) for m > 6 .

It must be understood that, generally speaking, minimal and everywhere integral points are not at all the same thing. In this connection, there is an independent task of maximizing the number e instead of k . As stated in [25, Section 4], the record is e = 5,820 , at least in 2010 when that article was published. This record is due to the MW lattice of the surface ℰ : y 2 = x 3 + t 5 − t − 5 − 11 from [33] isomorphic to ℱ 5 ( 11 − 1 ) as usual over F q ¯ . For this lattice, λ 1 = 4 , r = 18 , and so e ⁄ r = 323 . ( 3 ) ≫ 165 . By the way, 18 is the maximal possible MW rank for ordinary elliptic K3 surfaces [32, Section 8]. In the literature, such surfaces are said to be singular.

It should be stressed that the splitting field of ℰ is exactly F q ( 1 5 , 10 3 ) . Probably, there is not yet an article dedicated to the twists of the surface ℰ , in contrast to ℰ m , ℱ m ( 0 ) with m ⩽ 6 . This subject is important if we want to try to ease the restrictions on F q as much as possible. Currently, 1 5 , 10 3 ⊂ F q seem quite severe conditions to be able to use ℰ for generating F q -points on j = 0 elliptic curves. In other words, we are interested in coefficients c 0 , c 1 , c 1 ′ ∈ F q such that the surface ℱ 5 (with the given coefficients) is a twist of ℰ whose MW lattice is full already over F q under more mild conditions (e.g., without 10 3 ⊂ F q ).

Acknowledgements

The author expresses his gratitude to Antonio Sanso and Justin Drake from Ethereum Foundation for motivation (and help in searching for financial support) they provided to complete this article. Besides, the author was contacted by Victor Miller with appreciation for the previous work [6], which also encouraged to continue research in this direction.

Funding information: This paper is part of the project “Avances en criptografía post-cuántica aplicados al desarrollo de un sistema de cupones”, financed by “European Union NextGeneration–UE, the Recovery Plan, Transformation and Resilience, through INCIBE”. The paper is also part of the R&D+i project PID2021-124613OB-I00 funded by MICIU/AEI/10.13039/501100011033 and FEDER, EU. Besides, the author was supported by Ethereum Foundation through the grant FY23-1227 “Acceleration of multiscalar multiplication”.
Author contributions: The author confirms the sole responsibility for the conception of the study, presented results, and manuscript preparation.
Conflict of interest: The author states no conflict of interest.

References

[1] ZPRIZE 2022 competition. https://github.com/z-prize. Search in Google Scholar

[2] ZPRIZE 2023 competition. https://www.zprize.io. Search in Google Scholar

[3] Avanzi RM. The complexity of certain multi-exponentiation techniques in cryptography. J Cryptol. 2005;18:357–73. 10.1007/s00145-004-0229-5Search in Google Scholar

[4] Bernstein DJ. Pippenger’s exponentiation algorithm; 2002. https://cr.yp.to/papers/pippenger-20020118-retypeset20220327.pdf. Search in Google Scholar

[5] Botrel G, El Housni Y. Faster Montgomery multiplication and multi-scalar-multiplication for SNARKs. Trans Cryptographic Hardware Embedded Systems (TCHES). 2023;2023(3):504–21. 10.46586/tches.v2023.i3.504-521Search in Google Scholar

[6] Koshelev D. Generation of two “independent” points on an elliptic curve of j-invariant ≠0, 1728. 2023. https://eprint.iacr.org/2023/785. Search in Google Scholar

[7] Koshelev D. Generation of “independent” points on elliptic curves by means of Mordell-Weil lattices. Math Cryptol. 2024;4(1):11–22. https://journals.flvc.org/mathcryptology/article/view/132727Search in Google Scholar

[8] Cohn H. Kissing numbers. https://cohn.mit.edu/kissing-numbers.Search in Google Scholar

[9] Nebe G, Sloane N. LATTICES. https://www.math.rwth-aachen.de/homes/Gabriele.Nebe/LATTICES.Search in Google Scholar

[10] Vlăduţ S. Lattices with exponentially large kissing numbers. Moscow J Combinat Number Theory. 2019;8(2):163–77. 10.2140/moscow.2019.8.163Search in Google Scholar

[11] Vlăduţ S. Lattices with exponentially large kissing numbers do exist; 2024. https://arxiv.org/abs/2411.07371. Search in Google Scholar

[12] Elkies ND. Mordell-Weil lattices in characteristic 2, I: Construction and first properties. Int Math Res Notices. 1994;1994(8):343–61. 10.1155/S1073792894000395Search in Google Scholar

[13] Elkies ND. Mordell-Weil lattices in characteristic 2, II: The Leech lattice as a Mordell-Weil lattice. Invent Math. 1997;128(1):1–8. 10.1007/s002220050133Search in Google Scholar

[14] Elkies ND. Mordell-Weil lattices in characteristic 2, III: A Mordell-Weil lattice of rank 128. Experiment Math. 2001;10(3):467–73. 10.1080/10586458.2001.10504463Search in Google Scholar

[15] Shioda T. Mordell-Weil lattices and sphere packings. Amer J Math. 1991;113(5):931–48. 10.2307/2374791Search in Google Scholar

[16] Conway JH, Sloane NJA. Sphere packings, lattices and groups. vol. 290 of Grundlehren der Mathematischen Wissenschaften. 3rd ed. New York: Springer; 2013. https://doi.org/10.1007/978-1-4757-6568-7Search in Google Scholar

[17] Koshelev D. Magma code; 2023. https://github.com/dishport/Application-of-MW-lattices-with-large-kissing-numbers-to-acceleration-of-MSM-on-elliptic-curves. Search in Google Scholar

[18] Shioda T. The splitting field of Mordell-Weil lattices. In: Pragacz P, Szurek M, Wiśniewski J, editors. Algebraic Geometry: Hirzebruch 70. vol. 241 of Contemporary Mathematics. Providence: American Mathematical Society; 1999. p. 297–303. 10.1090/conm/241/03641Search in Google Scholar

[19] Shioda T. Cyclotomic analogue in the theory of algebraic equations of type E6, E7, E8. In: Kim MH, Hsia JS, Kitaoka Y, Schulze-Pillot R, editors. Integral Quadratic Forms and Lattices. vol. 249 of Contemporary Mathematics. Providence: American Mathematical Society; 1999. p. 87–96. 10.1090/conm/249/03750Search in Google Scholar

[20] Bernstein DJ, Lange T. Explicit-Formulas Database. https://www.hyperelliptic.org/EFD/index.html. Search in Google Scholar

[21] El Mrabet N, Joye M, editors. Guide to pairing-based cryptography. Cryptography and Network Security Series. New York: Chapman and Hall/CRC; 2017. 10.1201/9781315370170Search in Google Scholar

[22] Joye M, Lapiha O, Nguyen K, Naccache D. The eleventh power residue symbol. J Math Cryptol. 2021;15(1):111–22. 10.1515/jmc-2020-0077Search in Google Scholar

[23] Shioda T. Integral points and Mordell-Weil lattices. In: Wüstholz G, editor. A panorama of number theory or the view from Baker’s garden. Cambridge: Cambridge University Press; 2002. p. 185–93. 10.1017/CBO9780511542961.013Search in Google Scholar

[24] Shioda T. Gröbner basis, Mordell-Weil lattices and deformation of singularities, I. Proc Jpn Acad A: Math Sci. 2010;86(2):21–6. 10.3792/pjaa.86.21Search in Google Scholar

[25] Shioda T. Gröbner basis, Mordell-Weil lattices and deformation of singularities, II. Proc Jpn Acad A: Math Sci. 2010;86(2):27–32. 10.3792/pjaa.86.27Search in Google Scholar

[26] Shioda T. Elliptic surfaces and Davenport-Stothers triples. Commentarii Mathematici Universitatis Sancti Pauli, Rikkyo Daigaku Sugaku Zasshi. 2005;54(1):49–68. Search in Google Scholar

[27] Oguiso K, Shioda T. The Mordell-Weil lattice of a rational elliptic surface. Commentarii Mathematici Universitatis Sancti Pauli, Rikkyo Daigaku Sugaku Zasshi. 1991;40(1):83–99. Search in Google Scholar

[28] Usui H. On the Mordell-Weil lattice of the elliptic curve y2=x3+tm+1. I. Commentarii Mathematici Universitatis Sancti Pauli, Rikkyo Daigaku Sugaku Zasshi. 2000;49(1):71–8. Search in Google Scholar

[29] Usui H. On the Mordell-Weil lattice of the elliptic curve y2=x3+tm+1. II. Commentarii Mathematici Universitatis Sancti Pauli, Rikkyo Daigaku Sugaku Zasshi. 2001;50(1):65–87. Search in Google Scholar

[30] Usui H. On the Mordell-Weil lattice of the elliptic curve y2=x3+tm+1. III. Commentarii Mathematici Universitatis Sancti Pauli, Rikkyo Daigaku Sugaku Zasshi. 2006;55(2):173–94. Search in Google Scholar

[31] Usui H. On the Mordell-Weil lattice of the elliptic curve y2=x3+tm+1. IV. Commentarii Mathematici Universitatis Sancti Pauli, Rikkyo Daigaku Sugaku Zasshi. 2008;57(1):23–63. Search in Google Scholar

[32] Kumar A, Kuwata M. Elliptic K3 surfaces associated with the product of two elliptic curves: Mordell-Weil lattices and their fields of definition. Nagoya Math J. 2017;228:124–85. 10.1017/nmj.2016.56Search in Google Scholar

[33] Shioda T. The Mordell-Weil lattice of y2=x3+t5‒1⁄t5‒11. Commentarii Mathematici Universitatis Sancti Pauli, Rikkyo Daigaku Sugaku Zasshi. 2007;56(1):45–70. Search in Google Scholar

Received: 2024-10-10

Revised: 2024-12-20

Accepted: 2024-12-21

Published Online: 2025-04-14

This work is licensed under the Creative Commons Attribution 4.0 International License.

Articles in the same Issue

https://doi.org/10.1515/jmc-2024-0034

Keywords for this article

elliptic curves of j-invariant 0; kissing number; minimal points; Mordell–Weil lattices; multiscalar multiplication

Creative Commons

BY 4.0