Twisted Edwards Curves


Daniel J. Bernstein¹, Peter Birkner², Marc Joye³, Tanja Lange², and Christiane Peters²

¹ Department of Mathematics, Statistics, and Computer Science (M/C 249), University of Illinois at Chicago, Chicago, IL 60607–7045, USA
[email protected]
² Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, P.O. Box 513, 5600 MB Eindhoven, Netherlands
[email protected], [email protected], [email protected]
³ Thomson R&D France, Technology Group, Corporate Research, Security Laboratory, 1 avenue de Belle Fontaine, 35576 Cesson-Sévigné Cedex, France
[email protected]

Abstract. This paper introduces “twisted Edwards curves,” a generalization of the recently introduced Edwards curves; shows that twisted Edwards curves include more curves over finite fields, and in particular every elliptic curve in Montgomery form; shows how to cover even more curves via isogenies; presents fast explicit formulas for twisted Edwards curves in projective and inverted coordinates; and shows that twisted Edwards curves save time for many curves that were already expressible as Edwards curves.

Keywords: Elliptic curves, Edwards curves, twisted Edwards curves, Montgomery curves, isogenies.

1 Introduction

Edwards in [13], generalizing an example from Euler and Gauss, introduced an addition law for the curves $x^2 + y^2 = c^2(1 + x^2y^2)$ over a non-binary field k. Edwards showed that every elliptic curve over k can be expressed in the form $x^2 + y^2 = c^2(1 + x^2y^2)$ if k is algebraically closed. However, over a finite field, only a small fraction of elliptic curves can be expressed in this form.

Bernstein and Lange in [4] presented fast explicit formulas for addition and doubling in coordinates (X : Y : Z) representing (x, y) = (X/Z, Y/Z) on an Edwards curve, and showed that these explicit formulas save time in elliptic-curve cryptography. Bernstein and Lange also generalized the addition law to the curves $x^2 + y^2 = c^2(1 + dx^2y^2)$.
This shape covers considerably more elliptic curves over a finite field than $x^2 + y^2 = c^2(1 + x^2y^2)$. All curves in the generalized form are isomorphic to curves $x^2 + y^2 = 1 + dx^2y^2$.

* Permanent ID of this document: c798703ae3ecfdc375112f19dd0787e4. Date of this document: 2008.03.13. This work has been supported in part by the European Commission through the IST Programme under Contract IST–2002–507932 ECRYPT, and in part by the National Science Foundation under grant ITR–0716498. Part of this work was carried out during a visit to INRIA Lorraine (LORIA).

In this paper, we further generalize the Edwards addition law to cover all curves $ax^2 + y^2 = 1 + dx^2y^2$. Our explicit formulas for addition and doubling are almost as fast in the general case as they are for the special case a = 1. We show that our generalization brings the speed of the Edwards addition law to every Montgomery curve; we also show that, over prime fields $\mathbb{F}_p$ where p ≡ 1 (mod 4), many Montgomery curves are not covered by the special case a = 1. We further explain how to use isogenies to cover the odd part of every curve whose group order is a multiple of 4; over prime fields $\mathbb{F}_p$ where p ≡ 3 (mod 4), the special case a = 1 covers all Montgomery curves but does not cover all curves whose group order is a multiple of 4.

Our generalization is also of interest for many curves that were already expressible in Edwards form; we explain how the twisting can save time in arithmetic. See [2] for a successful application of twisted Edwards curves to the elliptic-curve method of factorization.

Section 2 reviews Edwards curves, introduces twisted Edwards curves, and shows that each twisted Edwards curve is (as the name would suggest) a twist of an Edwards curve. Section 3 shows that every Montgomery curve can be expressed as a twisted Edwards curve, and vice versa.
Section 4 reports the percentages of elliptic curves (over various prime fields) that can be expressed as Edwards curves, twisted Edwards curves, “4 times odd” twisted Edwards curves, etc. Section 5 uses isogenies to cover even more curves: specifically, it shows that every curve with group order a multiple of 4 and with no point of order 4 is 2-isogenous to a twisted Edwards curve. Section 6 generalizes the Edwards addition law, the explicit formulas from [4], and the “inverted” formulas from [5] to handle twisted Edwards curves. Section 7 analyzes the benefits of the generalization for cryptographic applications.

2 Edwards Curves and Twisted Edwards Curves

In this section we briefly review Edwards curves and the Edwards addition law at the level of generality of [4]. We then introduce twisted Edwards curves and discuss their relationship to Edwards curves.

Review of Edwards Curves. Throughout the paper we consider elliptic curves over a non-binary field k, i.e., a field k whose characteristic char(k) is not 2. An Edwards curve over k is a curve $E : x^2 + y^2 = 1 + dx^2y^2$ where $d \in k \setminus \{0, 1\}$. The sum of two points $(x_1, y_1)$, $(x_2, y_2)$ on this Edwards curve E is

$$(x_1, y_1) + (x_2, y_2) = \left( \frac{x_1y_2 + y_1x_2}{1 + dx_1x_2y_1y_2}, \frac{y_1y_2 - x_1x_2}{1 - dx_1x_2y_1y_2} \right).$$

The point (0, 1) is the neutral element of the addition law. The point (0, −1) has order 2. The points (1, 0) and (−1, 0) have order 4. The inverse of a point $(x_1, y_1)$ on E is $(-x_1, y_1)$. The addition law is strongly unified: i.e., it can also be used to double a point. The addition law also works for the neutral element and for inverses. If d is a nonsquare in k then, as proven in [4, Theorem 3.3], this addition law is complete: it works for all pairs of inputs.

Twisted Edwards Curves. The existence of points of order 4 restricts the number of elliptic curves in Edwards form over k. We embed the set of Edwards curves in a larger set of elliptic curves of a similar shape by introducing twisted Edwards curves.
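The Edwards addition law and its completeness condition from the review above, as an added example that is not code from the paper. The field $\mathbb{F}_{13}$ and the coefficients d = 2 (a nonsquare) and d = 3 (a square) are constructed values chosen so that every pair of points can be checked exhaustively.

```python
# Added example (not from the paper): Edwards addition law over F_13.
P = 13  # constructed small prime field, char(k) != 2

def is_square(n, p=P):
    """Euler's criterion; 0 counts as a square."""
    n %= p
    return n == 0 or pow(n, (p - 1) // 2, p) == 1

def on_curve(pt, d, p=P):
    x, y = pt
    return (x*x + y*y - 1 - d*x*x*y*y) % p == 0

def points(d, p=P):
    return [(x, y) for x in range(p) for y in range(p) if on_curve((x, y), d, p)]

def add(p1, p2, d, p=P):
    """Edwards addition law; also doubles, since the law is strongly unified."""
    (x1, y1), (x2, y2) = p1, p2
    t = d * x1 * x2 * y1 * y2 % p
    den_x, den_y = (1 + t) % p, (1 - t) % p
    if den_x == 0 or den_y == 0:
        raise ZeroDivisionError("addition law undefined for this pair")
    x3 = (x1*y2 + y1*x2) * pow(den_x, -1, p) % p
    y3 = (y1*y2 - x1*x2) * pow(den_y, -1, p) % p
    return (x3, y3)

def exceptional_pairs(d, p=P):
    """Pairs of affine curve points where a denominator vanishes."""
    pts, bad = points(d, p), []
    for a in pts:
        for b in pts:
            try:
                add(a, b, d, p)
            except ZeroDivisionError:
                bad.append((a, b))
    return bad

if __name__ == "__main__":
    for d in (2, 3):  # 2 is a nonsquare mod 13, 3 = 4^2 is a square
        print(d, is_square(d), len(points(d)), len(exceptional_pairs(d)))
```

With the nonsquare d the law never hits a zero denominator; with the square d some pairs of affine points, such as doubling (4, 6), have no affine sum, which is the case an implementation relying on completeness must rule out when choosing d.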
Definition 2.1 (Twisted Edwards curve). Fix a field k with char(k) ≠ 2. Fix distinct nonzero elements a, d ∈ k. The twisted Edwards curve with coefficients a and d is the curve

$$E_{E,a,d} : ax^2 + y^2 = 1 + dx^2y^2.$$

An Edwards curve is a twisted Edwards curve with a = 1.

In Section 3 we will show that every twisted Edwards curve is birationally equivalent to an elliptic curve in Montgomery form, and vice versa. The elliptic curve has j-invariant $16(a^2 + 14ad + d^2)^3 / ad(a - d)^4$.

Twisted Edwards Curves as Twists of Edwards Curves. The twisted Edwards curve $E_{E,a,d} : ax^2 + y^2 = 1 + dx^2y^2$ is a quadratic twist of the Edwards curve $E_{E,1,d/a} : \bar{x}^2 + \bar{y}^2 = 1 + (d/a)\bar{x}^2\bar{y}^2$. The map $(\bar{x}, \bar{y}) \mapsto (x, y) = (\bar{x}/\sqrt{a}, \bar{y})$ is an isomorphism from $E_{E,1,d/a}$ to $E_{E,a,d}$ over $k(\sqrt{a})$. If a is a square in k then $E_{E,a,d}$ is isomorphic to $E_{E,1,d/a}$ over k.

More generally, $E_{E,a,d}$ is a quadratic twist of $E_{E,\bar{a},\bar{d}}$ for any $\bar{a}, \bar{d}$ satisfying $\bar{d}/\bar{a} = d/a$. Conversely, every quadratic twist of a twisted Edwards curve is isomorphic to a twisted Edwards curve; i.e., the set of twisted Edwards curves is invariant under quadratic twists.

Furthermore, the twisted Edwards curve $E_{E,a,d} : ax^2 + y^2 = 1 + dx^2y^2$ is a quadratic twist of (actually is birationally equivalent to) the twisted Edwards curve $E_{E,d,a} : d\bar{x}^2 + \bar{y}^2 = 1 + a\bar{x}^2\bar{y}^2$. The map $(\bar{x}, \bar{y}) \mapsto (x, y) = (\bar{x}, 1/\bar{y})$ is a birational equivalence from $E_{E,d,a}$ to $E_{E,a,d}$. More generally, $E_{E,a,d}$ is a quadratic twist of $E_{E,\bar{a},\bar{d}}$ for any $\bar{a}, \bar{d}$ satisfying $\bar{d}/\bar{a} = a/d$. This generalizes the known fact, used in [4, proof of Theorem 2.1], that $E_{E,1,d}$ is a quadratic twist of $E_{E,1,1/d}$.

3 Montgomery Curves and Twisted Edwards Curves

Let k be a field with char(k) ≠ 2. In this section we show that the set of Montgomery curves over k is equivalent to the set of twisted Edwards curves over k. We also analyze the extent to which this is true without twists.
Standard algorithms for transforming a Weierstrass curve into a Montgomery curve if possible (see, e.g., [11, Section 13.2.3.c]) can be combined with our explicit transformation from a Montgomery curve to a twisted Edwards curve.

Definition 3.1 (Montgomery curve). Fix a field k with char(k) ≠ 2. Fix $A \in k \setminus \{-2, 2\}$ and $B \in k \setminus \{0\}$. The Montgomery curve with coefficients A and B is the curve

$$E_{M,A,B} : Bv^2 = u^3 + Au^2 + u.$$

Theorem 3.2. Fix a field k with char(k) ≠ 2.

(i) Every twisted Edwards curve over k is birationally equivalent over k to a Montgomery curve. Specifically, fix distinct nonzero elements a, d ∈ k. The twisted Edwards curve $E_{E,a,d}$ is birationally equivalent to the Montgomery curve $E_{M,A,B}$, where A = 2(a + d)/(a − d) and B = 4/(a − d). The map $(x, y) \mapsto (u, v) = ((1 + y)/(1 - y), (1 + y)/((1 - y)x))$ is a birational equivalence from $E_{E,a,d}$ to $E_{M,A,B}$, with inverse $(u, v) \mapsto (x, y) = (u/v, (u - 1)/(u + 1))$.
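The coefficient formulas and the two maps of Theorem 3.2(i), checked point by point, as an added example that is not code from the paper. The field $\mathbb{F}_{13}$ and the coefficient pairs passed to `check_equivalence` are constructed values; the function names are this example's own.

```python
# Added example (not from the paper): Theorem 3.2(i) checked over F_13.
P = 13  # constructed small prime field, char(k) != 2

def inv(n, p=P):
    return pow(n % p, -1, p)

def to_montgomery_coeffs(a, d, p=P):
    """A = 2(a+d)/(a-d), B = 4/(a-d) for distinct nonzero a, d."""
    if a % p == 0 or d % p == 0 or (a - d) % p == 0:
        raise ValueError("a and d must be distinct and nonzero")
    k = inv(a - d, p)
    return 2 * (a + d) * k % p, 4 * k % p

def on_twisted_edwards(pt, a, d, p=P):
    x, y = pt
    return (a*x*x + y*y - 1 - d*x*x*y*y) % p == 0

def on_montgomery(pt, A, B, p=P):
    u, v = pt
    return (B*v*v - (u**3 + A*u*u + u)) % p == 0

def edwards_to_montgomery(pt, p=P):
    x, y = pt
    if x % p == 0 or (1 - y) % p == 0:
        return None  # the map is undefined at (0, 1) and (0, -1)
    u = (1 + y) * inv(1 - y, p) % p
    return (u, u * inv(x, p) % p)  # v = (1+y)/((1-y)x) = u/x

def montgomery_to_edwards(pt, p=P):
    u, v = pt
    if v % p == 0 or (u + 1) % p == 0:
        return None  # the inverse map is undefined here
    return (u * inv(v, p) % p, (u - 1) * inv(u + 1, p) % p)

def check_equivalence(a, d, p=P):
    """Return (points mapped and round-tripped, points where the map is undefined)."""
    A, B = to_montgomery_coeffs(a, d, p)
    mapped = undefined = 0
    for x in range(p):
        for y in range(p):
            if not on_twisted_edwards((x, y), a, d, p):
                continue
            m = edwards_to_montgomery((x, y), p)
            if m is None:
                undefined += 1
                continue
            assert on_montgomery(m, A, B, p)
            assert montgomery_to_edwards(m, p) == (x, y)
            mapped += 1
    return mapped, undefined
```

The two affine points where the map is undefined, (0, 1) and (0, −1), are why the theorem states a birational equivalence rather than an isomorphism of affine curves; code converting points between the two forms has to handle them separately.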
