Edwards Curves

Christiane Peters

Technische Universiteit Eindhoven

S´eminaire de Cryptographie Rennes June 20, 2008 1. Elliptic curves in Edwards form

2. Addition law

3. Fast explicit formulas

4. Twisted Edwards Curves

–p.2 Addition on a clock

2 2 Unit circle x + y = 1. y Let xi = sin(αi), yi = cos(αi). O neutral = (0, 1) • x3 = sin(α1 + α2) P1 = (x1,y1) α1 ÑÑ• = sin(α1) cos(α2) + cos(α1) sin(α2) ÑÑ Ñ iii• P2 = (x2,y2) PiÑÑiii y3 = cos(α1 + α2) PPP / x PPP = cos(α1)cos(α2) − sin(α1) sin(α2) • P3 = (x3,y3)

Addition of angles defines commutative group law (x1,y1) + (x2,y2) = (x3,y3), where

x3 = x1y2 + y1x2 and y3 = y1y2 − x1x2.

Fast but not elliptic; low security.

–p.3 Elliptic curve in Edwards form over a non-binary field k

y O neutral = (0, 1) • 2 2 2 2 x + y =1+ dx y , P1 = (x1,y1) • P = (x ,y ) where d ∈ k \ {0, 1}. f [ fffff• 2 2 2 [[[[[[• / x P3 = (x3,y3)

We add two points (x1,y1), (x2,y2) on E according to the Edwards addition law

x1y2 + x2y1 y1y2 − x1x2 (x1,y1), (x2,y2) 7→ , . 1+ dx1x2y1y2 1 − dx1x2y1y2 

–p.4 Elliptic?

Short answer: Projective coordinates (X2 + Y 2)Z2 = Z4 + dX2Y 2 imply at first glance two singular points at infinity: (1 : 0 : 0), (0 : 1 : 0).

Blow up yields two points of order 2 and two points of order 4.

Easy way to see is approach from curves in Montgomery form.

–p.5 1. Elliptic curves in Edwards form

2. Addition law

3. Fast explicit formulas

4. Twisted Edwards Curves

–p.6 Addition on Edwards curves

x1y2 + y1x2 y1y2 − x1x2 (x1,y1) + (x2,y2)= ,  1+ dx1x2y1y2 1 − dx1x2y1y2 

The point (0, 1) is the neutral element of the addition law and

the negative of P = (x1,y1) is −P = (−x1,y1).

If d is a non-square in k the addition law is complete.

The addition law is strongly unified, i.e., it can be also used for doublings.

–p.7 Complete? – (1)

x1y2 + y1x2 y1y2 − x1x2 (x1,y1) + (x2,y2)= , 1+ dx1x2y1y2 1 − dx1x2y1y2  Can the denominators be 0? Claim: They are never 0 if d is not a square in k.

Proof : Let (x1,y1) and (x2,y2) be on the curve, i.e., 2 2 2 2 xi + yi =1+ dxi yi . Write ε = dx1x2y1y2 and suppose ε ∈ {−1, 1}. Then x1,x2,y1,y2 6= 0 and 2 2 2 2 2 2 2 2 dx1y1(x2 + y2) = dx1y1(1 + dx2y2) 2 2 2 2 2 2 2 = dx1y1 + d x1y1x2y2 2 2 2 = dx1y1 + ε 2 2 = 1+ dx1y1 //(ε = ±1) 2 2 = x1 + y1

–p.8 Complete? – (2)

Show: ε = dx1x2y1y2 = ±1 implies d is a square.

x1y2 + y1x2 y1y2 − x1x2 (x1,y1) + (x2,y2)= , 1+ dx1x2y1y2 1 − dx1x2y1y2 

2 2 2 2 2 2 We have dx1y1(x2 + y2)= x1 + y1. Proof (continued): It follows that

2 2 2 (x1 + εy1) = x1 + y1 + 2εx1y1 2 2 2 2 = dx1y1(x2 + y2) + 2x1y1dx1x2y1y2 2 2 2 2 2 2 2 = dx1y1(x2 + 2x2y2 + y2)= dx1y1(x2 + y2)

2 x2 + y2 6= 0 ⇒ d = ((x1 + εy1)/x1y1(x2 + y2)) ⇒ d =  2 x2 − y2 6= 0 ⇒ d = ((x1 − εy1)/x1y1(x2 − y2)) ⇒ d =  If x2 + y2 = 0 and x2 − y2 = 0, then x2 = y2 = 0, contradiction.

–p.9 1. Elliptic curves in Edwards form

2. Addition law

3. Fast explicit formulas

4. Twisted Edwards Curves

–p.10 Inversion-free addition

Consider the homogenized Edwards equation

E : (X2 + Y 2)Z2 = Z4 + dX2Y 2

A point (X1 : Y1 : Z1) with Z1 6= 0 on E corresponds to the affine point (X1/Z1,Y1/Z1).

2 A = Z1 · Z2; B = A ; C = X1 · X2; D = Y1 · Y2;

E = (X1 + Y1) · (X2 + Y2) − C − D; F = d · C · D;

XP +Q = A · E · (B − F );

YP +Q = A · (D − C) · (B + F );

ZP +Q = (B − F ) · (B + F ).

Costs 10M+1S+1D (mixed ADD needs 9M+1S+1D).

–p.11 Explicit fast doubling and tripling formulas

(Non-unified) Doubling of a point (x1,y1) on x2 + y2 =1+ dx2y2:

2 2 2x1y1 y1 − x1 [2](x1,y1) = 2 2 , 2 2 1+ dx1y1 1 − dx1y1  2 2 2x1y1 y1 − x1 = 2 2 , 2 2 . x1 + y1 2 − (x1 + y1) Inversion-free version needs 3M + 4S.

Tripling:

[3](x1,y1)= 2 2 2 2 2 2 2 2 ((x1 + y1) − (2y1) ) ((x1 + y1) − (2x1) ) 2 2 2 2 2 x1, 2 2 2 2 2 y1 . 4(x1 − 1)x1 − (x1 − y1) −4(y1 − 1)y1 + (x1 − y1)  Inversion-free explicit formulas cost 9M + 4S.

–p.12 Inverted Edwards

A point (X1 : Y1 : Z1) with X1Y1Z1 6= 0 on

(X2 + Y 2)Z2 = X2Y 2 + dZ4

corresponds to (Z1/X1, Z1/Y1) on the Edwards curve x2 + y2 =1+ dx2y2.

Costs: 9M + 1S for ADD, 8M + 1S for mixed ADD, 3M + 4S for DBL and 9M + 4S for TRI.

–p.13 1. Elliptic curves in Edwards form

2. Addition law

3. Fast explicit formulas

4. Twisted Edwards Curves

–p.14 What about Montgomery form?

So far fastest ECC methods use curves in Montgomery form Bv2 = u3 + Au2 + u.

Differential addition formulas for computing nP use 5M + 4S + 1A for each bit of n.

Setting 1S = 0.8 M: Edwards faster than Montgomery curves when using scalars with more than 160 bits.

nP + n′P ′ is hard to compute for n 6= n′ and P 6= P ′. Big advantage for Edwards.

–p.15 Counting elliptic curves over Fp if p ≡ 1 (mod 4)

≈ 2p elliptic curves. ≈ 5p/6 curves with order ∈ 4Z. ≈ 5p/6 Montgomery curves. ≈ 2p/3 Edwards curves. ≈ p/2 complete Edwards curves. ≈ p/24 original Edwards curves.

(more detailed description and more experiments in Bernstein, Birkner, Joye, Lange, P.: Twisted Edwards Curves in AFRICACRYPT ’08)

–p.16 Counting elliptic curves over Fp if p ≡ 3 (mod 4)

≈ 2p elliptic curves. ≈ 5p/6 curves with order ∈ 4Z. ≈ 3p/4 Montgomery curves. ≈ 3p/4 Edwards curves. ≈ p/2 complete Edwards curves. ≈ p/4 original Edwards curves.

Can we achieve Edwards-like speeds for more curves?

–p.17 Twisted curves

Points of order 4 restrict the number of elliptic curves in Edwards form over k.

Define twisted Edwards curves

ax2 + y2 =1+ dx2y2,

with a, d 6= 0 and a 6= d.

Every Edwards curve is a twisted Edwards curve (a = 1).

–p.18 Why“twisted”?

E′ :x ¯2 +y ¯2 =1+(d/a)¯x2y¯2 over k with a = α2 for some α ∈ k is isomorphic to E : ax2 + y2 =1+ dx2y2 by x =x/α ¯ and y =y ¯.

In general: E′ and E are quadratic twists of each other, i.e., isomorphic over a quadratic extension of k. We have E′ :a ¯x¯2 +y ¯2 =1+ d¯x¯2y¯2 and E : ax2 + y2 =1+ dx2y2 are quadratic twists if ad¯=ad ¯ .

–p.19 Convert Edwards curves into twisted form

Get rid of huge denominators mod large primes p: E.g. Given x2 + y2 =1+ dx2y2 with d = n/m. Assume m “small”. Then m−1 mod p is almost as big as p!

2 3 2 Bernstein’s Curve25519: v = u + 486662u + u over Fp where p = 2255 − 19. Bernstein/Lange: Curve25519 is birationally equivalent to x2 + y2 = 1 + (121665/121666)x2 y2. But 121665/121666 ≡ 20800338683988658368647408995589388737092878452977063003340006470870624536394 mod p. Write curve as 121666 x2 + y2 = 1 + 121665 x2y2.

–p.20 Addition on twisted Edwards curves

x1y2 + y1x2 y1y2 − ax1x2 (x1,y1) + (x2,y2)= , . 1+ dx1x2y1y2 1 − dx1x2y1y2 

Costs for inversion-free formulas: 10M + 1S + 1A + 1D for ADD, 3M + 4S + 1A for DBL. Speed in inverted coordinates: 9M + 1S + 1A + 1D for ADD, 3M + 4S + 1A + 1D for DBL.

–p.21 Birational equivalence

The Montgomery curve Bv2 = u3 + Au2 + u is birationally 2 2 2 2 equivalent to an Edwards curve Ea,d : ax + y =1+ dx y where a = (A + 2)/B and d = (A − 2)/B.

(u, v) 7→ (x,y) = (u/v, (u − 1)/(u + 1)).

inverse map (x,y) 7→ ((1 + y)/(1 − y), (1 + y)/((1 − y)x)). (B = 4/(a − d) and A = 2(a + d)/(a − d).)

–p.22 Exceptional points

Birational maps (u, v) 7→ (x,y) = (u/v, (u − 1)/(u + 1)). Exceptional points satisfy v(u + 1) = 0.

(0, 0) ∈ EM corresponds to (0, −1).

If EM (k) contains two more points of order 2, they are mapped to two points of order 2 at infinity of the desingularization of E.

If d = δ2 in k: The point with u = −1 corresponds to points (−1, ±δ) which have order 4. They correspond to two points of order 4 at infinity of the desingularization of E.

–p.23 Twisted Edwards speed for curves having group order ∈ 4Z

Not every curve with group order ∈ 4Z can be written as a Montgomery curve.

That’s the case iff p ≡ 3 mod 4 and the curve has 2-torsion Z/2 × Z/2.

Write curve as v2 = u3 − (a + d)u2 + (ad)u.

This curve is 2-isogenous to ax2 + y2 =1+ dx2y2:

(u, v) 7→ (2v/(ad − u2), (v2 − (a − d)u2)/(v2 + (a − d)u2).

–p.24 Make use of fast arithmetic on twisted Edwards curves

Given n,m ∈ Z and two points P , Q on the Montgomery curve EM and a 2-isogeny ψ to a twisted Edwards curve Ea,d.

P,Q7→[2n]P +[2m]Q EM × EM / EM O

ψ×ψ ψˆ

 Ea,d × Ea,d / Ea,d P,˜ Q˜7→[n]P˜+[m]Q˜

–p.25 Benefits of twisted Edwards curves

Fast addition formulas for a greater range of elliptic curves.

Some Edwards curves are sped up by twists.

All Montgomery curves can be written as twisted Edwards curves.

Can use isogenies to achieve similar speeds for all curves where 4 divides group order.

–p.26 Merci beaucoup!

–p.27