Twisted_Edwards_curve Knowpia

In algebraic geometry, the twisted Edwards curves are plane models of elliptic curves, a generalisation of Edwards curves introduced by Bernstein, Birkner, Joye, Lange and Peters in 2008.^[1] The curve set is named after mathematician Harold M. Edwards. Elliptic curves are important in public key cryptography and twisted Edwards curves are at the heart of an electronic signature scheme called EdDSA that offers high performance while avoiding security problems that have surfaced in other digital signature schemes.

Definition edit

A twisted Edwards curve $E_{E,a,d}$ over a field $\mathbb {K}$ with characteristic not equal to 2 (that is, no element is its own additive inverse) is an affine plane curve defined by the equation:

E_{E,a,d}:ax^{2}+y^{2}=1+dx^{2}y^{2}

where $a,d$ are distinct non-zero elements of $\mathbb {K}$ .

Each twisted Edwards curve is a twist of an Edwards curve. The special case $a=1$ is untwisted, because the curve reduces to an ordinary Edwards curve.

Every twisted Edwards curve is birationally equivalent to an elliptic curve in Montgomery form and vice versa.^[2]

Group law edit

As for all elliptic curves, also for the twisted Edwards curve, it is possible to do some operations between its points, such as adding two of them or doubling (or tripling) one. The results of these operations are always points that belong to the curve itself. In the following sections some formulas are given to obtain the coordinates of a point resulted from an addition between two other points (addition), or the coordinates of point resulted from a doubling of a single point on a curve.

Addition on twisted Edwards curves edit

Let $\mathbb {K}$ be a field with characteristic different from 2. Let $(x_{1},y_{1})$ and $(x_{2},y_{2})$ be points on the twisted Edwards curve. The equation of twisted Edwards curve is written as;

E_{E,a,d}

:

ax^{2}+y^{2}=1+dx^{2}y^{2}

.

The sum of these points $(x_{1},y_{1}),(x_{2},y_{2})$ on $E_{E,a,d}$ is:

(x_{1},y_{1})+(x_{2},y_{2})=\left({\frac {x_{1}y_{2}+y_{1}x_{2}}{1+dx_{1}x_{2}y_{1}y_{2}}},{\frac {y_{1}y_{2}-ax_{1}x_{2}}{1-dx_{1}x_{2}y_{1}y_{2}}}\right)

The neutral element is (0,1) and the negative of $(x_{1},y_{1})$ is $(-x_{1},y_{1})$

These formulas also work for doubling. If a is a square in $\mathbb {K}$ and d is a non-square in $\mathbb {K}$ , these formulas are complete: this means that they can be used for all pairs of points without exceptions; so they work for doubling as well, and neutral elements and negatives are accepted as inputs.^[3]^{[failed verification]}

Example of addition

Given the following twisted Edwards curve with a = 3 and d = 2:

$3x^{2}+y^{2}=1+2x^{2}y^{2}$

it is possible to add the points $P_{1}=(1,{\sqrt {2}})$ and $P_{2}=(1,-{\sqrt {2}})$ using the formula given above. The result is a point P₃ that has coordinates:

x_{3}={\frac {x_{1}y_{2}+y_{1}x_{2}}{1+dx_{1}x_{2}y_{1}y_{2}}}=0,

y_{3}={\frac {y_{1}y_{2}-ax_{1}x_{2}}{1-dx_{1}x_{2}y_{1}y_{2}}}=-1.

Doubling on twisted Edwards curves edit

Doubling can be performed with exactly the same formula as addition. Doubling of a point $(x_{1},y_{1})$ on the curve $E_{E,a,d}$ is:

$2(x_{1},y_{1})=(x_{3},y_{3})$

where

{\begin{aligned}x_{3}&={\frac {x_{1}y_{1}+y_{1}x_{1}}{1+dx_{1}x_{1}y_{1}y_{1}}}={\frac {2x_{1}y_{1}}{ax_{1}^{2}+y_{1}^{2}}}\\[6pt]y_{3}&={\frac {y_{1}y_{1}-ax_{1}x_{1}}{1-dx_{1}x_{1}y_{1}y_{1}}}={\frac {y_{1}^{2}-ax_{1}^{2}}{2-ax_{1}^{2}-y_{1}^{2}}}.\end{aligned}}

Denominators in doubling are simplified using the curve equation $dx^{2}y^{2}=ax^{2}+by^{2}-1$ . This reduces the power from 4 to 2 and allows for more efficient computation.

Example of doubling

Considering the same twisted Edwards curve given in the previous example, with a=3 and d=2, it is possible to double the point $P_{1}=(1,{\sqrt {2}})$ . The point 2P₁ obtained using the formula above has the following coordinates:

x_{3}={\frac {2x_{1}y_{1}}{ax_{1}^{2}+y_{1}^{2}}}={\frac {2{\sqrt {2}}}{5}},

y_{3}={\frac {y_{1}^{2}-ax_{1}^{2}}{2-ax_{1}^{2}-y_{1}^{2}}}={\frac {1}{3}}.

It is easy to see, with some little computations, that the point $P_{3}=\left({\frac {2{\sqrt {2}}}{5}},{\frac {1}{3}}\right)$ belongs to the curve $3x^{2}+y^{2}=1+2x^{2}y^{2}$ .

Extended coordinates edit

There is another kind of coordinate system with which a point in the twisted Edwards curves can be represented. A point $(x,y,z)$ on $ax^{2}+y^{2}=1+dx^{2}y^{2}$ is represented as X, Y, Z, T satisfying the following equations x = X/Z, y = Y/Z, xy = T/Z.

The coordinates of the point (X:Y:Z:T) are called the extended twisted Edwards coordinates. The identity element is represented by (0:1:1:0). The negative of a point is (−X:Y:Z:−T).

Inverted twisted Edwards coordinates edit

The coordinates of the point $(X_{1}:Y_{1}:Z_{1})$ are called the inverted twisted Edwards coordinates on the curve ${\textstyle (X^{2}+aY^{2})Z^{2}=X^{2}Y^{2}+dZ^{4}}$ with ${\textstyle X_{1}Y_{1}Z_{1}\neq 0}$ ; this point to the affine one $(Z_{1}/X_{1},Z_{1}/Y_{1})$ on $E_{E,a,d}$ . Bernstein and Lange introduced these inverted coordinates, for the case a=1 and observed that the coordinates save time in addition.

Projective twisted Edwards coordinates edit

The equation for the projective twisted Edwards curve is given as: $(aX^{2}+Y^{2})Z^{2}=Z^{4}+dX^{2}Y^{2}$ For Z₁ ≠ 0 the point (X₁:Y₁:Z₁) represents the affine point (x₁ = X₁/Z₁, y₁ = Y₁/Z₁) on E_E,a,d.

Expressing an elliptic curve in twisted Edwards form saves time in arithmetic, even when the same curve can be expressed in the Edwards form.

Addition in projective twisted curves edit

The addition on a projective twisted Edwards curve is given by

(X₃:Y₃:Z₃) = (X₁:Y₁:Z₁) + (X₂:Y₂:Z₂)

and costs 10Multiplications + 1Squaring + 2D + 7 additions, where the 2D are one multiplication by a and one by d.

Algorithm

A = Z₁ · Z₂,

B = A²

C = X₁ · X₂

D = Y₁ · Y₂

E = dC · D

F = B − E

G = B + E

X₃ = A · F((X₁ + Y₁) · (X₂ + Y₂) − C − D)

Y₃ = A · G · (D − aC)

Z₃ = F · G

Doubling on projective twisted curves edit

Doubling on the projective twisted curve is given by

(X₃:Y₃:Z₃) = 2(X₁:Y₁:Z₁).

This costs 3Multiplications + 4Squarings + 1D + 7additions, where 1D is a multiplication by a.

Algorithm

B = (X₁ + Y₁)²

C = X₁²

D = Y₁²

E = aC

F = E + D

H = Z₁²

J = F − 2H

X₃ = (B − C − D).J

Y₃ = F · (E − D)

Z₃ = F · J^[1]

Notes edit

^ ^a ^b Bernstein, Daniel J.; Birkner, Peter; Joye, Marc; Lange, Tanja; Peters, Christiane (2008). Vaudenay, Serge (ed.). Twisted Edwards Curves. Lecture Notes in Computer Science. Vol. 5023. Berlin, Heidelberg: Springer. pp. 389–405. doi:10.1007/978-3-540-68164-9_26. ISBN 978-3-540-68164-9. {{cite book}}: |journal= ignored (help)
^ Daniel J. Bernstein; Peter Birkner; Marc Joye; Tanja Lange; Christiane Peters. "Twisted Edwards Curves" (PDF). Retrieved 28 January 2020.
^ Daniel J. Bernstein and Tanja Lange, Faster addition and doubling on elliptic curves

References edit

Daniel J. Bernstein; Marc Joye; Tanja Lange; Peter Birkner; Christiane Peters, Twisted Edwards Curves (PDF)

Huseyin Hisil, Kenneth Wong, Gary Carter, Ed Dawson. (2008), "Twisted Edwards Curves revisited", Cryptology ePrint Archive{{citation}}: CS1 maint: multiple names: authors list (link)