Edwards Curve

In mathematics, the Edwards curves are a family of elliptic curves studied by Harold Edwards in 2007. The concept of elliptic curves over finite fields is widely used in elliptic curve cryptography. Applications of Edwards curves to cryptography were developed by Daniel J. Bernstein and Tanja Lange: they pointed out several advantages of the Edwards form in comparison to the more well known Weierstrass form.

Definition

The equation of an Edwards curve over a field ''K'' which does not
have characteristic 2 is:

: $x^2 + y^2 = 1 + d x^2 y^2 \,$

for some scalar $d\in K\setminus\$.
Also the following form with parameters ''c'' and ''d'' is called an Edwards curve:

: $x^2 + y^2 = c^2(1 + dx^2 y^2) \,$

where ''c'', ''d'' ∈ ''K'' with ''cd''(1 − ''c''⁴·''d'') ≠ 0.

Every Edwards curve is birationally equivalent to an elliptic curve in Montgomery form, and thus admits an algebraic group law once one chooses a point to serve as a neutral element. If ''K'' is finite, then a sizeable fraction of all elliptic curves over ''K'' can be written as Edwards curves.
Often elliptic curves in Edwards form are defined having c=1, without loss of generality. In the following sections, it is assumed that c=1.

The group law

(See also Weierstrass curve group law)

Every Edwards curve $x^2 + y^2 = 1 + dx^2y^2$ over field ''K'' with characteristic not equal to 2 with $d \ne 1$ is birationally equivalent to an elliptic curve over the same field: $(1/e)v^2 = u^3 + (4/e - 2)u^2 + u$, where $e=1-d, u=\frac, v=\frac$ and the point $P = (0,1)$ is mapped to the infinity ''O''. This birational mapping induces a group on any Edwards curve.

Edwards addition law

On any elliptic curve the sum of two points is given by a rational expression of the coordinates of the points, although in general one may need to use several formulas to cover all possible pairs. For the Edwards curve, taking the neutral element to be the point (0, 1), the sum of the points $(x_1,y_1)$ and $(x_2,y_2)$ is given by the formula

:$(x_1,y_1) + (x_2,y_2) = \left( \frac, \frac \right) \,$

The opposite of any point $(x,y)$ is $(-x,y)$. The point $(0,-1)$ has order 2, and the points $(\pm 1,0)$ have order 4. In particular, an Edwards curve always has a point of order 4 with coordinates in ''K''.

If ''d is not a square'' in ''K'' and $\ \in \^2$, then there are no exceptional points: the denominators $1 + dx_x_y_y_$ and $1 - dx_x_y_y_$ are always nonzero. Therefore, the Edwards addition law is complete when ''d'' is not a square in ''K''. This means that the formulas work for all pairs of input points on the Edwards curve with no exceptions for doubling, no exception for the neutral element, no exception for negatives, etc.Daniel. J. Bernstein , Tanja Lange, pag. 3, '' Faster addition and doubling on elliptic curves'' In other words, it is defined for all pairs of input points on the Edwards curve over ''K'' and the result gives the sum of the input points.

If ''d is a square'' in ''K'', then the same operation can have exceptional points, i.e. there can be pairs of points $(x_1,y_1), (x_2,y_2) \in \$ such that one of the denominators becomes zero: either $1 + dx_x_y_y_ = 0$ or $1 - dx_x_y_y_ = 0$.

One of the attractive feature of the Edwards Addition law is that it is strongly ''unified'' i.e. it can also be used to double a point, simplifying protection against side-channel attack. The addition formula above is faster than other unified formulas and has the strong property of completeness

Example of addition law :

Consider the elliptic curve in the Edwards form with ''d''=2

:$x^2 + y^2 = 1 + 2 x^2 y^2$

and the point $P_1=(1,0)$ on it. It is possible to prove that the sum of ''P''₁ with the neutral element (0,1) gives again P₁. Indeed, using the formula given above, the coordinates of the point given by this sum are:

:$x_3 = \frac = 1$

:$y_3 = \frac = 0$

An analogue on the circle

To understand better the concept of "addition" of points on a curve, a nice example is given by the classical circle group:

take the circle of radius 1

:$x^2+y^2=1$

and consider two points P₁=(x₁,y₁), P₂=(x₂,y₂) on it. Let α₁ and α₂ be the angles such that:

:$P_=(x_,y_)=(\sin,\cos)$
:$P_=(x_,y_)=(\sin,\cos)$

The sum of P₁ and P₂ is, thus, given by the sum of "their angles". That is, the point P₃=P₁+P₂ is a point on the circle with coordinates (x₃,y₃), where:

:$x_=\sin(_+_)=\sin_\cos_+\sin_\cos_=x_y_+x_y_$
:$y_=\cos(_+_)=\cos_\cos_-\sin_\sin_=y_y_-x_x_.$

In this way, the addition formula for points on the circle of radius 1 is:

:$(x_1,y_1)+(x_2,y_2) = (x_1y_2+x_2y_1,y_1y_2-x_1x_2)$.

Addition on Edwards curves

The points on an elliptic curve form an abelian group: one can add points and take integer multiples of a single point. When an elliptic curve is described by a non-singular cubic equation, then the sum of two points ''P'' and ''Q'', denoted ''P'' + ''Q'', is directly related to third point of intersection between the curve and the line that passes through ''P'' and ''Q''.

The birational mapping between an Edwards curve and the corresponding cubic elliptic curve maps the straight lines into conic sections
$Axy + Bx + Cy + D = 0$. In other words, for the Edwards curves the three points $P$, $Q$ and $-(P+Q)$ lay on a hyperbola.

Given two distinct non-identity points $P_1=(x_1,y_1), P_2=(x_2,y_2), P_1 \ne P_2$, the coefficients of the quadratic form are (up to scalars):

$A = (x_1 - x_2) + (x_y_ - x_y_)$,

$B = (x_y_ - x_y_) + y_y_(x_ - x_)$,

$C = x_x_(y_ - y_), D = C$

In the case of doubling a point $P=(x,y)$ the inverse point $-2P$ lies on the conic that touches the curve at the point $P$. The coefficients of the quadratic form that defines the conic are (up to scalars):

$A = dx^2y - 1$,

$B = y - x^2$,

$C = x(1 - y), D = C$

Projective homogeneous coordinates

In the context of cryptography, homogeneous coordinates are used to prevent field inversions that appear in the affine formula. To avoid inversions in the original Edwards addition formulas, the curve equation can be written in projective coordinates as:

$(X^2+Y^2)Z^2=Z^4+dX^2Y^2$.

A projective point $(X : Y : Z)$ corresponds to the affine point $(X/Z : Y/Z)$ on the Edwards curve.

The identity element is represented by $(0 : 1 : 1 )$. The inverse of $(X : Y : Z)$ is $(-X : Y : Z)$.

The addition formula in homogeneous coordinates is given by: $(X_1 : Y_1 : Z_1)+(X_2 : Y_2 : Z_2 )=(X_3 : Y_3 : Z_3 )$

where

$X_3 = Z_Z_(X_Y_ + X_Y_)(Z_^Z_^ - dX_X_Y_Y_)$

$Y_3 = Z_Z_(Y_Y_ - X_X_)(Z_^Z_^ + dX_X_Y_Y_)$

$Z_3 = (Z_^Z_^ - dX_X_Y_Y_)(Z_^Z_^ + dX_X_Y_Y_)$

Algorithm

Addition of two points on the Edwards curve could be computed more efficiently Huseyin Hisil, Kenneth Koon-Ho Wong, Gary Carter, and Ed Dawson. Twisted Edwards curves revisited. In ASIACRYPT
2008, pages 326–343, 2008 in the extended Edwards form $(X:Y:Z:T)$, where $T=XY/Z$: $(X_3:Y_3:Z_3:T_3) = (X_1:Y_1:Z_1:T_1) + (X_2:Y_2:Z_2:T_2)$

$A = X_X_; B = Y_Y_; C = dT_T_; D = Z_Z_;$

$E = (X_ + Y_)(X_ + Y_) - A - B; F = D - C; G = D + C; H = B - A;$

$X_3 = E \cdot F; Y_3 = G \cdot H; Z_3 = F \cdot G; T_3 = E \cdot H;$

Doubling

''Doubling'' can be performed with exactly the same formula as addition. Doubling refers to the case in which the inputs (''x''₁, ''y''₁) and (''x''₂, ''y''₂) are equal.

Doubling a point $P=(x,y)$:

\begin
(x,y)+(x,y) & = \left( \frac, \frac \right) \\ pt& = \left( \frac, \frac \right)
\end

The denominators were simplified based on the curve equation $x^2 + y^2 = 1 + dx^2y^2$. Further speedup is achieved by computing $2xy$ as $(x + y)^2 - x^2 - y^2$. This reduces the cost of doubling in homomorphic coordinates to 3M + 4S + 3C + 6a, while general addition costs 10M + 1S + 1C + 1D + 7a. Here M is field multiplications, S is field squarings, D is the cost of multiplying by the curve parameter ''d'', and a is field addition.

;Example of doubling

As in the previous example for the addition law, consider the Edwards curve with d=2:

$x^2 + y^2 = 1 + 2 x^2 y^2$

and the point $P=(1,0)$. The coordinates of the point $P_2 = 2P_1$ are:

$x_2 = \frac = 0$

$y_2 = \frac = -1$

The point obtained from doubling ''P'' is thus $P_2=(0,-1)$.

Mixed addition

Mixed addition is the case when Z₂ is known to be 1. In such a case A=Z₁^.Z₂ can be eliminated and the total cost reduces to 9M+1S+1C+1D+7a

Algorithm

A= Z₁^.Z₂ // in other words, A= Z₁

B= Z₁²

C=X₁.X₂

D=Y₁^.Y₂

E=d^.C^.D

F=B-E

G=B+E

X₃= A^.F((X_I+Y₁)^.(X₂+Y₂)-C-D)

Y₃= A^.G^.(D-C)

Z₃=C^.F^.G

Tripling

''Tripling'' can be done by first doubling the point and then adding the result to itself. By applying the curve equation as in doubling, we obtain

: $3(x_1,y_1) = \left( \fracx_1, \fracy_1 \right). \,$

There are two sets of formulas for this operation in standard Edwards coordinates. The first one costs 9M + 4S while the second needs 7M + 7S. If the S/M ratio is very small, specifically below 2/3, then the second set is better while for larger ratios the first one is to be preferred.
Using the addition and doubling formulas (as mentioned above) the point (''X''₁ : ''Y''₁ : ''Z''₁) is symbolically computed as 3(''X''₁ : ''Y''₁ : ''Z''₁) and compared with (''X''₃ : ''Y''₃ : ''Z''₃)

;Example of tripling

Giving the Edwards curve with d=2, and the point P₁=(1,0), the point 3P₁ has coordinates:

$x_3 = \fracx_1 = -1$

$y_3 = \fracy_1 = 0$

So, 3P₁=(-1,0)=P-₁. This result can also be found considering the doubling example: 2P₁=(0,1), so 3P₁ = 2P₁ + P₁ = (0,-1) + P₁ = -P₁.

;Algorithm

A=X₁²

B=Y₁²

C=(2Z₁)²

D=A+B

E=D²

F=2D.(A-B)

G=E-B.C

H=E-A.C

I=F+H

J=F-G

X₃=G.J.X1

Y₃=H.I.Y1

Z₃=I.J.Z1

This formula costs 9M + 4S

Inverted Edwards coordinates

Bernstein and Lange introduced an even faster coordinate system for elliptic curves called the ''Inverted Edward coordinates'' in which the coordinates (''X'' : ''Y'' : ''Z'') satisfy the curve (''X''² + ''Y''²)''Z''² = (''dZ''⁴ + ''X''²''Y''²) and corresponds
to the affine point (''Z''/''X'', ''Z''/''Y'') on the Edwards curve ''x''² + ''y''² = 1 + ''dx''²''y''² with XYZ ≠ 0.

Inverted Edwards coordinates, unlike standard Edwards coordinates, do not have complete addition formulas: some points, such as the neutral element, must be handled separately. But the addition formulas still have the advantage of strong unification: they can be used without change to double a point.

For more information about operations with these coordinates see http://hyperelliptic.org/EFD/g1p/auto-edwards-inverted.html

Extended Coordinates for Edward Curves

There is another coordinates system with which an Edwards curve can be represented; these new coordinates are called extended coordinatesH. Hisil, K. K. Wong, G. Carter, E. Dawson ''Faster group operations on elliptic curves'' and are even faster than inverted coordinates. For more information about the time-cost required in the operations with these coordinates see:
http://hyperelliptic.org/EFD/g1p/auto-edwards.html

See also

*Twisted Edwards curve
For more information about the running-time required in a specific case, see Table of costs of operations in elliptic curves.

Notes

References

*
*
* ''Faster Group Operations on Elliptic curves'', H. Hisil, K. K. Wong, G. Carter, E. Dawson
*
*
*

External links

* http://hyperelliptic.org/EFD/g1p/index.html
* http://hyperelliptic.org/EFD/g1p/auto-edwards.html

{{DEFAULTSORT:Edwards Curve
Elliptic curves
Elliptic curve cryptography