Differential Addition in Edwards Coordinates Revisited and a Short Note on Doubling in Twisted Edwards Form

Srinivasa Rao Subramanya Rao Mathematical Sciences Institute, The Australian National University, Union Lane, Canberra ACT 2601, Australia

Keywords: Scalar Multiplication, Montgomery , Differential Addition, Edwards Curves, Twisted Edwards Curves, Binary Edwards Curves, Homogeneous Projective, Inverted Coordinates, Extended Homogeneous Projective Coordinates, w-coordinate Differential addition.

Abstract: Cryptographic algorithms in smart cards and other constrained environments increasingly rely on Elliptic Curves and thus it is desirable to have fast algorithms for elliptic arithmetic. In this paper, we provide (i) faster differential addition formulae for arithmetic on Generalized Edwards’ Curves improving upon the currently known formulae in the literature, proposed by Justus and Loebenberger at IWSEC 2010, (ii) more efficient affine differential addition formulae for a new model of Binary Edwards Curves proposed by Wu, Tang and Feng at INDOCRYPT 2012 and (iii) an algorithm for doubling on Twisted Edwards Curves with a smaller footprint when the implementation is desired to work across Homogeneous Projective, Inverted and Extended Homogeneous Projective Coordinates.

1 INTRODUCTION ECC. Thus efficient methods for point multiplication are crucial for ECC. A very good source for point Security in smart devices and mobile networks multiplication formula is the EFD(Explicit Forms require an efficient implementation of cryptographic Database) (Bernstein and Lange, 2007). The usual algorithms owing to the computational, bandwidth, convention in the literature is to denote the cost power and memory constraints experienced in these of a field inversion by I, a field multiplication by environments. With its smaller key sizes, Elliptic M and a field squaring by S. In this paper we Curve Cryptography(ECC) is increasingly seen as an will denote the cost of a field multiplication with a alternative to traditional public key algorithms such as constant by Mc. Multiplications by 2,3 or 4 can RSA, especially in constrained environments such as be achieved by field additions and are thus ignored mobile devices. Thus while ECC is attractive for the in cost comparisons in this paper. Lately, a new success of lightweight applications such as security form of an elliptic curve called ”Edwards Curve” has for mobile and/or embedded applications, RFID and received attention in the research community mainly in the context of ”Internet for Things”, optimized due to its low finite field operation count for point low-cost ECC implementations are crucial for this multiplication. Differential addition, a concept used success. earlier in the context of Montgomery curves has been In recent years, amongst other things, research adapted to other forms of elliptic curves including in ECC has focused on efficient implementations. Edwards curves. As is well known, the set of points on an elliptic In this paper, we review some formulae presented curve defined over a finite field along with the in the literature towards differential addition on point at infinity form a group when appropriate Edwards Curves and work towards speeding up the group operations are defined. Elliptic curve groups same. Specifically, we look at formulae proposed have an additive notation and thus the operation of by Justus and Loebenberger at IWSEC 2010 and exponentiation in a group with multiplicative notation at formulae proposed by Wu, Tang and Feng at becomes a multiplication operation in Elliptic curve INDOCRYPT 2012. The rest of the paper is groups over a finite field. Point multiplication is at organized as follows: In Section-2, we review the core of most ECC applications and dominates (i) differential addition and (ii) some formulae

336

Rao, S. Differential Addition in Edwards Coordinates Revisited and a Short Note on Doubling in Twisted Edwards Form. DOI: 10.5220/0005970603360343 In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications (ICETE 2016) - Volume 4: SECRYPT, pages 336-343 ISBN: 978-989-758-196-0 Copyright c 2016 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved

Differential Addition in Edwards Coordinates Revisited and a Short Note on Doubling in Twisted Edwards Form

presented in the literature for differential addition Lucas chains are also known as differential addition on Generalized Edwards Curves and Binary Edwards chains in the literature (Bernstein, 2006b). Below we Curves. In section 3, we provide faster algorithms review differential addition formulae for Montgomery to evaluate some of the formulae reviewed in curves. A Montgomery curve defined over a finite Section 2. In Section 4, we review point doubling field Fp is given by in Twisted Edwards Curves for the Homogeneous 2 3 2 Projective, Inverted and Extended Homogeneous Em : By = x + Ax + x Projective coordinate forms and provide an alternate If P = (x ,y ) is a point on the E , P can be written algorithm for point doubling. This alternate algorithm 1 1 m in projective coordinates as P = (X ,Y ,Z ). If does not improve on the operation counts of currently 1 1 1 [n]P = (X : Y : Z ), the sum [n + m]P = [n]P + [m]P known algorithms in the literature, but the similarity n n n can be computed using the differential addition of the algorithms across coorodinate forms means that formulae below: it may be possible to have a smaller footprint when implementing algorithms that work with all of these Addition: (n = m) three coordinate systems simultaneously. We finally 6 conclude in Section-4. Xm+n = 2 Zm n((Xm Zm)(Xn + Zn) + (Xm + Zm)(Xn Zn)) − − − Zm+n = 2 DIFFERENTIAL ADDITION 2 Xm n((Xm Zm)(Xn + Zn) (Xm + Zm)(Xn Zn)) − − − − The problem of reducing the number of Doubling: (n = m) group operations required while computing an 4X Z = (X + Z )2 (X Z )2 exponentiation (multiplication whilst in a additive n n n n − n − n 2 2 group) is probably best seen in the context of addition X2n = (Xn + Zn) (Xn Zn) chains. A finite sequence of integers a ,a ,...ar is − 0 1 Z = 4X Z ((X Z )2 + ((A + 2)/4)(4X Z )) called an addition chain (section 4.63 in (D.Knuth, 2n n n n − n n n 1998)) for ar if for each element ai, there exists a j In the above formulae, we can see that the and ak in the sequence such that a0 = 1 and for all Y-coordinate is not required in the computation of i = 1,2,...,r X-coordinate of [n + m]P, provided we are supplied with the value of [n m]P. This is employed by ai = a j + ak, for some k j < i (1) ≤ the Montgomery ladder− for scalar multiplication. A Addition chains are applicable both in the context good reference for Montgomery ladders is (M.Joye of multiplicative groups and additive groups such as and S.Yen, 2002). Elliptic curve groups over a finite field. The idea of differential addition has been extended In 1987, Montgomery proposed a special type to other forms of elliptic curves. Lopez and Dahab of an elliptic curve, now known as Montgomery (J.Lopez and R.Dahab, 1999) generalized this idea form of an elliptic curve or simply Montgomery to Weierstrass form binary curves and Brier and curve (P.L.Montgomery, 1987). The arithmetic on Joye (E.Brier and M.Joye, 2002) generalized it to a Montgomery curve relies on ’x-coordinate’ only Weierstrass Curves defined over GF(p). Justus arithmetic and also requires the ’difference’ of two and Loebenberger (R.Justus and Loebenberger, 2010) group elements (points) to be known prior to the extended differential addition to Generalized Edwards computation of addition of these two elements. Elliptic Curve form in a paper presented at IWSEC Thus ordinary addition chains and improvements 2010. Wu, Tang and Feng (H.Wu et al., 2012) of these chains cannot be directly utilized for proposed differential addition formulae for a new scalar multiplication on Montgomery curves where model of Binary elliptic curves. In this paper, we ’x-coordinate’ only formale are used. A special form try to speed up some of the formulae proposed in of addition chain called Lucas chains is useful in (R.Justus and Loebenberger, 2010) and the affine this context. A Lucas chain is a restricted variant w-Coordinate differential addition proposed in (H.Wu of an addition chain where the indices in et al., 2012). In the remainder of this section, we (1) above are such that either j = k or the difference review some of the Differential addition formulae ak a j is already part of the chain. A special case for Generalized Edwards’ Curves as provided in of− Lucas chains occur when either j = k or a a = (R.Justus and Loebenberger, 2010) and the affine k − j a0 = 1 and these are called binary chains. A good w-Coordinate differential addition formulae for a new reference for Lucas chains is (Montgomery, 1992). model of Binary elliptic curve as provided in (H.Wu

337 SECRYPT 2016 - International Conference on Security and Cryptography

et al., 2012). and the tripling formulae from (R.Justus and Generalized Edwards Curves over a finite field Fp Loebenberger, 2010) for SQO parametrization. are given by (curve parameters c,d F ) ∈ p 2 2 2 2 2 D. SQO Doubling for Generalised Edwards Ec,d : x + y = c (1 + dx y ) Coordinates: n = m It turns out that the differential addition formulae for (Operation count given in (R.Justus and generalized Edwards curves uses y-only coordinates Loebenberger, 2010) is 5S). 2 2 4 2 4 2 2 2 2 instead of x-only coordinates for Montgomery Y2n = ((1 c d)Yn + (1 c )Zn (Yn Zn ) ) curves. Let P = (x ,y ) be a point on E . − − − − 1 1 c,d Z2 = (dc2(Y 2 Z2)2 d(c2 1)Y 4 + (c2d 1)Z4)2 In projective coordinates, P can be written as 2n n − n − − n − n P = (X1,Y1,Z1) and let [n]P = (Xn : Yn : Zn). If c,d = 0, dc4 = 1 and d is not a square in GF(p), the E. SQO Tripling for Generalised Edwards 6 6 sum [n + m]P = [n]P + [m]P, as provided in (R.Justus Coordinates: m = 2n and Loebenberger, 2010) is reproduced below: (Operation count in (R.Justus and Loebenberger, 2010) is 4M + 7S). A. Differential Addition for Generalised Edwards Y 2 = Y 2(c2(3Z4 dY 4)2 Coordinates: m > n 3n n n − n − 4 2 4 2 3 1 2 2 Z (8c Z + (Y (c d + c− ) 2cZ ) (Operation count given by authors in (R.Justus and n n n − n − Loebenberger, 2010) is 6M + 4S). 2 4 2 4 2 c− (c d + 1) Yn )) 2 2 2 2 2 2 2 2 2 2 2 4 4 2 Ym+n = Zm n(Ym(Zn c dYn ) + Zm(Yn c Zn )) Z3n = Zn (c (Zn 3dYn ) + − − − − 4 2 4 2 3 1 2 2 2 2 2 2 2 2 2 2 dY (4c Z (Y (c d + c− ) 2cZ ) + Zm+n = Ym n(dYm(Yn c Zn ) + Zm(Zn c dYn )) n n − n − n − − − 2 4 2 4 4 2 c− ((c d + 1) 12c d)Y )) − n B. Differential Doubling for Generalised Edwards In (H.Wu et al., 2012), the authors propose a new Coordinates: n = m model of Binary Edwards Curve given by (Operation count given by authors in (R.Justus and 2 2 Loebenberger, 2010) is 1M + 4S). St : x y + xy +txy + x + y = 0 2 Y = c2dY 4 + 2Y 2Z2 c2Z4 where (x,y) K and K is a field of characteristic 2n − n n n − n 2. Further,∈ in section 6 of this paper, the authors 4 2 2 2 4 Z2n = dYn 2c dYn Zn + Zn construct differential addition formula for S . We − t In (R.Justus and Loebenberger, 2010), point tripling reproduce the approach and the formulae here. formula are provided as well, which we reproduce w below: F. Affine -coordinate Differential Addition and Doubling for a new model of Binary Edwards C. Tripling for Generalised Edwards Coordinates: Curves proposed in (H.Wu et al., 2012): (Operation count given by authors in (R.Justus and (Operation count for addition and doubling as given I + M + S + M Loebenberger, 2010) is 4M + 7S). in (H.Wu et al., 2012) is 1 2 2 1 c and 1I + 1M + 2S + 1Mc respectively.) Y = Y (c2(3Z4 dY 4)2 Utilizing w-coordinate differential addition that was 3n n n − n − 4 2 4 2 3 1 2 2 initially proposed by Bernstein in (Bernstein et al., Z (8c Z + (Y (c d + c− ) 2cZ ) n n n − n − 2008a), the authors in (H.Wu et al., 2012) propose 2 4 2 4 c− (c d + 1) Yn )) w-coordinate differential addition and doubling for St , Z = Z (c2(Z4 3dY 4)2+ i.e., they present formulae to compute w(P + Q) and 3n n n − n 4 2 4 2 3 1 2 2 w(2P) from w(P), w(Q) and w(Q P). If P = (x,y) is dYn (4c Zn (Yn (c d + c− ) 2cZn ) + − − − a point on St , then the w-function is defined as w(P) = 2 4 2 4 2 4 c− ((c d + 1) 12c d) Yn )) xy. If P = (x ,y ), Q = (x ,y ), Q P = (x ,y ), − 2 2 3 3 − 1 1 2P = (x4,y4) and Q + P = (x5,y5), we write wi = xiyi In (R.Justus and Loebenberger, 2010), an alternate for i = 1,2,3,4,5. Then w2 = w(P), w4 = w(2P), parameterization is provided by the authors, where w5 = w(P + Q), w1 = w(Q P) and w3 = w(Q). only the squares of the points (Y : Z ), (Y : Z ) − m m n n The affine differential addition formulae on St , as and (Ym n : Zm n) are utilized. We call this ”Squares developed and presented in (H.Wu et al., 2012) are Only” or− SQO− parametrization. The authors provide as follows: 4 2 addition, doubling and tripling formulae for this 1 + w t w2w3 w = 2 and w = w + parametrization. Here we reproduce the doubling 4 2 2 5 1 2 2 t w2 w2 + w3

338 Differential Addition in Edwards Coordinates Revisited and a Short Note on Doubling in Twisted Edwards Form

3 ALTERNATE ALGORITHMS the older complexity (1M + 4Mc + 4S) AND NEWER OPERATION CC. Tripling for Generalised Edwards COUNTS Coordinates: The operation count of formula (C) in Section 2 In this section we show that the operation counts in of this paper is 4M + 7S. In addition to this, by formulae (B-F) of Section 2 can be improved. For inspection, one can count 8Mc operations as required clarity in comparison, the subsections that describe to compute the requisite formula. Thus the total and compare our improvements to (B-F) of Section-2 complexity of formula(C) is 4M + 7S + 8Mc are labeled as (BB-FF) respectively. From section 3.1 in (R.Justus and Loebenberger, 2010), we have BB. Differential Doubling for Generalised Edwards Coordinates: y(c2d2y8 6c2dy4 + 4(c4d + 1)y2 3c2) y = − − The operation count of formula (B) in Section 2 is 3 3c2d2y8 + 4d(c4d + 1)y6 6c2dy4 + c2 1M + 4S as the formula can be computed using the − − writing y = Y/Z in projective coordinates, the following algorithm: above formula can be written as 2 2 A Yn ( = Yn ) S 2 2 8 2 4 4 4 2 6 2 8 ← Y3n Yn (c d Yn 6c dYn Zn + 4(c d + 1)Yn Zn 3c Zn ) 2 2 = . − − B Z ( = Z ) S Z Z 3c2d2Y 8 + 4d(c4d + 1)Y 6Z2 6c2dY 4Z4 + c2Z8 ← n n 3n n − n n n − n n n D A B ( = Y 2Z2) M ← ∗ n n Then 2 4 A A ( = Yn ) S 2 2 8 2 4 4 4 2 6 2 8 ← Y3n = Yn[c d Yn 6c dYn Zn + 4(c d + 1)Yn Zn 3c Zn ] 2 4 − − B B ( = Z ) S and ← n Y = c2dA+ ( = c2dY 4+ 2M 2n n c Z = Z [ 3c2d2Y 8 + 4d(c4d + 1)Y 6Z2 6c2dY 4Z4 + c2Z8] − − 3n n − n n n − n n n 2D c2B 2Y 2Z2 c2Z4) − n n − n The above rewritten formulae can now be computed Z = dA 2c2dD + B ( = dY 4 2M 2n − n − c using the algorithm below: 2 2 2 4 2c dYn Zn + Zn ) A Y 2 ( = Y 2) S ← n n Thus the total complexity, if one takes into 2 2 B Zn ( = Zn ) S consideration the cost of multiplication by a constant ← E A2 ( = Y 4) S other than 1 or 2 or 3, is (1M + 4Mc + 4S). The ← n formulae (B) in Section 2 can be rewritten as F B2 ( = Z4) S ← n 2 2 2 2 Y = c2dY 4 + 2Y 2Z2 c2Z4 = 2Y 2Z2 c2(Z4 + dY 4) G (A + B) (=(Yn + Zn ) S 2n − n n n − n n n − n n ← 4 2 2 2 4 2 2 2 4 4 E F Y 4 Z4 = 2Y 2Z2) Z2n = dYn 2c dYn Zn + Zn = c d(2Yn Zn ) + (Zn + dYn ) − − − n − n n n − − 2 4 4 H G ( = 4Yn Zn ) S The rewritten formulae above can be computed ← J E2 ( = Y 8) S using the algorithm below: ← n 2 8 K F ( = Zn ) S A Y 2 ( = Y 2) S ← n n 2 2 2 4 2 8 ← M (G + F) [ = (2Yn Zn + Zn ) Zn S B Z2 ( = Z2) S ← − n n 4 4 2 6 ← K H 4Yn Zn ] = 4Yn Zn E A2 ( = Y 4) S − − − n 2 2 2 4 2 ← N (G + E) [ = (2Yn Zn +Yn ) S F B2 ( = Z4) S ← ← n 8 4 4 6 2 J H Yn 4Yn Zn ] = 4Yn Zn G (A + B)2 ( = 2Y 2Z2) S − − − − ← n n E F − − Finally, 2 2 3 2 2 2 Y = G ( = 2Y 2Z2 2M Y3n Yn[(c d )J ( c d)H +(c d +1)M (3c )K] 2n − n n − c ← − 2 − 2 2 4 4 which costs 1M + 3Mc and c (F + dE) c (Zn + dYn )) Z3n Zn 2 2 2 2 ← 2 2 4 3 2 2 Z2n = ( c d)G+ ( = c d(2Y Z )+ 1Mc [( 3c d )J d(c d +1)N ( c d)H +(c )K] − − n n − − − 2 4 4 2 (F + dE)(Zn + dYn )) which costs 1M + 2Mc. In the above, once (c )K is computed, the cost of computing (3c2)K is Thus the new complexity is 5S + 3Mc. As ignored. The complexity of the new algorithm is 1S < 1M, the new complexity 5S + 3Mc is less than (10S + 2M + 5Mc). If 3S < 2M + 3Mc, then the new

339 SECRYPT 2016 - International Conference on Security and Cryptography

complexity of (10S + 2M + 5Mc) is less than the FF. Affine w-coordinate Differential Addition and older complexity of (7S + 4M + 8Mc). In (Bernstein, Doubling for a new model of Binary Edwards 2006a), 2M = 3S and thus 3S < 2M + 3Mc. Curves proposed in (H.Wu et al., 2012): The operation count of computing w4 in formula (F) DD. SQO Doubling for Generalised Edwards in Section 2 is 1I +1M +1Mc +2S as the formula can Coordinates: be computed using the algorithm below: By inspecting formula(D) in Section 2 and taking into 2 2 2 2 A = w2 ( = w2) 1S consideration that we are provided with X2n and Y2n, 2 4 we can see that the total complexity of the formula(D) B = A ( = w2) 1S is (5S + 5Mc). We can improve upon this. Using the C = t2A ( = t2w2) 1M doubling formula(BB) in this section, we can write 2 c 1 1 2 2 2 2 4 4 2 D = C− = 1I Y n = 2Yn Zn c (Zn + dYn ) 2 2 2 − t w2 2   Z2 =  c2d(2Y 2Z2) + (Z4 +dY 4) 4 2n − n n n n 1 + w2 w4 = (1 + B)D = 1M   t2w2 Given that only squares of the coordinates are  2  stored, the above formula can be computed using the Now w4 can be rewritten as following algorithm: 1 1 2 w4 = + w2 and A (Y 2)2 ( = Y 4) 1S t2 w2 ← n n   2  B (Z2)2 ( = Z4) 1S w can be computed using the following algorithm: ← n n 4 E (Y 2 + Z2)2 A B ( = 2Y 2Z2) 1S 2 2 ← n n − − n n A = w2 ( = w2) 1S Y 2 E ( = 2Y 2Z2 1S + 2M 2n ← − n n c 1 1 2 2 B = = 1I  c2(B + dA) c2(Z4 + dY 4) A w2 − n n  2  2 2 2 2 2 Z2n c dE+ ( = c d(2Yn Zn ) 1S + Mc 1 1 1 2 ← − − w4 = 2 (A + B) = 2 2 + w2 Mc 2 2 4 4 2 t t w  (B + dA) + (Zn + dYn )      2    Thus the complexity of the new doubling The complexity of the new algorithm is algorithm is 1I + 1S + 1Mc resulting in a saving (5S + 3Mc) while the older complexity was of 1M + 1S. The formulae(F) for differential (5S + 5Mc) addition(w5) in the previous section costs 1I + 2M + 2 2S + 1Mc. Considering that w2 is computed both EE. SQO Tripling for Generalised Edwards 2 in the differential addition and doubling steps, w2 Coordinates: can be computed just once. Thus the new total cost By inspecting formula(E) in Section 2, we can see of a differential addition and doubling is 2I + 2M + that the total complexity of formula(E) is (4M + 7S + 2S + 2Mc or 1I + 5M + 2S + 2Mc with Montgomery’s 8Mc). The algorithm used to compute Y3n and Z3n Inversion trick, as compared to the previous total cost in formula(CC) of this section can be adapted to of 1I + 6M + 4S + 2Mc resulting in an overall saving compute the requisite formulae. The first two steps of 1M + 2S. can be omitted as squares are already available and the last two steps can be replaced with

3 2 Y 2 Y 2 (c2d2)J ( c2d)H + (c2d + 1)M (3c2)K 4 DOUBLING IN TWISTED 3n ← n − 2 −  3  2 EDWARDS CURVES Z2 Z2 ( 3c2d2)J d(c4d + 1)N ( c2d)H + (c2)K 3n ← n − − − 2   In this section, we look at the doubling formula The complexity of this algorithm would for Twisted Edwards Curves with a particular be the same as that of formula(CC) which is parameterization and then propose alternate (10S + 2M + 5Mc). We can take 2M = 3S (Bernstein, formulae for the same. Building on the work of 2006a). Thus 3S < (2M + 3Mc) and the new Edwards(Edwards, 2007), the authors in (Bernstein algorithm with complexity (10S + 2M + 5Mc) et al., 2008b) introduced Twisted Edwards Curves, is better than the older one with complexity whose equation is given by (7S + 4M + 8Mc). ax2 + y2 = 1 + dx2y2 (2)

340 Differential Addition in Edwards Coordinates Revisited and a Short Note on Doubling in Twisted Edwards Form

2 where K is a field of odd characteristic a,d K with X2 ((X1 +Y1) D)F ( = (2X1Y1) S + M ad(a d) = 0. Here, we closely follow the treatment∈ ← − − 6 (2Z2 + X2 Y 2)) in (Hisil, 2010), where, amongst others, the formulae 1 1 − 1 Y DE ( = (X2 +Y 2) M for Homogeneous Projective, Inverted and Extended 2 ← 1 1 Homogeneous Projective coordinates are presented. 2 2 (Y1 X1 )) The triplet (X : Y : Z) satisfies the homogeneous − Z EF ( = (Y 2 X2) M projective equation aX2Z2 +Y 2Z2 = Z4 + dX2Y 2. 2 ← 1 − 1 (2Z2 + X2 Y 2)) 1 1 − 1 Homogenous Projective Coordinates: Here the triplet (X : Y : Z) corresponds to the affine Inverted Coordinates: point (X/Z,Y/Z) with Z = 0. If P = (X : Y : Z ) Here the triplet (X : Y : Z) corresponds to the affine 6 1 1 1 then the doubling formula for [2]P = (X : Y : Z ) is point (Z/X,Z/Y) with Z = 0. If the triplet (X1 : 2 2 2 6 as below: (assuming Z2 = 0). Y1 : Z1) satisfies the homogeneous projective equation 6 2 2 2 2 4 2 2 2 2 2 aX Z +Y Z = Z + dX Y and X1Y1Z1 = 0, then X2 = 2X1Y1(2Z1 Y1 aX1 ) 6 − − the doubling formulae for [2]P = (X2 : Y2 : Z2) is as Y = (Y 2 aX2)(Y 2 + aX2) 2 1 − 1 1 1 below: (assuming X2Y2Z2 = 0): 2 2 2 2 2 6 Z2 = (Y + aX )(2Z Y aX ) 1 1 1 − 1 − 1 X = (X2 aY 2)(X2 + aY 2) 2 1 − 1 1 1 Evaluating the above doubling formulae as in 2 2 2 Y2 = 2X1Y1(X1 + aY1 2dZ1 ) (Bernstein et al., 2008b) costs 3M + 4S + 1Mc and is − Z = 2X Y (X2 aY 2) computed using the following algorithm: 2 1 1 1 − 1 B (X +Y )2 ( = X2 +Y 2 + 2X Y ) S ← 1 1 1 1 1 1 Evaluating the above doubling formulae as in C X2 ( = X2) S (Bernstein et al., 2008b) costs 3M + 4S + 2M and is ← 1 1 c D Y 2 ( = Y 2) S computed using the following algorithm: ← 1 1 2 2 2 E aC ( = aX1 ) Mc A X ( = X ) S ← ← 1 1 2 2 2 2 F E + D ( = Y1 + aX1 ) B Y ( = Y ) S ← ← 1 1 2 2 2 H Z1 ( = Z1 ) S U aB ( = aY ) M ← ← 1 c 2 2 2 2 2 J F 2H ( = (2Z1 Y1 aX1 )) C A +U ( = (X + aY )) ← − − − − ← 1 1 X2 (B C D)J ( = (2X1Y1) M 2 2 ← − − − D A U ( = (X1 aY1 )) 2 2 2 ← − − (2Z Y aX )) 2 1 − 1 − 1 E (X1 +Y1) ( = 2X1Y1) S 2 2 ← Y2 F(E D) ( = (Y1 aX1 ) M A B ← − − − − − 2 2 2 2 2 2 (Y1 + aX1 )) X CD ( = (X + aY )(X aY )) M 2 ← 1 1 1 − 1 2 2 2 Z2 FJ ( = (Y1 + aX1 ) M Y E(C (2d)Z ) ( = 2X Y M + M + S ← − 2 ← − 1 1 1 c 2 2 2 2 2 2 (2Z1 Y1 aX1 )) (X + aY 2dZ )) − − 1 1 − 1 Z DE ( = 2X Y (X2 aY 2)) M If a = 1, then the doubling costs 3M + 4S by 2 ← 1 1 1 − 1 replacing the instruction X2 (B C D)J in the above algorithm with X (B← F)J−, as− in (Bernstein 2 ← − If a = 1 then the doubling takes 3M + 4S + 1Mc and T.Lange, 2007a). 2 by computing E as (X1 +Y1) C see (Bernstein and If a = 1, then the doubling again costs 3M + 4S − − T.Lange, 2007b). and can be computed using the following algorithm If a = 1 then the doubling again takes as provided in (Hisil, 2010): − 2 3M + 4S + 1Mc by computing E as (X1 + Y1) D 2 2 − A 2Z1 ( = 2Z1 ) S and replacing U aB, C A +U, D A U with ← C A B D ←A + B ← ← − B Y 2 ( = Y 2) S , as given in (Hisil, 2010). ← 1 1 ← − ← C X2 ( = X2) S ← 1 1 Extended Homogenous Projective Coordinates: 2 2 2 2 D B +C ( = X1 +Y1 ) In this system, each point (x,y) on ax + y = 1 + ← dx2y2 (X Y T E B C ( = Y 2 X2) is represented by the quadruplet : : : ← − 1 − 1 Z) which in turn corresponds to the affine point F A E ( = 2Z2 + X2 Y 2) ← − 1 1 − 1 (X/Z,Y/Z) with the auxiliary coordinate T = XY/Z and Z = 0. If (X : Y : T : Z ) with Z = 0 and 6 1 1 1 1 1 6

341 SECRYPT 2016 - International Conference on Security and Cryptography

2 2 2 2 4 2 2 T1 = X1Y1/Z1 satisfy aX Z + Y Z = Z + dX Y , the coordinate system being used. Below, we first then the doubling formulae for [2](X1,Y1,T1,Z1) = present instructions that are common to all the 3 (X2 : Y2 : T2 : Z2) is as follows (assuming Z2 = 0): coordinate systems considered here and then present 6 instructions that are specific to the coordinate system X = 2X Y (2Z2 Y 2 aX2) 2 1 1 1 − 1 − 1 being used. We note here that for all nonzero c K, Y = (Y 2 aX2)(Y 2 + aX2) (X : Y : Z) = (cX : cY : cZ). ∈ 2 1 − 1 1 1 T = 2X Y (Y 2 aX2) 2 1 1 1 − 1 Instructions Common to all 3 Coordinate Systems: Z = (Y 2 + aX2)(2Z2 Y 2 aX2) 2 1 1 1 − 1 − 1 A (X +Y )2 ( = X2 +Y 2 + 2X Y ) S ← 1 1 1 1 1 1 2 2 2 Evaluating the above doubling formulae as in B (X1 Y1) ( = X +Y 2X1Y1) S ← − 1 1 − (Hisil, 2010) costs 4M + 4S + 1Mc and is computed C A + B ( = 2(X2 +Y 2)) ← 1 1 using the following algorithm: D A B ( = 4X Y ) ← − 1 1 A X2 ( = X2) S E (Z + Z )2 ( = 4Z2) S ← 1 1 ← 1 1 1 B Y 2 ( = Y 2) S F (X + X )2 ( = 4X2) S ← 1 1 ← 1 1 1 C 2Z2 ( = 2Z2) S G C F ( = 2(Y 2 X2)) ← 1 1 ← − 1 − 1 D aA ( = aX2) M ← 1 c Instructions Specific to Homogenous Projective E B + D ( = Y 2 + aX2) Coordinates: ← 1 1 F B D ( = Y 2 aX2) Y CG ( = 4(Y 2 + X2)(Y 2 X2)) M ← − 1 − 1 2 ← 1 1 1 − 1 G C E ( = 2Z2 (Y 2 + aX2)) if a = +1 ← − 1 − 1 1 2 2 2 2 H (X +Y ) ( = 2X Y ) S X2 D(E C) ( = (4X1Y1)(4Z1 2(X1 +Y1 ))) M ← 1 1 1 1 ← − − A B Z C(E C) ( = 2(X2 +Y 2) M − − 2 ← − 1 1 X2 GH ( = (2X1Y1) M (4Z2 2(X2 +Y 2))) ← 1 − 1 1 (2Z2 Y 2 aX2)) if a = 1 1 − 1 − 1 − 2 2 2 2 2 Y2 EF ( = (Y aX ) M X D(E G) ( = (4X Y )(4Z 2(Y X ))) M ← 1 − 1 2 ← − 1 1 1 − 1 − 1 (Y 2 + aX2)) Z G(E G) ( = (2(Y 2 X2))) M 1 1 2 ← − 1 − 1 2 2 2 2 2 T2 FH ( = 2X1Y1(Y aX )) M (4Z 2(Y X )) ← 1 − 1 1 − 1 − 1 Z EG ( = (Y 2 + aX2) M 2 ← 1 1 Instructions Specific to Inverted Coordinates: 2 2 2 (2Z1 Y1 aX1 )) 2 2 2 2 − − X2 CG ( = 4(Y + X )(Y X )) M ← 1 1 1 − 1 If a = 1 then the doubling costs 4M + 4S if a = +1 and can be computed by first removing D aA Y D(dE C) ( = (4X Y )(4dZ2 2(X2 +Y 2)) M ← 2 ← − 1 1 1 − 1 1 and then replacing E B + D, F B D, Z DG ( = ( X Y )( (Y 2 X2))) M 2 ← ← − 2 4 1 1 2 1 1 H (X1 +Y1) A B with E B+A, F B A, ← − ← 2 − − ← ← − if a = 1 H (X1 +Y1) E, respectively. − ← − Y D(dE + G) ( = (4X Y )(4dZ2 + 2(Y 2 X2))) M If a = 1 then the doubling costs 4M + 4S and 2 ← 1 1 1 1 − 1 − 2 2 can be computed by first removing D aA Z2 DC ( = ( 4X1Y1)(2(X1 +Y1 ))) M and then replacing E B + D, F B← D, ← − − 2 ← ← − H (X1 +Y1) A B with E B A, F B+A, Instructions Specific to Extended Homogenous H ← (X +Y )2 − F−, respectively.← − ← Projective Coordinates: ← 1 1 − Y CG ( = 4(X2 +Y 2)(Y 2 X2)) M 2 ← 1 1 1 − 1 New Alternate Algorithm to Compute Doubling if a = +1 Formulae for Homogeneous Projective, Inverted X D(E C) ( = (4X Y )(4Z2 2(X2 +Y 2))) M and Extended Homogeneous Projective 2 ← − 1 1 1 − 1 1 2 2 Coordinates (a = 1 or a = 1): T2 DG ( = (4X1Y1)(2(Y X ))) M − ← 1 − 1 Here we provide an alternate algorithm to compute 2 2 Z2 C(E C) ( = (2(X +Y )) M a doubling on Twisted Edwards Curves. It is ← − 1 1 (4Z2 2(X2 +Y 2))) possible to collect instructions that are common to 1 − 1 1 if a = 1 all the 3 computations, compute them separately − and then perform computations that are specific to

342 Differential Addition in Edwards Coordinates Revisited and a Short Note on Doubling in Twisted Edwards Form

2 2 2 X2 D(E G) ( = (4X1Y1)(4Z 2(Y X )))M Bernstein, D. and Lange, T. (2007). Explicit Forms ← − 1 − 1 − 1 T DC ( = (4X Y )(2(X2 +Y 2))) M Database(EFD). Technical report, http://hyperellip 2 ← 1 1 1 1 tic.org/EFD/ accessed on 30th Nov 2015. Z G(E G) ( = (2(Y 2 X2)) M 2 ← − 1 − 1 Bernstein, D., Lange, T., and Farashahi, T. (2008a). Binary (4Z2 2(Y 2 X2))) Edwards Curves. In Cryptographic Hardware and 1 − 1 − 1 Embedded Systems - CHES 2008, LNCS 5154. The cost of the new algorithm presented here Bernstein, D., P.Birkner, M.Joye, T.Lange, and C.Peters is the same as that of the currently known best (2008b). Twisted Edwards Curves. In AFRICACRYPT algorithms in the literature due to Bernstein and 2008, LNCS 5023. Hisil depicted above (i.e., 3M + 4S operations each Bernstein, D. and T.Lange (2007a). Faster addition and for Homogeneous Projective and Inverted coordinates doubling on Elliptic curves. In ASIACRYPT 2007, LNCS 4833. and 4S + 4M operations for Extended Homogeneous Projective coordinates when the curve parameter a = Bernstein, D. and T.Lange (2007b). Inverted Edwards coordinates. In Applied Algebra, Algebraic 1 or 1). However, in the new algorithm, the − Algorithms and Error-Correcting Codes, AAECC-17, non-coordinate specific instructions can be separated LNCS 4851. from the coordinate specific instructions as shown D.Knuth (1998). The Art of Computer Programming Vol 2. above(variables A...G are common to all coordinate Pearson Education. forms) and further within each coordinate system, E.Brier and M.Joye (2002). Weierstrass Elliptic Curves and one instruction is independent of whether a = 1 or side channel attacks. In Public Key Cryptography - 1. Thus the new algorithm’s footprint may be PKC 2002, LNCS 2274. lower− than the sum of the footprints of currently Edwards, H. (2007). A normal form for elliptic curves. known algorithms for the three coordinate systems Bulletin of the AMS, 44(3):393422. under consideration. Thus the new algorithm may Hisil, H. (2010). Elliptic Curves,Group Law, and Efficient be an attractive alternative when the implementation Computation. PhD thesis, Queensland University of is intended to work across the three coordinate Technology. systems, namely Homogeneous Projective, Inverted H.Wu, C.Tang, and R.Feng (2012). A new model of Binary Elliptic Curves. In INDOCRYPT 2012, LNCS 7668. and Extended Homogeneous Projective Coordinates. J.Lopez and R.Dahab (1999). Fast multiplication on Elliptic Curves over GF(2m) without precomputation. In Cryptographic Hardware and Embedded Systems - 5 CONCLUSION CHES 1999, LNCS 1717. M.Joye and S.Yen (2002). The Montgomery Powering In this paper, we improved the arithmetic for Ladder. In Cryptographic Hardware and Embedded differential addition on Generalized Edwards curves. Systems - CHES 2002, LNCS 2523. We also improved the w-coordinate formulae for a Montgomery, P. L. (1992). Evaluating recurrences of form Xm+n = f (Xm,Xn,Xm n) via Lucas chains. Technical new model of elliptic curve proposed by Wu, Tang report, ftp://ftp.cwi.nl/pub/pmontgom/Lucas.ps.gz− and Feng. We also provided a new algorithm for point accessed on 30th Nov 2015. doubling on Twisted Edwards Curves with a lower P.L.Montgomery (1987). Speeding the Pollard and Elliptic foot print for implementation. Curve methods of Factorization. In Mathematics of Computation Vol 48, Issue 177 Jan 1987. R.Justus and Loebenberger, D. (2010). Differential Addition in Generalized Edwards Coordinates. In 5th ACKNOWLEDGEMENTS International Workshop on Security - IWSEC 2010,, LNCS 6434. The author would like to sincerely thank the anonymous reviewers of SECRYPT 2016 for their extremely useful comments and suggestions.

REFERENCES

Bernstein, D. (2006a). : New Diffie-Hellman speed records. In Public Key Cryptography - PKC 2006, LNCS 3958. Bernstein, D. (2006b). Differential Addition Chains. Technical report, http://cr.yp.to/ecdh/diffchain-2006 0219.pdf accessed on 30th Nov 2015.

343