# Edwards curve

In mathematics, the **Edwards curves** are a family of elliptic curves studied by Harold Edwards in 2007. The concept of elliptic curves over finite fields is widely used in elliptic curve cryptography. Applications of Edwards curves to cryptography were developed by Daniel J. Bernstein and Tanja Lange: they pointed out several advantages of the Edwards form in comparison to the more well known Weierstrass form^{[example needed]}.

## Definition

The equation of an Edwards curve over a field *K* which does not
have characteristic 2 is:

- [math]\displaystyle{ x^2 + y^2 = 1 + d x^2 y^2 \, }[/math]

for some scalar [math]\displaystyle{ d\in K\setminus\{0,1\} }[/math].
Also the following form with parameters *c* and *d* is called an Edwards curve:

- [math]\displaystyle{ x^2 + y^2 = c^2(1 + dx^2 y^2) \, }[/math]

where *c*, *d* ∈ *K* with *cd*(1 − *c*^{4}·*d*) ≠ 0.

Every Edwards curve is birationally equivalent to an elliptic curve in Montgomery form, and thus admits an algebraic group law once one chooses a point to serve as a neutral element. If *K* is finite, then a sizeable fraction of all elliptic curves over *K* can be written as Edwards curves.
Often elliptic curves in Edwards form are defined having c=1, without loss of generality. In the following sections, it is assumed that c=1.

## The group law

(See also Weierstrass curve group law)

Every Edwards curve [math]\displaystyle{ x^2 + y^2 = 1 + dx^2y^2 }[/math] over field *K* with characteristic not equal to 2 with [math]\displaystyle{ d \ne 1 }[/math] is birationally equivalent to an elliptic curve over the same field: [math]\displaystyle{ (1/e)v^2 = u^3 + (4/e - 2)u^2 + u }[/math], where [math]\displaystyle{ e=1-d, u=\frac{1+y}{1-y}, v=\frac{2(1+y)}{x(1-y)} }[/math] and the point [math]\displaystyle{ P = (0,1) }[/math] is mapped to the infinity *O*. This birational mapping induces a group on any Edwards curve.

### Edwards addition law

On any elliptic curve the sum of two points is given by a rational expression of the coordinates of the points, although in general one may need to use several formulas to cover all possible pairs. For the Edwards curve, taking the neutral element to be the point (0, 1), the sum of the points [math]\displaystyle{ (x_1,y_1) }[/math] and [math]\displaystyle{ (x_2,y_2) }[/math] is given by the formula

- [math]\displaystyle{ (x_1,y_1) + (x_2,y_2) = \left( \frac{x_1 y_2 + x_2 y_1}{1 + dx_1 x_2 y_1 y_2}, \frac{y_1 y_2 - x_1 x_2}{1 - dx_1 x_2 y_1 y_2} \right) \, }[/math]

The opposite of any point [math]\displaystyle{ (x,y) }[/math] is [math]\displaystyle{ (-x,y) }[/math]. The point [math]\displaystyle{ (0,-1) }[/math] has order 2, and the points [math]\displaystyle{ (\pm 1,0) }[/math] have order 4. In particular, an Edwards curve always has a point of order 4 with coordinates in *K*.

If *d is not a square* in *K* and [math]\displaystyle{ \{(x_1,y_1), (x_2,y_2)\} \in \{(x,y)|x^2+y^2=1+d x^2 y^2 \}^2 }[/math], then there are no exceptional points: the denominators [math]\displaystyle{ 1 + dx_{1}x_{2}y_{1}y_{2} }[/math] and [math]\displaystyle{ 1 - dx_{1}x_{2}y_{1}y_{2} }[/math] are always nonzero. Therefore, the Edwards addition law is complete when *d* is not a square in *K*. This means that the formulas work for all pairs of input points on the Edwards curve with no exceptions for doubling, no exception for the neutral element, no exception for negatives, etc.^{[1]} In other words, it is defined for all pairs of input points on the Edwards curve over *K* and the result gives the sum of the input points.

If *d is a square* in *K*, then the same operation can have exceptional points, i.e. there can be pairs of points [math]\displaystyle{ (x_1,y_1), (x_2,y_2) \in \{(x,y)|x^2+y^2=1+d x^2 y^2 \} }[/math] such that one of the denominators becomes zero: either [math]\displaystyle{ 1 + dx_{1}x_{2}y_{1}y_{2} = 0 }[/math] or [math]\displaystyle{ 1 - dx_{1}x_{2}y_{1}y_{2} = 0 }[/math].

One of the attractive feature of the Edwards Addition law is that it is strongly *unified* i.e. it can also be used to double a point, simplifying protection against side-channel attack. The addition formula above is faster than other unified formulas and has the strong property of completeness^{[1]}

**Example of addition law **:

Consider the elliptic curve in the Edwards form with *d*=2

- [math]\displaystyle{ {\displaystyle}x^2 + y^2 = 1 + 2 x^2 y^2 }[/math]

and the point [math]\displaystyle{ P_1=(1,0) }[/math] on it. It is possible to prove that the sum of *P*_{1} with the neutral element (0,1) gives again P_{1}. Indeed, using the formula given above, the coordinates of the point given by this sum are:

- [math]\displaystyle{ x_3 = \frac{x_1 y_2 + y_1 x_2}{1 + 2x_1 x_2 y_1 y_2} = 1 }[/math]

- [math]\displaystyle{ y_3 = \frac{y_1 y_2 - x_1 x_2}{1 - 2x_1 x_2 y_1 y_2} = 0 }[/math]

### An analogue on the circle

To understand better the concept of "addition" of points on a curve, a nice example is given by the classical circle group:

take the circle of radius 1

- [math]\displaystyle{ {\displaystyle}x^2+y^2=1 }[/math]

and consider two points P_{1}=(x_{1},y_{1}), P_{2}=(x_{2},y_{2}) on it. Let α_{1} and α_{2} be the angles such that:

- [math]\displaystyle{ {\displaystyle}P_{1}=(x_{1},y_{1})=(\sin{\alpha_{1}},\cos{\alpha_{1}}) }[/math]
- [math]\displaystyle{ {\displaystyle}P_{2}=(x_{2},y_{2})=(\sin{\alpha_{2}},\cos{\alpha_{2}}) }[/math]

The sum of P_{1} and P_{2} is, thus, given by the sum of "their angles". That is, the point P_{3}=P_{1}+P_{2} is a point on the circle with coordinates (x_{3},y_{3}), where:

- [math]\displaystyle{ {\displaystyle}x_{3}=\sin({\alpha}_{1}+{\alpha}_{2})=\sin{\alpha}_{1}\cos{\alpha}_{2}+\sin{\alpha}_{2}\cos{\alpha}_{1}=x_{1}y_{2}+x_{2}y_{1} }[/math]
- [math]\displaystyle{ {\displaystyle}y_{3}=\cos({\alpha}_{1}+{\alpha}_{2})=\cos{\alpha}_{1}\cos{\alpha}_{2}-\sin{\alpha}_{1}\sin{\alpha}_{2}=y_{1}y_{2}-x_{1}x_{2}. }[/math]

In this way, the addition formula for points on the circle of radius 1 is:

- [math]\displaystyle{ {\displaystyle}(x_1,y_1)+(x_2,y_2) = (x_1y_2+x_2y_1,y_1y_2-x_1x_2) }[/math].

### Addition on Edwards curves

The points on an elliptic curve form an abelian group: one can add points and take integer multiples of a single point. When an elliptic curve is described by a non-singular cubic equation, then the sum of two points *P* and *Q*, denoted *P* + *Q*, is directly related to third point of intersection between the curve and the line that passes through *P* and *Q*.

The birational mapping between an Edwards curve and the corresponding cubic elliptic curve maps the straight lines into conic sections^{[2]}
[math]\displaystyle{ Axy + Bx + Cy + D = 0 }[/math]. In other words, for the Edwards curves the three points [math]\displaystyle{ P }[/math], [math]\displaystyle{ Q }[/math] and [math]\displaystyle{ -(P+Q) }[/math] lay on a hyperbola.

Given two distinct non-identity points [math]\displaystyle{ P_1=(x_1,y_1), P_2=(x_2,y_2), P_1 \ne P_2 }[/math], the coefficients of the quadratic form are (up to scalars):

[math]\displaystyle{ A = (x_1 - x_2) + (x_{1}y_{2} - x_{2}y_{1}) }[/math],

[math]\displaystyle{ B = (x_{2}y_{2} - x_{1}y_{1}) + y_{1}y_{2}(x_{2} - x_{1}) }[/math],

[math]\displaystyle{ C = x_{1}x_{2}(y_{1} - y_{2}), D = C }[/math]

In the case of doubling a point [math]\displaystyle{ P=(x,y) }[/math] the inverse point [math]\displaystyle{ -2P }[/math] lies on the conic that touches the curve at the point [math]\displaystyle{ P }[/math]. The coefficients of the quadratic form that defines the conic are (up to scalars^{[clarification needed]}):

[math]\displaystyle{ A = dx^2y - 1 }[/math],

[math]\displaystyle{ B = y - x^2 }[/math],

[math]\displaystyle{ C = x(1 - y), D = C }[/math]

## Projective homogeneous coordinates

In the context of cryptography, homogeneous coordinates are used to prevent field inversions that appear in the affine formula. To avoid inversions in the original Edwards addition formulas, the curve equation can be written in projective coordinates as:

[math]\displaystyle{ (X^2+Y^2)Z^2=Z^4+dX^2Y^2 }[/math].

A projective point [math]\displaystyle{ (X : Y : Z) }[/math] corresponds to the affine point [math]\displaystyle{ (X/Z : Y/Z) }[/math] on the Edwards curve.

The identity element is represented by [math]\displaystyle{ (0 : 1 : 1 ) }[/math]. The inverse of [math]\displaystyle{ (X : Y : Z) }[/math] is [math]\displaystyle{ (-X : Y : Z) }[/math].

The addition formula in homogeneous coordinates is given by: [math]\displaystyle{ (X_1 : Y_1 : Z_1)+(X_2 : Y_2 : Z_2 )=(X_3 : Y_3 : Z_3 ) }[/math]

where

[math]\displaystyle{ X_3 = Z_{1}Z_{2}(X_{1}Y_{2} + X_{2}Y_{1})(Z_{1}^{2}Z_{2}^{2} - dX_{1}X_{2}Y_{1}Y_{2}) }[/math]

[math]\displaystyle{ Y_3 = Z_{1}Z_{2}(Y_{1}Y_{2} - X_{1}X_{2})(Z_{1}^{2}Z_{2}^{2} + dX_{1}X_{2}Y_{1}Y_{2}) }[/math]

[math]\displaystyle{ Z_3 = (Z_{1}^{2}Z_{2}^{2} - dX_{1}X_{2}Y_{1}Y_{2})(Z_{1}^{2}Z_{2}^{2} + dX_{1}X_{2}Y_{1}Y_{2}) }[/math]

### Algorithm

Addition of two points on the Edwards curve could be computed more efficiently^{[3]} in the *extended Edwards form* [math]\displaystyle{ (X:Y:Z:T) }[/math], where [math]\displaystyle{ T=XY/Z }[/math]: [math]\displaystyle{ (X_3:Y_3:Z_3:T_3) = (X_1:Y_1:Z_1:T_1) + (X_2:Y_2:Z_2:T_2) }[/math]

[math]\displaystyle{ A = X_{1}X_{2}; B = Y_{1}Y_{2}; C = dT_{1}T_{2}; D = Z_{1}Z_{2}; }[/math]

[math]\displaystyle{ E = (X_{1} + Y_{1})(X_{2} + Y_{2}) - A - B; F = D - C; G = D + C; H = B - A; }[/math]

[math]\displaystyle{ X_3 = E \cdot F; Y_3 = G \cdot H; Z_3 = F \cdot G; T_3 = E \cdot H; }[/math]

## Doubling

*Doubling* can be performed with exactly the same formula as addition. Doubling refers to the case in which the inputs (*x*_{1}, *y*_{1}) and (*x*_{2}, *y*_{2}) are equal.

Doubling a point [math]\displaystyle{ P=(x,y) }[/math]:

[math]\displaystyle{ \begin{align} (x,y)+(x,y) & = \left( \frac{2xy}{1+dx^2y^2}, \frac{y^2-x^2}{1-dx^2y^2} \right) \\[6pt] & = \left( \frac{2xy}{x^2+y^2}, \frac{y^2-x^2}{2-x^2-y^2} \right) \end{align} }[/math]

The denominators were simplified based on the curve equation [math]\displaystyle{ x^2 + y^2 = 1 + dx^2y^2 }[/math]. Further speedup is achieved by computing [math]\displaystyle{ 2xy }[/math] as [math]\displaystyle{ (x + y)^2 - x^2 - y^2 }[/math]. This reduces the cost of doubling in homomorphic coordinates to 3**M** + 4**S** + 3**C** + 6**a**, while general addition costs 10**M** + 1**S** + 1**C** + 1**D** + 7**a**. Here **M** is field multiplications, **S** is field squarings, **D** is the cost of multiplying by the curve parameter *d*, and **a** is field addition.

- Example of doubling

As in the previous example for the addition law, consider the Edwards curve with d=2:

[math]\displaystyle{ x^2 + y^2 = 1 + 2 x^2 y^2 }[/math]

and the point [math]\displaystyle{ P=(1,0) }[/math]. The coordinates of the point [math]\displaystyle{ P_2 = 2P_1 }[/math] are:

[math]\displaystyle{ x_2 = \frac{2xy}{x^2 + y^2} = 0 }[/math]

[math]\displaystyle{ y_2 = \frac{y^2-x^2}{2 - (x^2 + y^2)} = -1 }[/math]

The point obtained from doubling *P* is thus [math]\displaystyle{ P_2=(0,-1) }[/math].

## Mixed addition

Mixed addition is the case when Z_{2} is known to be 1. In such a case A=Z_{1}^{.}Z_{2} can be eliminated and the total cost reduces to 9**M**+1**S**+1**C**+1**D**+7**a**

### Algorithm

A= Z_{1}^{.}Z_{2} // in other words, A= Z_{1}

B= Z_{1}^{2}

C=X_{1}.X_{2}

D=Y_{1}^{.}Y_{2}

E=d^{.}C^{.}D

F=B-E

G=B+E

X_{3}= A^{.}F((X_{I}+Y_{1})^{.}(X_{2}+Y_{2})-C-D)

Y_{3}= A^{.}G^{.}(D-C)

Z_{3}=C^{.}F^{.}G

## Tripling

*Tripling* can be done by first doubling the point and then adding the result to itself. By applying the curve equation as in doubling, we obtain

- [math]\displaystyle{ 3(x_1,y_1) = \left( \frac{(x_1^2+ y_1^2)^2 - (2 y_1)^2}{4(x_1^2-1)x_1^2 - (x_1^2-y_1^2)^2}x_1, \frac{(x_1^2+ y_1^2)^2 - (2x_1)^2}{-4(y_1^2-1)y_1^2+(x_1^2-y_1^2)^2}y_1 \right). \, }[/math]

There are two sets of formulas for this operation in standard Edwards coordinates. The first one costs 9**M** + 4**S** while the second needs 7**M** + 7**S**. If the **S/M** ratio is very small, specifically below 2/3, then the second set is better while for larger ratios the first one is to be preferred.^{[4]}
Using the addition and doubling formulas (as mentioned above) the point (*X*_{1} : *Y*_{1} : *Z*_{1}) is symbolically computed as 3(*X*_{1} : *Y*_{1} : *Z*_{1}) and compared with (*X*_{3} : *Y*_{3} : *Z*_{3})

- Example of tripling

Giving the Edwards curve with d=2, and the point P_{1}=(1,0), the point 3P_{1} has coordinates:

[math]\displaystyle{ x_3 = \frac{(x_1^2+ y_1^2)^2 - (2 y_1)^2}{4(x_1^2-1)x_1^2 - (x_1^2-y_1^2)^2}x_1 = -1 }[/math]

[math]\displaystyle{ y_3 = \frac{(x_1^2+ y_1^2)^2 - 2(x_1 )^2}{-4 (y_1^2-1)y_1^2+(x_1^2-y_1^2)^2}y_1 = 0 }[/math]

So, 3P_{1}=(-1,0)=P-_{1}. This result can also be found considering the doubling example: 2P_{1}=(0,1), so 3P_{1} = 2P_{1} + P_{1} = (0,-1) + P_{1} = -P_{1}.

- Algorithm

A=X_{1}^{2}

B=Y_{1}^{2}

C=(2Z_{1})^{2}

D=A+B

E=D^{2}

F=2D.(A-B)

G=E-B.C

H=E-A.C

I=F+H

J=F-G

X_{3}=G.J.X1

Y_{3}=H.I.Y1

Z_{3}=I.J.Z1

This formula costs 9**M** + 4**S**

## Inverted Edwards coordinates

Bernstein and Lange introduced an even faster coordinate system for elliptic curves called the *Inverted Edward coordinates*^{[5]} in which the coordinates (*X* : *Y* : *Z*) satisfy the curve (*X*^{2} + *Y*^{2})*Z*^{2} = (*dZ*^{4} + *X*^{2}*Y*^{2}) and corresponds
to the affine point (*Z*/*X*, *Z*/*Y*) on the Edwards curve *x*^{2} + *y*^{2} = 1 + *dx*^{2}*y*^{2} with XYZ ≠ 0.

**Inverted Edwards coordinates**, unlike standard Edwards coordinates, do not have complete addition formulas: some points, such as the neutral element, must be handled separately. But the addition formulas still have the advantage of strong unification: they can be used without change to double a point.

For more information about operations with these coordinates see http://hyperelliptic.org/EFD/g1p/auto-edwards-inverted.html

## Extended Coordinates for Edward Curves

There is another coordinates system with which an Edwards curve can be represented. These new coordinates are called **extended coordinates**^{[6]} and are even faster than inverted coordinates. For more information about the time-cost required in the operations with these coordinates see:
http://hyperelliptic.org/EFD/g1p/auto-edwards.html

## See also

For more information about the running-time required in a specific case, see Table of costs of operations in elliptic curves.

## Notes

- ↑
^{1.0}^{1.1}Daniel. J. Bernstein , Tanja Lange, pag. 3,*Faster addition and doubling on elliptic curves* - ↑ Christophe Arene; Tanja Lange (2009). "Faster Computation of the Tate Pairing". http://eprint.iacr.org/2009/155. Retrieved 28 February 2010.
- ↑ Huseyin Hisil, Kenneth Koon-Ho Wong, Gary Carter, and Ed Dawson.
*Twisted Edwards curves revisited*. In ASIACRYPT 2008, pages 326–343, 2008 - ↑ Bernstein et al., Optimizing Double-Base Elliptic curve single-scalar Multiplication
- ↑ Daniel J.Bernstein . Tanja Lange , pag.2,
*Inverted Edward coordinates* - ↑ H. Hisil, K. K. Wong, G. Carter, E. Dawson
*Faster group operations on elliptic curves*

## References

- Faster Addition and Doubling on Elliptic curves, 2007, http://cr.yp.to/newelliptic/newelliptic-20070906.pdf
- Edwards, Harold M. (9 April 2007), "A normal form for elliptic curves",
*Bulletin of the American Mathematical Society***44**(3): 393–422, doi:10.1090/s0273-0979-07-01153-6, ISSN 0002-9904 *Faster Group Operations on Elliptic curves*, H. Hisil, K. K. Wong, G. Carter, E. Dawson- D.J.Bernstein, P.Birkner. T. Lange, C.Peters, Optimizing Double-Base Elliptic-Curve Single-Scalar Multiplication, http://cr.yp.to/antiforgery/doublebase-20071028.pdf
- Washington, Lawrence C. (2008),
*Elliptic Curves: Number Theory and Cryptography*, Discrete Mathematics and its Applications (2nd ed.), Chapman & Hall/CRC, ISBN 978-1-4200-7146-7 - , http://cr.yp.to/newelliptic/inverted-20071009.pdf

## External links

Original source: https://en.wikipedia.org/wiki/Edwards curve.
Read more |