Goppa codes over Edwards curves

Given an Edwards curve, we determine a basis for the Riemann-Roch space of any divisor whose support does not contain any of the two singular points. This basis allows us to compute a generating matrix for an algebraic-geometric Goppa code over the Edwards curve.


Introduction
The literature on elliptic curves and their applications in cryptography is well consolidated. Besides the well-known ECC (Elliptic Curve Cryptography) in which the group law, defined on these curves, is exploited to encrypt messages, and the ECDSA (Elliptic Curve Digital Signature Algorithm), another example can be found in the Lenstra algorithm for the factorization of integers. Moreover, there are as well applications to coding theory based on the Riemann-Roch space L (D) associated with a rational divisor D of these curves. In particular, this space is a fundamental ingredient to construct Goppa codes, first introduced in 1983 [9]. Goppa codes over the Hermitian curve, as well as over maximal curves and hyperelliptic curves, have been extensively studied in [1, 6-8, 11, 12, 15], as they have become an important topic both in coding theory and in cryptography, where they play a central role in McEliece public-key cryptographic systems [14].
To the best of our knowledge, AG Goppa codes for Edwards curves have not been considered until now. In this paper, we compute the generating matrices for AG Goppa codes over Edwards curves. These curves are already the subject of many papers in cryptography [2-5, 10, 13], in particular in their twisted version. Compared to the classic elliptic curves in Weierstrass form, they can be more efficient for cryptographic use and for the (single or multiple) digital signature.
In section 2 we describe Edwards curves and their relationship with elliptic curves in Weierstrass form. In section 3 we compute a basis for L (D) over Edwards curves, while in section 4 we construct AG Goppa codes over Edwards curves and their generating matrices. In particular, in subsec. 4.3 we give a small example of a Goppa MDS code where we use the AG Goppa code defined in subsec. 4.1 over Edwards curves.

Edwards curves and elliptic curves in Weierstrass form
In this section we introduce Edwards curves E, that is, algebraic curves, defined over a field K, which can be represented in a suitable coordinate system by the equationx 2 +ŷ 2 = 1 + dx 2ŷ2 , with d(d − 1) = 0. We present these curves as a birationally equivalent version of elliptic curves in Weierstrass form.
Recall that, over a field K of characteristic different from 2, a (smooth) elliptic curve (possessing at least a K-rational point) can be represented in a suitable coordinate system by the Weierstrass equation y 2 = x 3 +a x 2 +b x, having one point at infinity Ω = [Z : X : Y ] = [0 : 0 : 1] on the y axis.  Edwards curves and elliptic curves in Weierstrass form are closely related. In particular, over a field K of characteristic different from 2, one has that an elliptic curve W defined by the equation y 2 = x 3 +a x 2 +b x, and an Edwards curve E defined by the equationx 2 +ŷ 2 = 1+dx 2ŷ2 , where d is not a square, are birationally equivalent (cf. [2]). Furthermore, this equivalence is given by the following two rational maps: where P = (x 1 , y 1 ) ∈ W (K) is such that the divisor 2(P − Ω) = (0, 0) − Ω.

Remark 2.4.
Since there are two points mapped by β onto Ω 1 and two points onto Ω 2 , one sees that it is not possible to coherently define α(Ω 1 ) and α(Ω 2 ). For this reason the maps α and β define a birational equivalence between the two forms. Note that W is, indeed, a smooth projective resolution of the non-smooth curve E.

Remark 2.5.
Since the map β in (2.1b) transforms a line through P ∈ W (K) and Q ∈ W (K) onto the hyperbola through β(P ), β(Q), O , 2Ω 1 and 2Ω 2 , and maps vertical lines onto horizontal lines, then β induces a group homomorphism of the corresponding divisor classes group (cf. [2] for further details about the group law of Edwards curves).

The Riemann-Roch space L (D) over Edwards curves
In this section, given a divisor D ∈ Div(E), we provide a basis of the Riemann-Roch vector space for an Edwards curve E, under the assumption that the support of D does not contain the two singular points Ω 1 and Ω 2 .
We recall that a divisor is, in this context, an element of the free abelian group Div(E) on the points of E, that is, a formal sum D = n P ∈Z n P P , with P ∈ E (K), where only finitely many integers n P are not zero, and that a principal divisor D = div (g) of a function g is the sum of the zeros of g on E minus the poles of g on E. The integer δ = n P is the degree of the divisor D and principal divisors give a subgroup of the subgroup Div 0 (E) of divisors having degree equal to zero, because any function g on E has by Bezout theorem the same number of zeros and poles on E. The group taken into account is formally the quotient group Div 0 (E) Princ(E) .
Also, we recall that any divisor D on E of degree k + 1, such that Ω 1 and Ω 2 do not belong to the support of D , is linearly equivalent to P + kO, for a suitable point P ∈ E (K) (or (k + 1)O, in the case where P = O), that is, D = P + kO + div (g), for a suitable function g. Since the map is an isomorphism between L (D ) and L (P + kO), we confine ourselves to the latter space.
Since W is smooth, by the formula of Riemann-Roch, the dimension of L (α(P ) + kΩ) is k + 1, and we are left with exhibiting k + 1 linearly independent functions in L (P + kO), as manifestly L (P + (i − 1)O) is contained in L (P + iO), for i = 1, . . . , k + 1.
For i = 0 the assertion follows, because div Z Z = 0 and for every P ∈ E (K) we have that div (F 0 ) + P is effective.
Hence, we have that div (F 1 ) + P + O is effective for any suitable P . Additionally, for i ≥ 2, we have that: hence, div (F i ) + P + iO is effective in both the cases i = 2h and i = 2h + 1. So, every function F i is such that div (F i ) + D is effective if D = P + kO or D = (k + 1)O. In order to complete the proof, it is necessary to show that all these functions are linearly independent, but this follows from standard, elementary, arguments of linear algebra.
We note that in the case D = (k + 1)O we simply remove F 1 and we add F k+1 , thus, also in this case, we have k + 1 linearly independent functions.

Computational cost
Recalling that the costs of modular addition, multiplication, and inversion over GF (q) are O (ln(q)), O ln 2 (q) , O ln 3 (q) , respectively, we now compute the cost of evaluating at a point P ∈ E (GF (q)) each element of the basis of L (D).
We firstly note that we can compute F 2h from F 2h−2 , and F 2h+1 from F 2h , as that is, at each step we have to perform a single multiplication times the last (or the secondlast) value. Moreover, we can pre-calculate the value of the function to further speed up the computation. Therefore, the maximal global cost C (L (D)) of evaluating the first k functions F i is C (L (D)) = O k · ln 2 (q) + ln 3 (q) .

AG Goppa codes on Edwards curves
In this section, we construct the generating matrix and the parity-check matrix for a [n, k, d] q AG Goppa code for an Edwards curve E over GF (q), compute the computational cost, and give a small example.

Goppa code for an Edwards curve
In the following, we adapt the definition of a Goppa code to our case.
k×n be the k × n matrix, we define the [n, k, d] q AG Goppa code Proof. It follows from the same, classic, proof of AG Goppa codes over curves.
If we order the points in T so that the first k columns of the generating matrix k×n of the Goppa code C G are linearly independent, e.g. by applying the Gauss-Jordan method, then G can be reduced in its standard form [I k |M ], where I k is the identity matrix of order k and M ∈ GF (q) k×(n−k) . Once G is in standard form, the parity-check matrix H ∈ GF (q) (n−k)×n of this Goppa code, that is, the matrix such that G · H T = 0 and H · y T = 0 for every code word y ∈ C G , is simply H = [−M T |I n−k ]. Thus, the code C G is also defined as {y ∈ GF (q) n : H · y T = 0}.

Computational cost of constructing a Goppa code
In order to compute the generating matrix G we need to evaluate each of the n points in the set T for each element of the basis of L (D), that is, we have a computational cost of O (n · C (L (D))) because G is a matrix of size k × n. Moreover, the cost of computing the parity-check matrix depends on the method used to solve the linear system G · x = 0. For instance, if we used the Gauss-Jordan method to reduce the matrix G to its standard form, then the cost would be O max (n, k) 3 Hence, the global computational cost of constructing a Goppa code over E (GF (q)) is: O (n · C (L (D))) + O max (n, k) 3 = O n · (k · ln 2 (q) + ln 3 (q)) + O n 3 .

Conclusions
Edwards curves have been recently introduced for their applications in cryptography. In this paper, we provided a basis for the Riemann-Roch space of a divisor on these curves, and we used this basis for the construction of the generating matrices of the AG Goppa codes, thus providing a possible application of Edwards curves to Coding theory, as well.