Twisted Edwards curve
This article needs additional citations for verification. (January 2010) |
In algebraic geometry, the twisted Edwards curves are plane models of elliptic curves, a generalisation of Edwards curves introduced by Bernstein, Birkner, Joye, Lange and Peters in 2008.[1] The curve set is named after mathematician Harold M. Edwards. Elliptic curves are important in public key cryptography and twisted Edwards curves are at the heart of an electronic signature scheme called EdDSA that offers high performance while avoiding security problems that have surfaced in other digital signature schemes.
Definition
[edit]A twisted Edwards curve over a field with characteristic not equal to 2 (that is, no element is its own additive inverse) is an affine plane curve defined by the equation:
where are distinct non-zero elements of .
Each twisted Edwards curve is a twist of an Edwards curve. The special case is untwisted, because the curve reduces to an ordinary Edwards curve.
Every twisted Edwards curve is birationally equivalent to an elliptic curve in Montgomery form and vice versa.[2]
Group law
[edit]As for all elliptic curves, also for the twisted Edwards curve, it is possible to do some operations between its points, such as adding two of them or doubling (or tripling) one. The results of these operations are always points that belong to the curve itself. In the following sections some formulas are given to obtain the coordinates of a point resulted from an addition between two other points (addition), or the coordinates of point resulted from a doubling of a single point on a curve.
Addition on twisted Edwards curves
[edit]Let be a field with characteristic different from 2. Let and be points on the twisted Edwards curve. The equation of twisted Edwards curve is written as;
- : .
The sum of these points on is:
The neutral element is (0,1) and the negative of is
These formulas also work for doubling. If a is a square in and d is a non-square in , these formulas are complete: this means that they can be used for all pairs of points without exceptions; so they work for doubling as well, and neutral elements and negatives are accepted as inputs.[3][failed verification]
Example of addition
Given the following twisted Edwards curve with a = 3 and d = 2:
it is possible to add the points and using the formula given above. The result is a point P3 that has coordinates:
Doubling on twisted Edwards curves
[edit]Doubling can be performed with exactly the same formula as addition. Doubling of a point on the curve is:
where
Denominators in doubling are simplified using the curve equation . This reduces the power from 4 to 2 and allows for more efficient computation.
Example of doubling
Considering the same twisted Edwards curve given in the previous example, with a=3 and d=2, it is possible to double the point . The point 2P1 obtained using the formula above has the following coordinates:
It is easy to see, with some little computations, that the point belongs to the curve .
Extended coordinates
[edit]There is another kind of coordinate system with which a point in the twisted Edwards curves can be represented. A point on is represented as X, Y, Z, T satisfying the following equations x = X/Z, y = Y/Z, xy = T/Z.
The coordinates of the point (X:Y:Z:T) are called the extended twisted Edwards coordinates. The identity element is represented by (0:1:1:0). The negative of a point is (−X:Y:Z:−T).
Inverted twisted Edwards coordinates
[edit]The coordinates of the point are called the inverted twisted Edwards coordinates on the curve with ; this point to the affine one on . Bernstein and Lange introduced these inverted coordinates, for the case a=1 and observed that the coordinates save time in addition.
Projective twisted Edwards coordinates
[edit]The equation for the projective twisted Edwards curve is given as: For Z1 ≠ 0 the point (X1:Y1:Z1) represents the affine point (x1 = X1/Z1, y1 = Y1/Z1) on EE,a,d.
Expressing an elliptic curve in twisted Edwards form saves time in arithmetic, even when the same curve can be expressed in the Edwards form.
Addition in projective twisted curves
[edit]The addition on a projective twisted Edwards curve is given by
- (X3:Y3:Z3) = (X1:Y1:Z1) + (X2:Y2:Z2)
and costs 10Multiplications + 1Squaring + 2D + 7 additions, where the 2D are one multiplication by a and one by d.
- Algorithm
- A = Z1 · Z2,
- B = A2
- C = X1 · X2
- D = Y1 · Y2
- E = dC · D
- F = B − E
- G = B + E
- X3 = A · F((X1 + Y1) · (X2 + Y2) − C − D)
- Y3 = A · G · (D − aC)
- Z3 = F · G
Doubling on projective twisted curves
[edit]Doubling on the projective twisted curve is given by
- (X3:Y3:Z3) = 2(X1:Y1:Z1).
This costs 3Multiplications + 4Squarings + 1D + 7additions, where 1D is a multiplication by a.
- Algorithm
- B = (X1 + Y1)2
- C = X12
- D = Y12
- E = aC
- F = E + D
- H = Z12
- J = F − 2H
- X3 = (B − C − D).J
- Y3 = F · (E − D)
- Z3 = F · J[1]
See also
[edit]- EdDSA
- For more information about the running time required in a specific case, see Table of costs of operations in elliptic curves.
Notes
[edit]- ^ a b Bernstein, Daniel J.; Birkner, Peter; Joye, Marc; Lange, Tanja; Peters, Christiane (2008). "Twisted Edwards Curves". In Vaudenay, Serge (ed.). Progress in Cryptology – AFRICACRYPT 2008. Lecture Notes in Computer Science. Vol. 5023. Berlin, Heidelberg: Springer. pp. 389–405. doi:10.1007/978-3-540-68164-9_26. ISBN 978-3-540-68164-9.
- ^ Daniel J. Bernstein; Peter Birkner; Marc Joye; Tanja Lange; Christiane Peters. "Twisted Edwards Curves" (PDF). Retrieved 28 January 2020.
- ^ Daniel J. Bernstein and Tanja Lange, Faster addition and doubling on elliptic curves
References
[edit]- Daniel J. Bernstein; Marc Joye; Tanja Lange; Peter Birkner; Christiane Peters, Twisted Edwards Curves (PDF)
- Huseyin Hisil, Kenneth Wong, Gary Carter, Ed Dawson. (2008), "Twisted Edwards Curves revisited", Cryptology ePrint Archive
{{citation}}
: CS1 maint: multiple names: authors list (link)
- Daniel J. Bernstein; Tanja Lange; Peter Birkner; Christiane Peters, ECM using Edwards curves (PDF)