christiane peters
TRANSCRIPT
Edwards Curves
Christiane Peters
Technische Universiteit Eindhoven
Seminaire de Cryptographie
Rennes
June 20, 2008
1. Elliptic curves in Edwards form
2. Addition law
3. Fast explicit formulas
4. Twisted Edwards Curves
–p.2
Addition on a clock
Unit circle x2 + y2 = 1.
Let xi = sin(αi), yi = cos(αi).
x3 = sin(α1 + α2)
= sin(α1) cos(α2) + cos(α1) sin(α2)
y3 = cos(α1 + α2)
= cos(α1) cos(α2) − sin(α1) sin(α2)
y
x
OO
//
neutral = (0, 1)• P1 = (x1, y1)•�
��
��
��
α1P2 = (x2, y2)•iiiiiii
P3 = (x3, y3)•PPPPPPP
Addition of angles defines commutative group law(x1, y1) + (x2, y2) = (x3, y3), where
x3 = x1y2 + y1x2 and y3 = y1y2 − x1x2.
Fast but not elliptic; low security.
–p.3
Elliptic curve in Edwards form over a non-binary field k
x2 + y2 = 1 + dx2y2,
where d ∈ k \ {0, 1}.
y
x
OO
//
neutral = (0, 1)•
P1 = (x1, y1)•��
��
P2 = (x2, y2)•ffffff
P3 = (x3, y3)•[[[[[[[
We add two points (x1, y1), (x2, y2) on E according to theEdwards addition law
(x1, y1), (x2, y2) 7→
(
x1y2 + x2y1
1 + dx1x2y1y2,y1y2 − x1x2
1 − dx1x2y1y2
)
.
–p.4
Elliptic?
Short answer:
Projective coordinates (X2 + Y 2)Z2 = Z4 + dX2Y 2
imply at first glance two singular points at infinity:(1 : 0 : 0), (0 : 1 : 0).
Blow up yields two points of order 2 and two points oforder 4.
Easy way to see is approach from curves in Montgomeryform.
–p.5
1. Elliptic curves in Edwards form
2. Addition law
3. Fast explicit formulas
4. Twisted Edwards Curves
–p.6
Addition on Edwards curves
(x1, y1) + (x2, y2) =
(
x1y2 + y1x2
1 + dx1x2y1y2,y1y2 − x1x2
1 − dx1x2y1y2
)
The point (0, 1) is the neutral element of the additionlaw and
the negative of P = (x1, y1) is −P = (−x1, y1).
If d is a non-square in k the addition law is complete.
The addition law is strongly unified, i.e., it can be alsoused for doublings.
–p.7
Complete? – (1)
(x1, y1) + (x2, y2) =
(
x1y2 + y1x2
1 + dx1x2y1y2,y1y2 − x1x2
1 − dx1x2y1y2
)
Can the denominators be 0?
Claim: They are never 0 if d is not a square in k.
Proof : Let (x1, y1) and (x2, y2) be on the curve, i.e.,x2i + y2
i = 1 + dx2i y
2i .
Write ε = dx1x2y1y2 and suppose ε ∈ {−1, 1}.Then x1, x2, y1, y2 6= 0 and
dx21y
21(x
22 + y2
2) = dx21y
21(1 + dx2
2y22)
= dx21y
21 + d2x2
1y21x
22y
22
= dx21y
21 + ε2
= 1 + dx21y
21 //(ε = ±1)
= x21 + y2
1
–p.8
Complete? – (2)
Show: ε = dx1x2y1y2 = ±1 implies d is a square.
(x1, y1) + (x2, y2) =
(
x1y2 + y1x2
1 + dx1x2y1y2,y1y2 − x1x2
1 − dx1x2y1y2
)
We have dx21y
21(x
22 + y2
2) = x21 + y2
1.
Proof (continued): It follows that
(x1 + εy1)2 = x2
1 + y21 + 2εx1y1
= dx21y
21(x
22 + y2
2) + 2x1y1dx1x2y1y2
= dx21y
21(x
22 + 2x2y2 + y2
2) = dx21y
21(x2 + y2)
2
x2 + y2 6= 0 ⇒ d = ((x1 + εy1)/x1y1(x2 + y2))2 ⇒ d = �
x2 − y2 6= 0 ⇒ d = ((x1 − εy1)/x1y1(x2 − y2))2 ⇒ d = �
If x2 + y2 = 0 and x2 − y2 = 0, then x2 = y2 = 0,contradiction.
–p.9
1. Elliptic curves in Edwards form
2. Addition law
3. Fast explicit formulas
4. Twisted Edwards Curves
–p.10
Inversion-free addition
Consider the homogenized Edwards equation
E : (X2 + Y 2)Z2 = Z4 + dX2Y 2
A point (X1 : Y1 : Z1) with Z1 6= 0 on E corresponds to theaffine point (X1/Z1, Y1/Z1).
A = Z1 · Z2; B = A2; C = X1 ·X2; D = Y1 · Y2;
E = (X1 + Y1) · (X2 + Y2) − C −D; F = d · C ·D;
XP+Q = A ·E · (B − F );
YP+Q = A · (D − C) · (B + F );
ZP+Q = (B − F ) · (B + F ).
Costs 10M+1S+1D (mixed ADD needs 9M+1S+1D).
–p.11
Explicit fast doubling and tripling formulas
(Non-unified) Doubling of a point (x1, y1) onx2 + y2 = 1 + dx2y2:
[2](x1, y1) =
(
2x1y1
1 + dx21y
21
,y21 − x2
1
1 − dx21y
21
)
=
(
2x1y1
x21 + y2
1
,y21 − x2
1
2 − (x21 + y2
1)
)
.
Inversion-free version needs 3M + 4S.
Tripling:
[3](x1, y1) =(
((x2
1+ y2
1)2 − (2y1)
2)
4(x2
1− 1)x2
1− (x2
1− y2
1)2x1,
((x2
1+ y2
1)2 − (2x1)
2)
−4(y2
1− 1)y2
1+ (x2
1− y2
1)2y1
)
.
Inversion-free explicit formulas cost 9M + 4S.
–p.12
Inverted Edwards
A point (X1 : Y1 : Z1) with X1Y1Z1 6= 0 on
(X2 + Y 2)Z2 = X2Y 2 + dZ4
corresponds to (Z1/X1, Z1/Y1) on the Edwards curvex2 + y2 = 1 + dx2y2.
Costs: 9M + 1S for ADD, 8M + 1S for mixed ADD, 3M +4S for DBL and 9M + 4S for TRI.
–p.13
1. Elliptic curves in Edwards form
2. Addition law
3. Fast explicit formulas
4. Twisted Edwards Curves
–p.14
What about Montgomery form?
So far fastest ECC methods use curves in Montgomeryform Bv2 = u3 +Au2 + u.
Differential addition formulas for computing nP use 5M+ 4S + 1A for each bit of n.
Setting 1S = 0.8 M: Edwards faster than Montgomerycurves when using scalars with more than 160 bits.
nP + n′P ′ is hard to compute for n 6= n′ and P 6= P ′.Big advantage for Edwards.
–p.15
Counting elliptic curves over Fp if p ≡ 1 (mod 4)
≈ 2p elliptic curves.≈ 5p/6 curves with order ∈ 4Z.≈ 5p/6 Montgomery curves.≈ 2p/3 Edwards curves.≈ p/2 complete Edwards curves.≈ p/24 original Edwards curves.
(more detailed description and more experiments in Bernstein,Birkner, Joye, Lange, P.: Twisted Edwards Curves inAFRICACRYPT ’08)
–p.16
Counting elliptic curves over Fp if p ≡ 3 (mod 4)
≈ 2p elliptic curves.≈ 5p/6 curves with order ∈ 4Z.≈ 3p/4 Montgomery curves.≈ 3p/4 Edwards curves.≈ p/2 complete Edwards curves.≈ p/4 original Edwards curves.
Can we achieve Edwards-like speeds for more curves?
–p.17
Twisted curves
Points of order 4 restrict the number of elliptic curves inEdwards form over k.
Define twisted Edwards curves
ax2 + y2 = 1 + dx2y2,
with a, d 6= 0 and a 6= d.
Every Edwards curve is a twisted Edwards curve (a = 1).
–p.18
Why“twisted”?
E′ : x2 + y2 = 1 + (d/a)x2y2 over k
with a = α2 for some α ∈ k is isomorphic to
E : ax2 + y2 = 1 + dx2y2 by x = x/α and y = y.
In general: E′ and E are quadratic twists of each other,
i.e., isomorphic over a quadratic extension of k.
We have E′ : ax2 + y2 = 1 + dx2y2 and
E : ax2 + y2 = 1 + dx2y2 are quadratic twists
if ad = ad.
–p.19
Convert Edwards curves into twisted form
Get rid of huge denominators mod large primes p:
E.g. Given x2 + y2 = 1 + dx2y2 with d = n/m. Assume m“small”.
Then m−1 mod p is almost as big as p!
Bernstein’s Curve25519: v2 = u3 + 486662u2 + u over Fp
where p = 2255 − 19.
Bernstein/Lange: Curve25519 is birationally equivalent tox2 + y2 = 1 + (121665/121666)x2y2.
But 121665/121666 ≡20800338683988658368647408995589388737092878452977063003340006470870624536394
mod p.
Write curve as 121666 x2 + y2 = 1 + 121665 x2y2.
–p.20
Addition on twisted Edwards curves
(x1, y1) + (x2, y2) =
(
x1y2 + y1x2
1 + dx1x2y1y2,y1y2 − ax1x2
1 − dx1x2y1y2
)
.
Costs for inversion-free formulas: 10M + 1S + 1A + 1D forADD, 3M + 4S + 1A for DBL.
Speed in inverted coordinates: 9M + 1S + 1A + 1D forADD, 3M + 4S + 1A + 1D for DBL.
–p.21
Birational equivalence
The Montgomery curve Bv2 = u3 +Au2 + u is birationallyequivalent to an Edwards curve Ea,d : ax2 + y2 = 1 + dx2y2
where a = (A+ 2)/B and d = (A− 2)/B.
(u, v) 7→ (x, y) = (u/v, (u − 1)/(u + 1)).
inverse map(x, y) 7→ ((1 + y)/(1 − y), (1 + y)/((1 − y)x)).(B = 4/(a − d) and A = 2(a+ d)/(a− d).)
–p.22
Exceptional points
Birational maps (u, v) 7→ (x, y) = (u/v, (u − 1)/(u + 1)).Exceptional points satisfy v(u+ 1) = 0.
(0, 0) ∈ EM corresponds to (0,−1).
If EM (k) contains two more points of order 2, they aremapped to two points of order 2 at infinity of thedesingularization of E.
If d = δ2 in k: The point with u = −1 corresponds topoints (−1,±δ) which have order 4. They correspondto two points of order 4 at infinity of thedesingularization of E.
–p.23
Twisted Edwards speed for curves having group order ∈ 4Z
Not every curve with group order ∈ 4Z can be written as aMontgomery curve.
That’s the case iff p ≡ 3 mod 4 and the curve has 2-torsionZ/2 × Z/2.
Write curve as v2 = u3 − (a+ d)u2 + (ad)u.
This curve is 2-isogenous to ax2 + y2 = 1 + dx2y2:
(u, v) 7→ (2v/(ad − u2), (v2 − (a− d)u2)/(v2 + (a− d)u2).
–p.24
Make use of fast arithmetic on twisted Edwards curves
Given n,m ∈ Z and two points P , Q on the Montgomerycurve EM and a 2-isogeny ψ to a twisted Edwards curveEa,d.
EM × EMP,Q 7→[2n]P+[2m]Q //
ψ×ψ
��
EM
Ea,d × Ea,dP ,Q7→[n]P+[m]Q
// Ea,d
ψ
OO
–p.25
Benefits of twisted Edwards curves
Fast addition formulas for a greater range of ellipticcurves.
Some Edwards curves are sped up by twists.
All Montgomery curves can be written as twistedEdwards curves.
Can use isogenies to achieve similar speeds for all curveswhere 4 divides group order.
–p.26
Merci beaucoup!
–p.27