Edwards curve

Edwards curves of equation x + y = 1 + d ·x ·y over the real numbers for d = −300 (red), d = −√8 (yellow) and d = 0.9 (blue)

In mathematics, the Edwards curves are a family of elliptic curves studied by Harold Edwards in 2007. The concept of elliptic curves over finite fields is widely used in elliptic curve cryptography. Applications of Edwards curves to cryptography were developed by Daniel J. Bernstein and Tanja Lange: they pointed out several advantages of the Edwards form in comparison to the more well known Weierstrass form. ^[1]

Definition

The equation of an Edwards curve over a field K which does not have characteristic 2 is:

${\displaystyle x^{2}+y^{2}=1+d\ x^{2}y^{2}\,}$

for some scalar ${\displaystyle d\in K\setminus \{0,1\}}$. Also the following form with parameters c and d is called an Edwards curve:

${\displaystyle x^{2}+y^{2}=c^{2}(1+d\ x^{2}y^{2})\,}$

where c, d ∈ K with cd(1 − c⁴·d) ≠ 0.

Every Edwards curve is birationally equivalent to an elliptic curve in Montgomery form, and thus admits an algebraic group law once one chooses a point to serve as a neutral element. If K is finite, then a sizeable fraction of all elliptic curves over K can be written as Edwards curves. Often elliptic curves in Edwards form are defined having c=1, without loss of generality. In the following sections, it is assumed that c=1.

The group law

(See also Weierstrass curve group law)

Every Edwards curve ${\displaystyle x^{2}+y^{2}=1+dx^{2}y^{2}}$ over field K with characteristic not equal to 2 with ${\displaystyle d\neq 1}$ is birationally equivalent to an elliptic curve over the same field: ${\displaystyle (1/e)v^{2}=u^{3}+(4/e-2)u^{2}+u}$, where ${\displaystyle e=1-d,u={\frac {1+y}{1-y}},v={\frac {2(1+y)}{x(1-y)}}}$ and the point ${\displaystyle P=(0,1)}$ is mapped to the infinity O. This birational mapping induces a group on any Edwards curve.

Edwards addition law

On any elliptic curve the sum of two points is given by a rational expression of the coordinates of the points, although in general one may need to use several formulas to cover all possible pairs. For the Edwards curve, taking the neutral element to be the point (0, 1), the sum of the points ${\displaystyle (x_{1},y_{1})}$ and ${\displaystyle (x_{2},y_{2})}$ is given by the formula

${\displaystyle (x_{1},y_{1})+(x_{2},y_{2})=\left({\frac {x_{1}y_{2}+x_{2}y_{1}}{1+dx_{1}x_{2}y_{1}y_{2}}},{\frac {y_{1}y_{2}-x_{1}x_{2}}{1-dx_{1}x_{2}y_{1}y_{2}}}\right)\,}$

The opposite of any point ${\displaystyle (x,y)}$ is ${\displaystyle (-x,y)}$. The point ${\displaystyle (0,-1)}$ has order 2, and the points ${\displaystyle (\pm 1,0)}$ have order 4. In particular, an Edwards curve always has a point of order 4 with coordinates in K.

If d is not a square in K and ${\displaystyle \{(x_{1},y_{1}),(x_{2},y_{2})\}\in \{(x,y)|x^{2}+y^{2}=1+dx^{2}y^{2}\}^{2}}$, then there are no exceptional points: the denominators ${\displaystyle 1+dx_{1}x_{2}y_{1}y_{2}}$ and ${\displaystyle 1-dx_{1}x_{2}y_{1}y_{2}}$ are always nonzero. Therefore, the Edwards addition law is complete when d is not a square in K. This means that the formulas work for all pairs of input points on the Edwards curve with no exceptions for doubling, no exception for the neutral element, no exception for negatives, etc. ^[2] In other words, it is defined for all pairs of input points on the Edwards curve over K and the result gives the sum of the input points.

If d is a square in K, then the same operation can have exceptional points, i.e. there can be pairs of points ${\displaystyle (x_{1},y_{1}),(x_{2},y_{2})\in \{(x,y)|x^{2}+y^{2}=1+dx^{2}y^{2}\}}$ such that one of the denominators becomes zero: either ${\displaystyle 1+dx_{1}x_{2}y_{1}y_{2}=0}$ or ${\displaystyle 1-dx_{1}x_{2}y_{1}y_{2}=0}$.

One of the attractive feature of the Edwards Addition law is that it is strongly unified i.e. it can also be used to double a point, simplifying protection against side-channel attack. The addition formula above is faster than other unified formulas and has the strong property of completeness ^[2]

Example of addition law :

Consider the elliptic curve in the Edwards form with d=2

${\displaystyle {\displaystyle }x^{2}+y^{2}=1+2x^{2}y^{2}}$

and the point ${\displaystyle P_{1}=(1,0)}$ on it. It is possible to prove that the sum of P₁ with the neutral element (0,1) gives again P₁. Indeed, using the formula given above, the coordinates of the point given by this sum are:

${\displaystyle x_{3}={\frac {x_{1}y_{2}+y_{1}x_{2}}{1+2x_{1}x_{2}y_{1}y_{2}}}=1}$

${\displaystyle y_{3}={\frac {y_{1}y_{2}-x_{1}x_{2}}{1-2x_{1}x_{2}y_{1}y_{2}}}=0}$

An analogue on the circle

Clock group

To understand better the concept of "addition" of points on a curve, a nice example is given by the classical circle group:

take the circle of radius 1

${\displaystyle {\displaystyle }x^{2}+y^{2}=1}$

and consider two points P₁=(x₁,y₁), P₂=(x₂,y₂) on it. Let α₁ and α₂ be the angles such that:

${\displaystyle {\displaystyle }P_{1}=(x_{1},y_{1})=(\sin {\alpha _{1}},\cos {\alpha _{1}})}$

${\displaystyle {\displaystyle }P_{2}=(x_{2},y_{2})=(\sin {\alpha _{2}},\cos {\alpha _{2}})}$

The sum of P₁ and P₂ is, thus, given by the sum of "their angles". That is, the point P₃=P₁+P₂ is a point on the circle with coordinates (x₃,y₃), where:

${\displaystyle {\displaystyle }x_{3}=\sin({\alpha }_{1}+{\alpha }_{2})=\sin {\alpha }_{1}\cos {\alpha }_{2}+\sin {\alpha }_{2}\cos {\alpha }_{1}=x_{1}y_{2}+x_{2}y_{1}}$

${\displaystyle {\displaystyle }y_{3}=\cos({\alpha }_{1}+{\alpha }_{2})=\cos {\alpha }_{1}\cos {\alpha }_{2}-\sin {\alpha }_{1}\sin {\alpha }_{2}=y_{1}y_{2}-x_{1}x_{2}.}$

In this way, the addition formula for points on the circle of radius 1 is:

${\displaystyle {\displaystyle }(x_{1},y_{1})+(x_{2},y_{2})=(x_{1}y_{2}+x_{2}y_{1},y_{1}y_{2}-x_{1}x_{2})}$.

Addition on Edwards curves

Sum of two points on the Edwards curve with d = -30

Doubling a point on the Edwards curve with d=-30

The points on an elliptic curve form an abelian group: one can add points and take integer multiples of a single point. When an elliptic curve is described by a non-singular cubic equation, then the sum of two points P and Q, denoted P + Q, is directly related to third point of intersection between the curve and the line that passes through P and Q.

The birational mapping between an Edwards curve and the corresponding cubic elliptic curve maps the straight lines into conic sections ^[3] ${\displaystyle Axy+Bx+Cy+D=0}$. In other words, for the Edwards curves the three points ${\displaystyle P}$, ${\displaystyle Q}$ and ${\displaystyle -(P+Q)}$ lie on a hyperbola.

Given two distinct non-identity points ${\displaystyle P_{1}=(x_{1},y_{1}),P_{2}=(x_{2},y_{2}),P_{1}\neq P_{2}}$, the coefficients of the quadratic form are (up to scalars):

${\displaystyle A=(x_{1}-x_{2})+(x_{1}y_{2}-x_{2}y_{1})}$,

${\displaystyle B=(x_{2}y_{2}-x_{1}y_{1})+y_{1}y_{2}(x_{2}-x_{1})}$,

${\displaystyle C=x_{1}x_{2}(y_{1}-y_{2}),D=C}$

In the case of doubling a point ${\displaystyle P=(x,y)}$ the inverse point ${\displaystyle -2P}$ lies on the conic that touches the curve at the point ${\displaystyle P}$. The coefficients of the quadratic form that defines the conic are (up to scalars^{[ clarification needed ]}):

${\displaystyle A=dx^{2}y-1}$,

${\displaystyle B=y-x^{2}}$,

${\displaystyle C=x(1-y),D=C}$

Projective homogeneous coordinates

In the context of cryptography, homogeneous coordinates are used to prevent field inversions that appear in the affine formula. To avoid inversions in the original Edwards addition formulas, the curve equation can be written in projective coordinates as:

${\displaystyle (X^{2}+Y^{2})Z^{2}=Z^{4}+dX^{2}Y^{2}}$.

A projective point ${\displaystyle (X:Y:Z)}$ corresponds to the affine point ${\displaystyle (X/Z:Y/Z)}$ on the Edwards curve.

The identity element is represented by ${\displaystyle (0:1:1)}$. The inverse of ${\displaystyle (X:Y:Z)}$ is ${\displaystyle (-X:Y:Z)}$.

The addition formula in homogeneous coordinates is given by: ${\displaystyle (X_{1}:Y_{1}:Z_{1})+(X_{2}:Y_{2}:Z_{2})=(X_{3}:Y_{3}:Z_{3})}$

where

${\displaystyle X_{3}=Z_{1}Z_{2}(X_{1}Y_{2}+X_{2}Y_{1})(Z_{1}^{2}Z_{2}^{2}-dX_{1}X_{2}Y_{1}Y_{2})}$

${\displaystyle Y_{3}=Z_{1}Z_{2}(Y_{1}Y_{2}-X_{1}X_{2})(Z_{1}^{2}Z_{2}^{2}+dX_{1}X_{2}Y_{1}Y_{2})}$

${\displaystyle Z_{3}=(Z_{1}^{2}Z_{2}^{2}-dX_{1}X_{2}Y_{1}Y_{2})(Z_{1}^{2}Z_{2}^{2}+dX_{1}X_{2}Y_{1}Y_{2})}$

Algorithm

Addition of two points on the Edwards curve could be computed more efficiently ^[4] in the extended Edwards form${\displaystyle (X:Y:Z:T)}$, where ${\displaystyle T=XY/Z}$: ${\displaystyle (X_{3}:Y_{3}:Z_{3}:T_{3})=(X_{1}:Y_{1}:Z_{1}:T_{1})+(X_{2}:Y_{2}:Z_{2}:T_{2})}$

${\displaystyle A=X_{1}X_{2};B=Y_{1}Y_{2};C=dT_{1}T_{2};D=Z_{1}Z_{2};}$

${\displaystyle E=(X_{1}+Y_{1})(X_{2}+Y_{2})-A-B;F=D-C;G=D+C;H=B-A;}$

${\displaystyle X_{3}=E\cdot F;Y_{3}=G\cdot H;Z_{3}=F\cdot G;T_{3}=E\cdot H;}$

Doubling

Doubling can be performed with exactly the same formula as addition. Doubling refers to the case in which the inputs (x₁, y₁) and (x₂, y₂) are equal.

Doubling a point ${\displaystyle P=(x,y)}$:

${\displaystyle {\begin{aligned}(x,y)+(x,y)&=\left({\frac {2xy}{1+dx^{2}y^{2}}},{\frac {y^{2}-x^{2}}{1-dx^{2}y^{2}}}\right)\\[6pt]&=\left({\frac {2xy}{x^{2}+y^{2}}},{\frac {y^{2}-x^{2}}{2-x^{2}-y^{2}}}\right)\end{aligned}}}$

The denominators were simplified based on the curve equation ${\displaystyle x^{2}+y^{2}=1+dx^{2}y^{2}}$. Further speedup is achieved by computing ${\displaystyle 2xy}$ as ${\displaystyle (x+y)^{2}-x^{2}-y^{2}}$. This reduces the cost of doubling in homomorphic coordinates to 3M + 4S + 3C + 6a, while general addition costs 10M + 1S + 1C + 1D + 7a. Here M is field multiplications, S is field squarings, D is the cost of multiplying by the curve parameter d, and a is field addition.

Example of doubling

As in the previous example for the addition law, consider the Edwards curve with d=2:

${\displaystyle x^{2}+y^{2}=1+2x^{2}y^{2}}$

and the point ${\displaystyle P=(1,0)}$. The coordinates of the point ${\displaystyle P_{2}=2P_{1}}$ are:

${\displaystyle x_{2}={\frac {2xy}{x^{2}+y^{2}}}=0}$

${\displaystyle y_{2}={\frac {y^{2}-x^{2}}{2-(x^{2}+y^{2})}}=-1}$

The point obtained from doubling P is thus ${\displaystyle P_{2}=(0,-1)}$.

Mixed addition

Mixed addition is the case when Z₂ is known to be 1. In such a case A=Z₁^.Z₂ can be eliminated and the total cost reduces to 9M+1S+1C+1D+7a

Algorithm

A= Z₁^.Z₂ // in other words, A= Z₁

B= Z₁²

C=X₁.X₂

D=Y₁^.Y₂

E=d^.C^.D

F=B-E

G=B+E

X₃= A^.F((X_I+Y₁)^.(X₂+Y₂)-C-D)

Y₃= A^.G^.(D-C)

Z₃=C^.F^.G

Tripling

Tripling can be done by first doubling the point and then adding the result to itself. By applying the curve equation as in doubling, we obtain

${\displaystyle 3(x_{1},y_{1})=\left({\frac {(x_{1}^{2}+y_{1}^{2})^{2}-(2y_{1})^{2}}{4(x_{1}^{2}-1)x_{1}^{2}-(x_{1}^{2}-y_{1}^{2})^{2}}}x_{1},{\frac {(x_{1}^{2}+y_{1}^{2})^{2}-(2x_{1})^{2}}{-4(y_{1}^{2}-1)y_{1}^{2}+(x_{1}^{2}-y_{1}^{2})^{2}}}y_{1}\right).\,}$

There are two sets of formulas for this operation in standard Edwards coordinates. The first one costs 9M + 4S while the second needs 7M + 7S. If the S/M ratio is very small, specifically below 2/3, then the second set is better while for larger ratios the first one is to be preferred. ^[5] Using the addition and doubling formulas (as mentioned above) the point (X₁ : Y₁ : Z₁) is symbolically computed as 3(X₁ : Y₁ : Z₁) and compared with (X₃ : Y₃ : Z₃)

Example of tripling

Giving the Edwards curve with d=2, and the point P₁=(1,0), the point 3P₁ has coordinates:

${\displaystyle x_{3}={\frac {(x_{1}^{2}+y_{1}^{2})^{2}-(2y_{1})^{2}}{4(x_{1}^{2}-1)x_{1}^{2}-(x_{1}^{2}-y_{1}^{2})^{2}}}x_{1}=-1}$

${\displaystyle y_{3}={\frac {(x_{1}^{2}+y_{1}^{2})^{2}-2(x_{1})^{2}}{-4(y_{1}^{2}-1)y_{1}^{2}+(x_{1}^{2}-y_{1}^{2})^{2}}}y_{1}=0}$

So, 3P₁=(-1,0)=P-₁. This result can also be found considering the doubling example: 2P₁=(0,1), so 3P₁ = 2P₁ + P₁ = (0,-1) + P₁ = -P₁.

Algorithm

A=X₁²

B=Y₁²

C=(2Z₁)²

D=A+B

E=D²

F=2D.(A-B)

G=E-B.C

H=E-A.C

I=F+H

J=F-G

X₃=G.J.X1

Y₃=H.I.Y1

Z₃=I.J.Z1

This formula costs 9M + 4S

Inverted Edwards coordinates

Bernstein and Lange introduced an even faster coordinate system for elliptic curves called the Inverted Edward coordinates ^[6] in which the coordinates (X : Y : Z) satisfy the curve (X² + Y²)Z² = (dZ⁴ + X²Y²) and corresponds to the affine point (Z/X, Z/Y) on the Edwards curve x² + y² = 1 + dx²y² with XYZ ≠ 0.

Inverted Edwards coordinates, unlike standard Edwards coordinates, do not have complete addition formulas: some points, such as the neutral element, must be handled separately. But the addition formulas still have the advantage of strong unification: they can be used without change to double a point.

For more information about operations with these coordinates see http://hyperelliptic.org/EFD/g1p/auto-edwards-inverted.html

Extended Coordinates for Edward Curves

There is another coordinates system with which an Edwards curve can be represented. These new coordinates are called extended coordinates ^[7] and are even faster than inverted coordinates. For more information about the time-cost required in the operations with these coordinates see: http://hyperelliptic.org/EFD/g1p/auto-edwards.html

See also

• Twisted Edwards curve

For more information about the running-time required in a specific case, see Table of costs of operations in elliptic curves.

Notes

1. Bernstein, Daniel; Lange, Tanja (3 March 2014), How to design an elliptic-curve signature system
2. Daniel. J. Bernstein , Tanja Lange, pag. 3, Faster addition and doubling on elliptic curves
3. Christophe Arene; Tanja Lange; Michael Naehrig; Christophe Ritzenthaler (2009). "Faster Computation of the Tate Pairing". arXiv: 0904.0854 . Bibcode:2009arXiv0904.0854A . Retrieved 28 February 2010.
4. Huseyin Hisil, Kenneth Koon-Ho Wong, Gary Carter, and Ed Dawson. Twisted Edwards curves revisited. In ASIACRYPT 2008, pages 326–343, 2008
5. Bernstein et al., Optimizing Double-Base Elliptic curve single-scalar Multiplication
6. Daniel J.Bernstein. Tanja Lange, pag.2, Inverted Edward coordinates
7. H. Hisil, K. K. Wong, G. Carter, E. Dawson Faster group operations on elliptic curves

References

• Bernstein, Daniel; Lange, Tanja (2007), Faster Addition and Doubling on Elliptic curves (PDF)
• Edwards, Harold M. (9 April 2007), "A normal form for elliptic curves", Bulletin of the American Mathematical Society , 44 (3): 393–422, doi: 10.1090/s0273-0979-07-01153-6 , ISSN   0002-9904
• Faster Group Operations on Elliptic curves, H. Hisil, K. K. Wong, G. Carter, E. Dawson
• D.J.Bernstein, P.Birkner. T. Lange, C.Peters, Optimizing Double-Base Elliptic-Curve Single-Scalar Multiplication (PDF)
• Washington, Lawrence C. (2008), Elliptic Curves: Number Theory and Cryptography, Discrete Mathematics and its Applications (2nd ed.), Chapman & Hall/CRC, ISBN   978-1-4200-7146-7
• Bernstein, Daniel; Lange, Tanja, Inverted Edwards coordinates (PDF)

External links

• http://hyperelliptic.org/EFD/g1p/index.html
• http://hyperelliptic.org/EFD/g1p/auto-edwards.html