Differential Addition in Edwards Coordinates Revisited and a Short Note on Doubling in Twisted Edwards Form

Srinivasa Rao Subramanya Rao

Mathematical Sciences Institute, The Australian National University, Union Lane, Canberra ACT 2601, Australia

Keywords:

Scalar Multiplication, Montgomery Curves, Differential Addition, Edwards Curves, Twisted Edwards Curves, Binary Edwards Curves, Homogeneous Projective, Inverted Coordinates, Extended Homogeneous Projective Coordinates, w-coordinate Differential addition.

Abstract:

Cryptographic algorithms in smart cards and other constrained environments increasingly rely on Elliptic Curves and thus it is desirable to have fast algorithms for elliptic curve arithmetic. In this paper, we provide

(i) faster differential addition formulae for elliptic curve arithmetic on Generalized Edwards' Curves improving upon the currently known formulae in the literature, proposed by Justus and Loebenberger at IWSEC 2010,

(ii) more efficient affine differential addition formulae for a new model of Binary Edwards Curves proposed by Wu, Tang and Feng at INDOCRYPT 2012 and

(iii) an algorithm for point doubling on Twisted Edwards Curves with a smaller footprint when the implementation is desired to work across Homogeneous Projective, Inverted and Extended Homogeneous Projective Coordinates.

1 INTRODUCTION

Security in smart devices and mobile networks requires an efficient implementation of cryptographic algorithms owing to the computational, bandwidth, power and memory constraints experienced in these environments. With its smaller key sizes, Elliptic Curve Cryptography (ECC) is increasingly seen as an alternative to traditional public key algorithms such as RSA, especially in constrained environments such as mobile devices. Thus while ECC is attractive for the success of lightweight applications such as security for mobile and/or embedded applications, RFID and in the context of "Internet for Things", optimized low-cost ECC implementations are crucial for this success.

In recent years, amongst other things, research in ECC has focused on efficient implementations. As is well known, the set of points on an elliptic curve defined over a finite field along with the point at infinity form a group when appropriate group operations are defined. Elliptic curve groups have an additive notation and thus the operation of exponentiation in a group with multiplicative notation becomes a multiplication operation in Elliptic curve groups over a finite field. Point multiplication is at the core of most ECC applications and dominates ECC. Thus efficient methods for point multiplication are crucial for ECC. A very good source for point multiplication formulae is the EFD (Explicit Forms Database) (Bernstein and Lange, 2007). The usual convention in the literature is to denote the cost of a field inversion by $I$, a field multiplication by $M$ and a field squaring by $S$. In this paper we will denote the cost of a field multiplication with a constant by $M_c$. Field multiplications by 2, 3 or 4 can be achieved by field additions and are thus ignored in cost comparisons in this paper. Lately, a new form of an elliptic curve called "Edwards Curve" has received attention in the research community mainly due to its low finite field operation count for point multiplication. Differential addition, a concept used earlier in the context of Montgomery curves, has been adapted to other forms of elliptic curves including Edwards curves.

In this paper, we review some formulae presented in the literature towards differential addition on Edwards Curves and work towards speeding up the same. Specifically, we look at formulae proposed by Justus and Loebenberger at IWSEC 2010 and at formulae proposed by Wu, Tang and Feng at INDOCRYPT 2012. The rest of the paper is organized as follows: In Section 2, we review (i) differential addition and (ii) some formulae presented in the literature for differential addition on Generalized Edwards Curves and Binary Edwards Curves. In Section 3, we provide faster algorithms to evaluate some of the formulae reviewed in Section 2. In Section 4, we review point doubling in Twisted Edwards Curves for the Homogeneous Projective, Inverted and Extended Homogeneous Projective coordinate forms and provide an alternate algorithm for point doubling. This alternate algorithm does not improve on the operation counts of currently known algorithms in the literature, but the similarity of the algorithms across coordinate forms means that it may be possible to have a smaller footprint when implementing algorithms that work with all of these three coordinate systems simultaneously. We finally conclude in Section 4.

Rao, S. Differential Addition in Edwards Coordinates Revisited and a Short Note on Doubling in Twisted Edwards Form. DOI: 10.5220/0005970603360343. In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications (ICETE 2016) - Volume 4: SECRYPT, pages 336-343. ISBN: 978-989-758-196-0. Copyright © 2016 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved

2 DIFFERENTIAL ADDITION

The problem of reducing the number of group operations required while computing an exponentiation (multiplication whilst in an additive group) is probably best seen in the context of addition chains. A finite sequence of integers $a_0, a_1, \ldots, a_r$ is called an addition chain (section 4.63 in (D.Knuth, 1998)) for $a_r$ if for each element $a_i$, there exists $a_j$ and $a_k$ in the sequence such that $a_0 = 1$ and for all $i = 1, 2, \ldots, r$

$$a_i = a_j + a_k, \quad \text{for some } k \le j < i \qquad (1)$$

Addition chains are applicable both in the context of multiplicative groups and additive groups such as Elliptic curve groups over a finite field.

In 1987, Montgomery proposed a special type of an elliptic curve, now known as Montgomery form of an elliptic curve or simply Montgomery curve (P.L.Montgomery, 1987). The arithmetic on a Montgomery curve relies on 'x-coordinate' only arithmetic and also requires the 'difference' of two group elements (points) to be known prior to the computation of addition of these two elements. Thus ordinary addition chains and improvements of these chains cannot be directly utilized for scalar multiplication on Montgomery curves where 'x-coordinate' only formulae are used. A special form of addition chain called Lucas chains is useful in this context. A Lucas chain is a restricted variant of an addition chain where the indices in equation (1) above are such that either $j = k$ or the difference $a_k - a_j$ is already part of the chain. A special case of Lucas chains occurs when either $j = k$ or $a_k - a_j = a_0 = 1$ and these are called binary chains. A good reference for Lucas chains is (Montgomery, 1992). Lucas chains are also known as differential addition chains in the literature (Bernstein, 2006b). Below we review differential addition formulae for Montgomery curves. A Montgomery curve defined over a finite field $F_p$ is given by

$$E_m : By^2 = x^3 + Ax^2 + x$$

If $P = (x_1, y_1)$ is a point on the $E_m$, $P$ can be written in projective coordinates as $P = (X_1, Y_1, Z_1)$. If $[n]P = (X_n : Y_n : Z_n)$, the sum $[n + m]P = [n]P + [m]P$ can be computed using the differential addition formulae below:

Addition: ($n \neq m$)

$$X_{m+n} = Z_{m-n}\left((X_m - Z_m)(X_n + Z_n) + (X_m + Z_m)(X_n - Z_n)\right)^2$$

$$Z_{m+n} = X_{m-n}\left((X_m - Z_m)(X_n + Z_n) - (X_m + Z_m)(X_n - Z_n)\right)^2$$

Doubling: ($n = m$)

$$4X_nZ_n = (X_n + Z_n)^2 - (X_n - Z_n)^2$$

$$X_{2n} = (X_n + Z_n)^2 (X_n - Z_n)^2$$

$$Z_{2n} = 4X_nZ_n\left((X_n - Z_n)^2 + ((A + 2)/4)(4X_nZ_n)\right)$$

In the above formulae, we can see that the $Y$-coordinate is not required in the computation of $X$-coordinate of $[n + m]P$, provided we are supplied with the value of $[n - m]P$. This is employed by the Montgomery ladder for scalar multiplication. A good reference for Montgomery ladders is (M.Joye and S.Yen, 2002).

The idea of differential addition has been extended to other forms of elliptic curves. Lopez and Dahab (J.Lopez and R.Dahab, 1999) generalized this idea to Weierstrass form binary curves and Brier and Joye (E.Brier and M.Joye, 2002) generalized it to Weierstrass Curves defined over GF(p). Justus and Loebenberger (R.Justus and Loebenberger, 2010) extended differential addition to Generalized Edwards Elliptic Curve form in a paper presented at IWSEC 2010. Wu, Tang and Feng (H.Wu et al., 2012) proposed differential addition formulae for a new model of Binary elliptic curves. In this paper, we try to speed up some of the formulae proposed in (R.Justus and Loebenberger, 2010) and the affine w-Coordinate differential addition proposed in (H.Wu et al., 2012). In the remainder of this section, we review some of the Differential addition formulae for Generalized Edwards' Curves as provided in (R.Justus and Loebenberger, 2010) and the affine w-Coordinate differential addition formulae for a new model of Binary elliptic curve as provided in (H.Wu et al., 2012).

Generalized Edwards Curves over a finite field $F_p$ are given by (curve parameters $c, d \in F_p$)

$$E_{c,d} : x^2 + y^2 = c^2(1 + dx^2y^2)$$

It turns out that the differential addition formulae for generalized Edwards curves uses y-only coordinates instead of x-only coordinates for Montgomery curves. Let $P = (x_1, y_1)$ be a point on $E_{c,d}$. In projective coordinates, $P$ can be written as $P = (X_1, Y_1, Z_1)$ and let $[n]P = (X_n : Y_n : Z_n)$. If $c, d \neq 0$, $dc^4 \neq 1$ and $d$ is not a square in GF(p), the sum $[n + m]P = [n]P + [m]P$, as provided in (R.Justus and Loebenberger, 2010) is reproduced below:

A. Differential Addition for Generalised Edwards Coordinates: $m > n$

(Operation count given by authors in (R.Justus and Loebenberger, 2010) is $6M + 4S$).

$$Y_{m+n} = Z_{m-n}\left(Y_m^2(Z_n^2 - c^2dY_n^2) + Z_m^2(Y_n^2 - c^2Z_n^2)\right)$$

$$Z_{m+n} = Y_{m-n}\left(dY_m^2(Y_n^2 - c^2Z_n^2) + Z_m^2(Z_n^2 - c^2dY_n^2)\right)$$

B. Differential Doubling for Generalised Edwards Coordinates: $n = m$

(Operation count given by authors in (R.Justus and Loebenberger, 2010) is $1M + 4S$).

$$Y_{2n} = -c^2dY_n^4 + 2Y_n^2Z_n^2 - c^2Z_n^4$$

$$Z_{2n} = dY_n^4 - 2c^2dY_n^2Z_n^2 + Z_n^4$$

In (R.Justus and Loebenberger, 2010), point tripling formula are provided as well, which we reproduce below:

C. Tripling for Generalised Edwards Coordinates:

(Operation count given by authors in (R.Justus and Loebenberger, 2010) is $4M + 7S$).

$$Y_{3n} = Y_n\left(c^2(3Z_n^4 - dY_n^4)^2 - Z_n^4\left(8c^2Z_n^4 + (Y_n^2(c^3d + c^{-1}) - 2cZ_n^2)^2 - c^{-2}(c^4d + 1)^2Y_n^4\right)\right)$$

$$Z_{3n} = Z_n\left(c^2(Z_n^4 - 3dY_n^4)^2 + dY_n^4\left(4c^2Z_n^4 - (Y_n^2(c^3d + c^{-1}) - 2cZ_n^2)^2 + c^{-2}((c^4d + 1)^2 - 12c^4d)^2Y_n^4\right)\right)$$

In (R.Justus and Loebenberger, 2010), an alternate parameterization is provided by the authors, where only the squares of the points $(Y_m : Z_m)$, $(Y_n : Z_n)$ and $(Y_{m-n} : Z_{m-n})$ are utilized. We call this "Squares Only" or SQO parametrization. The authors provide addition, doubling and tripling formulae for this parametrization. Here we reproduce the doubling and the tripling formulae from (R.Justus and Loebenberger, 2010) for SQO parametrization.

D. SQO Doubling for Generalised Edwards Coordinates: $n = m$

(Operation count given in (R.Justus and Loebenberger, 2010) is $5S$).

$$Y_{2n}^2 = \left((1 - c^2d)Y_n^4 + (1 - c^2)Z_n^4 - (Y_n^2 - Z_n^2)^2\right)^2$$

$$Z_{2n}^2 = \left(dc^2(Y_n^2 - Z_n^2)^2 - d(c^2 - 1)Y_n^4 + (c^2d - 1)Z_n^4\right)^2$$

E. SQO Tripling for Generalised Edwards Coordinates: $m = 2n$

(Operation count in (R.Justus and Loebenberger, 2010) is $4M + 7S$).

$$Y_{3n}^2 = Y_n^2\left(c^2(3Z_n^4 - dY_n^4)^2 - Z_n^4\left(8c^2Z_n^4 + (Y_n^2(c^3d + c^{-1}) - 2cZ_n^2)^2 - c^{-2}(c^4d + 1)^2Y_n^4\right)\right)^2$$

$$Z_{3n}^2 = Z_n^2\left(c^2(Z_n^4 - 3dY_n^4)^2 + dY_n^4\left(4c^2Z_n^4 - (Y_n^2(c^3d + c^{-1}) - 2cZ_n^2)^2 + c^{-2}((c^4d + 1)^2 - 12c^4d)Y_n^4\right)\right)^2$$

In (H.Wu et al., 2012), the authors propose a new model of Binary Edwards Curve given by

$$S_t : x^2y + xy^2 + txy + x + y = 0$$

where $(x, y) \in K^2$ and $K$ is a field of characteristic 2. Further, in section 6 of this paper, the authors construct differential addition formula for $S_t$. We reproduce the approach and the formulae here.

F. Affine w-coordinate Differential Addition and Doubling for a new model of Binary Edwards Curves proposed in (H.Wu et al., 2012):

(Operation count for addition and doubling as given in (H.Wu et al., 2012) is $1I + 2M + 2S + 1M_c$ and $1I + 1M + 2S + 1M_c$ respectively.)

Utilizing w-coordinate differential addition that was initially proposed by Bernstein in (Bernstein et al., 2008a), the authors in (H.Wu et al., 2012) propose w-coordinate differential addition and doubling for $S_t$, i.e., they present formulae to compute $w(P + Q)$ and $w(2P)$ from $w(P)$, $w(Q)$ and $w(Q - P)$. If $P = (x, y)$ is a point on $S_t$, then the w-function is defined as $w(P) = xy$. If $P = (x_2, y_2)$, $Q = (x_3, y_3)$, $Q - P = (x_1, y_1)$, $2P = (x_4, y_4)$ and $Q + P = (x_5, y_5)$, we write $w_i = x_iy_i$ for $i = 1, 2, 3, 4, 5$. Then $w_2 = w(P)$, $w_4 = w(2P)$, $w_5 = w(P + Q)$, $w_1 = w(Q - P)$ and $w_3 = w(Q)$. The affine differential addition formulae on $S_t$, as developed and presented in (H.Wu et al., 2012) are as follows:

$$w_4 = \frac{1 + w_2^4}{t^2w_2^2} \quad \text{and} \quad w_5 = w_1 + \frac{t^2w_2w_3}{w_2^2 + w_3^2}$$

SECRYPT 2016 - International Conference on Security and Cryptography


3 ALTERNATE ALGORITHMS AND NEWER OPERATION COUNTS

In this section we show that the operation counts in formulae (B-F) of Section 2 can be improved. For clarity in comparison, the subsections that describe and compare our improvements to (B-F) of Section 2 are labeled as (BB-FF) respectively.

BB. Differential Doubling for Generalised Edwards Coordinates:

The operation count of formula (B) in Section 2 is $1M + 4S$ as the formula can be computed using the following algorithm:

$$
\begin{array}{lll}
A \leftarrow Y_n^2 & (= Y_n^2) & S \\
B \leftarrow Z_n^2 & (= Z_n^2) & S \\
D \leftarrow A * B & (= Y_n^2Z_n^2) & M \\
A \leftarrow A^2 & (= Y_n^4) & S \\
B \leftarrow B^2 & (= Z_n^4) & S \\
Y_{2n} = -c^2dA + 2D - c^2B & (= -c^2dY_n^4 + 2Y_n^2Z_n^2 - c^2Z_n^4) & 2M_c \\
Z_{2n} = dA - 2c^2dD + B & (= dY_n^4 - 2c^2dY_n^2Z_n^2 + Z_n^4) & 2M_c
\end{array}
$$

Thus the total complexity, if one takes into consideration the cost of multiplication by a constant other than 1 or 2 or 3, is $(1M + 4M_c + 4S)$. The formulae (B) in Section 2 can be rewritten as

$$Y_{2n} = -c^2dY_n^4 + 2Y_n^2Z_n^2 - c^2Z_n^4 = 2Y_n^2Z_n^2 - c^2(Z_n^4 + dY_n^4)$$

$$Z_{2n} = dY_n^4 - 2c^2dY_n^2Z_n^2 + Z_n^4 = -c^2d(2Y_n^2Z_n^2) + (Z_n^4 + dY_n^4)$$

The rewritten formulae above can be computed using the algorithm below:

$$
\begin{array}{lll}
A \leftarrow Y_n^2 & (= Y_n^2) & S \\
B \leftarrow Z_n^2 & (= Z_n^2) & S \\
E \leftarrow A^2 & (= Y_n^4) & S \\
F \leftarrow B^2 & (= Z_n^4) & S \\
G \leftarrow (A + B)^2 - E - F & (= 2Y_n^2Z_n^2) & S \\
Y_{2n} = G - c^2(F + dE) & (= 2Y_n^2Z_n^2 - c^2(Z_n^4 + dY_n^4)) & 2M_c \\
Z_{2n} = (-c^2d)G + (F + dE) & (= -c^2d(2Y_n^2Z_n^2) + (Z_n^4 + dY_n^4)) & 1M_c
\end{array}
$$

Thus the new complexity is $5S + 3M_c$. As $1S < 1M$, the new complexity $5S + 3M_c$ is less than the older complexity $(1M + 4M_c + 4S)$.

CC. Tripling for Generalised Edwards Coordinates:

The operation count of formula (C) in Section 2 of this paper is $4M + 7S$. In addition to this, by inspection, one can count $8M_c$ operations as required to compute the requisite formula. Thus the total complexity of formula (C) is $4M + 7S + 8M_c$. From section 3.1 in (R.Justus and Loebenberger, 2010), we have

$$y_3 = \frac{y(c^2d^2y^8 - 6c^2dy^4 + 4(c^4d + 1)y^2 - 3c^2)}{-3c^2d^2y^8 + 4d(c^4d + 1)y^6 - 6c^2dy^4 + c^2}$$

writing $y = Y/Z$ in projective coordinates, the above formula can be written as

$$\frac{Y_{3n}}{Z_{3n}} = \frac{Y_n}{Z_n} \cdot \frac{c^2d^2Y_n^8 - 6c^2dY_n^4Z_n^4 + 4(c^4d + 1)Y_n^2Z_n^6 - 3c^2Z_n^8}{-3c^2d^2Y_n^8 + 4d(c^4d + 1)Y_n^6Z_n^2 - 6c^2dY_n^4Z_n^4 + c^2Z_n^8}$$

Then

$$Y_{3n} = Y_n[c^2d^2Y_n^8 - 6c^2dY_n^4Z_n^4 + 4(c^4d + 1)Y_n^2Z_n^6 - 3c^2Z_n^8]$$

and

$$Z_{3n} = Z_n[-3c^2d^2Y_n^8 + 4d(c^4d + 1)Y_n^6Z_n^2 - 6c^2dY_n^4Z_n^4 + c^2Z_n^8]$$

The above rewritten formulae can now be computed using the algorithm below:

$$
\begin{array}{lll}
A \leftarrow Y_n^2 & (= Y_n^2) & S \\
B \leftarrow Z_n^2 & (= Z_n^2) & S \\
E \leftarrow A^2 & (= Y_n^4) & S \\
F \leftarrow B^2 & (= Z_n^4) & S \\
G \leftarrow (A + B)^2 - E - F & (= (Y_n^2 + Z_n^2)^2 - Y_n^4 - Z_n^4 = 2Y_n^2Z_n^2) & S \\
H \leftarrow G^2 & (= 4Y_n^4Z_n^4) & S \\
J \leftarrow E^2 & (= Y_n^8) & S \\
K \leftarrow F^2 & (= Z_n^8) & S \\
M \leftarrow (G + F)^2 - K - H & [= (2Y_n^2Z_n^2 + Z_n^4)^2 - Z_n^8 - 4Y_n^4Z_n^4] = 4Y_n^2Z_n^6 & S \\
N \leftarrow (G + E)^2 - J - H & [= (2Y_n^2Z_n^2 + Y_n^4)^2 - Y_n^8 - 4Y_n^4Z_n^4] = 4Y_n^6Z_n^2 & S
\end{array}
$$

Finally,

$$Y_{3n} \leftarrow Y_n[(c^2d^2)J - (\tfrac{3}{2}c^2d)H + (c^2d + 1)M - (3c^2)K]$$

which costs $1M + 3M_c$ and

$$Z_{3n} \leftarrow Z_n[(-3c^2d^2)J - d(c^4d + 1)N - (\tfrac{3}{2}c^2d)H + (c^2)K]$$

which costs $1M + 2M_c$. In the above, once $(c^2)K$ is computed, the cost of computing $(3c^2)K$ is ignored. The complexity of the new algorithm is $(10S + 2M + 5M_c)$. If $3S < 2M + 3M_c$, then the new complexity of $(10S + 2M + 5M_c)$ is less than the older complexity of $(7S + 4M + 8M_c)$. In (Bernstein, 2006a), $2M = 3S$ and thus $3S < 2M + 3M_c$.

DD. SQO Doubling for Generalised Edwards Coordinates:

By inspecting formula (D) in Section 2 and taking into consideration that we are provided with $X_{2n}^2$ and $Y_{2n}^2$, we can see that the total complexity of the formula (D) is $(5S + 5M_c)$. We can improve upon this. Using the doubling formula (BB) in this section, we can write

$$Y_{2n}^2 = \left(2Y_n^2Z_n^2 - c^2(Z_n^4 + dY_n^4)\right)^2$$

$$Z_{2n}^2 = \left(-c^2d(2Y_n^2Z_n^2) + (Z_n^4 + dY_n^4)\right)^2$$

Given that only squares of the coordinates are stored, the above formula can be computed using the following algorithm:

$$
\begin{array}{lll}
A \leftarrow (Y_n^2)^2 & (= Y_n^4) & 1S \\
B \leftarrow (Z_n^2)^2 & (= Z_n^4) & 1S \\
E \leftarrow (Y_n^2 + Z_n^2)^2 - A - B & (= 2Y_n^2Z_n^2) & 1S \\
Y_{2n}^2 \leftarrow \left(E - c^2(B + dA)\right)^2 & \left(= \left(2Y_n^2Z_n^2 - c^2(Z_n^4 + dY_n^4)\right)^2\right) & 1S + 2M_c \\
Z_{2n}^2 \leftarrow \left(-c^2dE + (B + dA)\right)^2 & \left(= \left(-c^2d(2Y_n^2Z_n^2) + (Z_n^4 + dY_n^4)\right)^2\right) & 1S + M_c
\end{array}
$$

The complexity of the new algorithm is $(5S + 3M_c)$ while the older complexity was $(5S + 5M_c)$.
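The evaluation schedules for formula (B), (BB) and (DD) can be checked against each other while counting field operations. The following is an added example, not code from the paper; the prime P and the curve constants c = 5 and d = 7 are constructed toy values, and the names Ops, formula_b, double_old, double_new, double_sqo and compare are hypothetical.

```python
import random

# Constructed toy parameters (assumptions, not taken from the paper).
P = 2**61 - 1          # prime field modulus
C = 5                  # curve parameter c
D = 7                  # curve parameter d
C2 = C * C % P         # constant c^2
C2D = C2 * D % P       # constant c^2 * d


class Ops:
    """Arithmetic mod P that counts S, M and M_c; additions are free."""

    def __init__(self):
        self.S = self.M = self.Mc = 0

    def sqr(self, a):
        self.S += 1
        return a * a % P

    def mul(self, a, b):
        self.M += 1
        return a * b % P

    def mulc(self, k, a):              # multiplication by a curve constant
        self.Mc += 1
        return k * a % P

    def cost(self):
        return (self.M, self.S, self.Mc)


def formula_b(Y, Z):
    """Formula (B) evaluated directly; used as the reference value."""
    Y2n = (-C2D * Y**4 + 2 * Y**2 * Z**2 - C2 * Z**4) % P
    Z2n = (D * Y**4 - 2 * C2D * Y**2 * Z**2 + Z**4) % P
    return Y2n, Z2n


def double_old(Y, Z, f):
    """First schedule in (BB): 1M + 4S + 4M_c."""
    A, B = f.sqr(Y), f.sqr(Z)
    Dm = f.mul(A, B)
    A, B = f.sqr(A), f.sqr(B)
    Y2n = (-f.mulc(C2D, A) + 2 * Dm - f.mulc(C2, B)) % P
    Z2n = (f.mulc(D, A) - 2 * f.mulc(C2D, Dm) + B) % P
    return Y2n, Z2n


def _tail(A, B, f):
    """Shared part of the rewritten schedule; A = Y_n^2, B = Z_n^2."""
    E, F = f.sqr(A), f.sqr(B)
    G = (f.sqr(A + B) - E - F) % P     # 2 * Y_n^2 * Z_n^2 without a multiplication
    T = (F + f.mulc(D, E)) % P         # Z_n^4 + d * Y_n^4, used twice
    return (G - f.mulc(C2, T)) % P, (-f.mulc(C2D, G) + T) % P


def double_new(Y, Z, f):
    """Rewritten schedule in (BB): 5S + 3M_c."""
    return _tail(f.sqr(Y), f.sqr(Z), f)


def double_sqo(Ysq, Zsq, f):
    """Schedule in (DD): squares in, squares out, 5S + 3M_c."""
    Y2n, Z2n = _tail(Ysq, Zsq, f)
    return f.sqr(Y2n), f.sqr(Z2n)


def compare(trials=200, seed=1):
    """Return the (M, S, M_c) cost of each schedule, or None on a mismatch."""
    rng = random.Random(seed)
    for _ in range(trials):
        Y, Z = rng.randrange(1, P), rng.randrange(1, P)
        ref = formula_b(Y, Z)
        old, new, sqo = Ops(), Ops(), Ops()
        if double_old(Y, Z, old) != ref or double_new(Y, Z, new) != ref:
            return None
        want_sq = (ref[0] ** 2 % P, ref[1] ** 2 % P)
        if double_sqo(Y * Y % P, Z * Z % P, sqo) != want_sq:
            return None
    return old.cost(), new.cost(), sqo.cost()


if __name__ == "__main__":
    print(compare())
```
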

EE. SQO Tripling for Generalised Edwards Coordinates:

By inspecting formula (E) in Section 2, we can see that the total complexity of formula (E) is $(4M + 7S + 8M_c)$. The algorithm used to compute $Y_{3n}$ and $Z_{3n}$ in formula (CC) of this section can be adapted to compute the requisite formulae. The first two steps can be omitted as squares are already available and the last two steps can be replaced with

$$Y_{3n}^2 \leftarrow Y_n^2\left[(c^2d^2)J - (\tfrac{3}{2}c^2d)H + (c^2d + 1)M - (3c^2)K\right]^2$$

$$Z_{3n}^2 \leftarrow Z_n^2\left[(-3c^2d^2)J - d(c^4d + 1)N - (\tfrac{3}{2}c^2d)H + (c^2)K\right]^2$$

The complexity of this algorithm would be the same as that of formula (CC) which is $(10S + 2M + 5M_c)$. We can take $2M = 3S$ (Bernstein, 2006a). Thus $3S < (2M + 3M_c)$ and the new algorithm with complexity $(10S + 2M + 5M_c)$ is better than the older one with complexity $(7S + 4M + 8M_c)$.

FF. Affine w-coordinate Differential Addition and Doubling for a new model of Binary Edwards Curves proposed in (H.Wu et al., 2012):

The operation count of computing $w_4$ in formula (F) in Section 2 is $1I + 1M + 1M_c + 2S$ as the formula can be computed using the algorithm below:

$$
\begin{array}{lll}
A = w_2^2 & (= w_2^2) & 1S \\
B = A^2 & (= w_2^4) & 1S \\
C = t^2A & (= t^2w_2^2) & 1M_c \\
D = C^{-1} & \left(= \dfrac{1}{t^2w_2^2}\right) & 1I \\
w_4 = (1 + B)D & \left(= \dfrac{1 + w_2^4}{t^2w_2^2}\right) & 1M
\end{array}
$$

Now $w_4$ can be rewritten as

$$w_4 = \frac{1}{t^2}\left(\frac{1}{w_2^2} + w_2^2\right)$$

and $w_4$ can be computed using the following algorithm:

$$
\begin{array}{lll}
A = w_2^2 & (= w_2^2) & 1S \\
B = \dfrac{1}{A} & \left(= \dfrac{1}{w_2^2}\right) & 1I \\
w_4 = \dfrac{1}{t^2}(A + B) & \left(= \dfrac{1}{t^2}\left(\dfrac{1}{w_2^2} + w_2^2\right)\right) & M_c
\end{array}
$$

Thus the complexity of the new doubling algorithm is $1I + 1S + 1M_c$ resulting in a saving of $1M + 1S$. The formulae (F) for differential addition ($w_5$) in the previous section costs $1I + 2M + 2S + 1M_c$. Considering that $w_2^2$ is computed both in the differential addition and doubling steps, $w_2^2$ can be computed just once. Thus the new total cost of a differential addition and doubling is $2I + 2M + 2S + 2M_c$ or $1I + 5M + 2S + 2M_c$ with Montgomery's Inversion trick, as compared to the previous total cost of $1I + 6M + 4S + 2M_c$ resulting in an overall saving of $1M + 2S$.
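The rewritten $w_4$ and the combined addition-and-doubling step with a single shared inversion can be exercised in a small binary field. The following is an added example, not code from the paper; the field GF(2^8) with polynomial x^8 + x^4 + x^3 + x + 1, the values of t and the inputs are constructed, the function names are hypothetical, and the check covers only the algebraic equivalence of the schedules on arbitrary field elements, not membership on $S_t$.

```python
# Constructed toy field GF(2^8), reduction polynomial x^8 + x^4 + x^3 + x + 1.
MOD = 0x11B


def gmul(a, b):
    """Multiplication in GF(2^8) by shift-and-add with reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MOD
        b >>= 1
    return r


def ginv(a):
    """Inverse as a^(2^8 - 2); a must be nonzero."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gmul(r, a)
        a = gmul(a, a)
        e >>= 1
    return r


def w4_old(w2, t2):
    """Schedule for formula (F): 1I + 1M + 2S + 1M_c."""
    A = gmul(w2, w2)                 # S
    B = gmul(A, A)                   # S
    Cc = gmul(t2, A)                 # M_c
    return gmul(1 ^ B, ginv(Cc))     # I + M


def w4_new(w2, t2inv):
    """Rewritten schedule (FF): 1I + 1S + 1M_c, with 1/t^2 precomputed."""
    A = gmul(w2, w2)                 # S
    return gmul(t2inv, A ^ ginv(A))  # I + M_c


def w5_ref(w1, w2, w3, t2):
    """Formula (F) for w5 with its own inversion; reference value."""
    den = gmul(w2, w2) ^ gmul(w3, w3)
    return w1 ^ gmul(gmul(t2, gmul(w2, w3)), ginv(den))


def add_and_double(w1, w2, w3, t2, t2inv):
    """(w4, w5) with one shared inversion: 1I + 5M + 2S + 2M_c."""
    A = gmul(w2, w2)                         # S, shared by both formulae
    den = A ^ gmul(w3, w3)                   # S
    u = ginv(gmul(A, den))                   # M + I
    inv_a, inv_den = gmul(u, den), gmul(u, A)    # 2M
    w4 = gmul(t2inv, A ^ inv_a)              # M_c
    w5 = w1 ^ gmul(gmul(t2, gmul(w2, w3)), inv_den)  # M + M_c + M
    return w4, w5


def check(ts=(0x02, 0x53, 0xCA)):
    """Return the number of inputs checked, or -1 on the first mismatch."""
    n = 0
    for t in ts:
        t2 = gmul(t, t)
        t2inv = ginv(t2)
        for w2 in range(1, 256):
            if w4_old(w2, t2) != w4_new(w2, t2inv):
                return -1
            w3 = w2 ^ 0x1D           # any w3 != w2 keeps w2^2 + w3^2 nonzero
            w1 = (w2 * 7) & 0xFF     # arbitrary field element
            want = (w4_new(w2, t2inv), w5_ref(w1, w2, w3, t2))
            if add_and_double(w1, w2, w3, t2, t2inv) != want:
                return -1
            n += 1
    return n


if __name__ == "__main__":
    print(check())
```
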

4 DOUBLING IN TWISTED EDWARDS CURVES

In this section, we look at the doubling formula for Twisted Edwards Curves with a particular parameterization and then propose alternate formulae for the same. Building on the work of Edwards (Edwards, 2007), the authors in (Bernstein et al., 2008b) introduced Twisted Edwards Curves, whose equation is given by

$$ax^2 + y^2 = 1 + dx^2y^2 \qquad (2)$$

where $K$ is a field of odd characteristic and $a, d \in K$ with $ad(a - d) \neq 0$. Here, we closely follow the treatment in (Hisil, 2010), where, amongst others, the formulae for Homogeneous Projective, Inverted and Extended Homogeneous Projective coordinates are presented. The triplet $(X : Y : Z)$ satisfies the homogeneous projective equation $aX^2Z^2 + Y^2Z^2 = Z^4 + dX^2Y^2$.

Homogeneous Projective Coordinates:

Here the triplet $(X : Y : Z)$ corresponds to the affine point $(X/Z, Y/Z)$ with $Z \neq 0$. If $P = (X_1 : Y_1 : Z_1)$ then the doubling formula for $[2]P = (X_2 : Y_2 : Z_2)$ is as below: (assuming $Z_2 \neq 0$).

$$X_2 = 2X_1Y_1(2Z_1^2 - Y_1^2 - aX_1^2)$$

$$Y_2 = (Y_1^2 - aX_1^2)(Y_1^2 + aX_1^2)$$

$$Z_2 = (Y_1^2 + aX_1^2)(2Z_1^2 - Y_1^2 - aX_1^2)$$

Evaluating the above doubling formulae as in (Bernstein et al., 2008b) costs $3M + 4S + 1M_c$ and is computed using the following algorithm:

$$
\begin{array}{lll}
B \leftarrow (X_1 + Y_1)^2 & (= X_1^2 + Y_1^2 + 2X_1Y_1) & S \\
C \leftarrow X_1^2 & (= X_1^2) & S \\
D \leftarrow Y_1^2 & (= Y_1^2) & S \\
E \leftarrow aC & (= aX_1^2) & M_c \\
F \leftarrow E + D & (= Y_1^2 + aX_1^2) & \\
H \leftarrow Z_1^2 & (= Z_1^2) & S \\
J \leftarrow F - 2H & (= -(2Z_1^2 - Y_1^2 - aX_1^2)) & \\
X_2 \leftarrow (B - C - D)J & (= -(2X_1Y_1)(2Z_1^2 - Y_1^2 - aX_1^2)) & M \\
Y_2 \leftarrow F(E - D) & (= -(Y_1^2 - aX_1^2)(Y_1^2 + aX_1^2)) & M \\
Z_2 \leftarrow -FJ & (= (Y_1^2 + aX_1^2)(2Z_1^2 - Y_1^2 - aX_1^2)) & M
\end{array}
$$

If $a = 1$, then the doubling costs $3M + 4S$ by replacing the instruction $X_2 \leftarrow (B - C - D)J$ in the above algorithm with $X_2 \leftarrow (B - F)J$, as in (Bernstein and T.Lange, 2007a).

If $a = -1$, then the doubling again costs $3M + 4S$ and can be computed using the following algorithm as provided in (Hisil, 2010):

$$
\begin{array}{lll}
A \leftarrow 2Z_1^2 & (= 2Z_1^2) & S \\
B \leftarrow Y_1^2 & (= Y_1^2) & S \\
C \leftarrow X_1^2 & (= X_1^2) & S \\
D \leftarrow B + C & (= X_1^2 + Y_1^2) & \\
E \leftarrow B - C & (= Y_1^2 - X_1^2) & \\
F \leftarrow A - E & (= 2Z_1^2 + X_1^2 - Y_1^2) & \\
X_2 \leftarrow ((X_1 + Y_1)^2 - D)F & (= (2X_1Y_1)(2Z_1^2 + X_1^2 - Y_1^2)) & S + M \\
Y_2 \leftarrow DE & (= (X_1^2 + Y_1^2)(Y_1^2 - X_1^2)) & M \\
Z_2 \leftarrow EF & (= (Y_1^2 - X_1^2)(2Z_1^2 + X_1^2 - Y_1^2)) & M
\end{array}
$$

Inverted Coordinates:

Here the triplet $(X : Y : Z)$ corresponds to the affine point $(Z/X, Z/Y)$ with $Z \neq 0$. If the triplet $(X_1 : Y_1 : Z_1)$ satisfies the homogeneous projective equation $aX^2Z^2 + Y^2Z^2 = Z^4 + dX^2Y^2$ and $X_1Y_1Z_1 \neq 0$, then the doubling formulae for $[2]P = (X_2 : Y_2 : Z_2)$ is as below: (assuming $X_2Y_2Z_2 \neq 0$):

$$X_2 = (X_1^2 - aY_1^2)(X_1^2 + aY_1^2)$$

$$Y_2 = 2X_1Y_1(X_1^2 + aY_1^2 - 2dZ_1^2)$$

$$Z_2 = 2X_1Y_1(X_1^2 - aY_1^2)$$

Evaluating the above doubling formulae as in (Bernstein et al., 2008b) costs $3M + 4S + 2M_c$ and is computed using the following algorithm:

$$
\begin{array}{lll}
A \leftarrow X_1^2 & (= X_1^2) & S \\
B \leftarrow Y_1^2 & (= Y_1^2) & S \\
U \leftarrow aB & (= aY_1^2) & M_c \\
C \leftarrow A + U & (= (X_1^2 + aY_1^2)) & \\
D \leftarrow A - U & (= (X_1^2 - aY_1^2)) & \\
E \leftarrow (X_1 + Y_1)^2 - A - B & (= 2X_1Y_1) & S \\
X_2 \leftarrow CD & (= (X_1^2 + aY_1^2)(X_1^2 - aY_1^2)) & M \\
Y_2 \leftarrow E(C - (2d)Z_1^2) & (= 2X_1Y_1(X_1^2 + aY_1^2 - 2dZ_1^2)) & M + M_c + S \\
Z_2 \leftarrow DE & (= 2X_1Y_1(X_1^2 - aY_1^2)) & M
\end{array}
$$

If $a = 1$ then the doubling takes $3M + 4S + 1M_c$ by computing $E$ as $(X_1 + Y_1)^2 - C$, see (Bernstein and T.Lange, 2007b).

If $a = -1$ then the doubling again takes $3M + 4S + 1M_c$ by computing $E$ as $(X_1 + Y_1)^2 - D$ and replacing $U \leftarrow aB$, $C \leftarrow A + U$, $D \leftarrow A - U$ with $C \leftarrow A - B$, $D \leftarrow A + B$ as given in (Hisil, 2010).

Extended Homogeneous Projective Coordinates:

In this system, each point $(x, y)$ on $ax^2 + y^2 = 1 + dx^2y^2$ is represented by the quadruplet $(X : Y : T : Z)$ which in turn corresponds to the affine point $(X/Z, Y/Z)$ with the auxiliary coordinate $T = XY/Z$ and $Z \neq 0$. If $(X_1 : Y_1 : T_1 : Z_1)$ with $Z_1 \neq 0$ and $T_1 = X_1Y_1/Z_1$ satisfy $aX^2Z^2 + Y^2Z^2 = Z^4 + dX^2Y^2$, then the doubling formulae for $[2](X_1, Y_1, T_1, Z_1) = (X_2 : Y_2 : T_2 : Z_2)$ is as follows (assuming $Z_2 \neq 0$):

$$X_2 = 2X_1Y_1(2Z_1^2 - Y_1^2 - aX_1^2)$$

$$Y_2 = (Y_1^2 - aX_1^2)(Y_1^2 + aX_1^2)$$

$$T_2 = 2X_1Y_1(Y_1^2 - aX_1^2)$$

$$Z_2 = (Y_1^2 + aX_1^2)(2Z_1^2 - Y_1^2 - aX_1^2)$$

Evaluating the above doubling formulae as in (Hisil, 2010) costs $4M + 4S + 1M_c$ and is computed using the following algorithm:

$$
\begin{array}{lll}
A \leftarrow X_1^2 & (= X_1^2) & S \\
B \leftarrow Y_1^2 & (= Y_1^2) & S \\
C \leftarrow 2Z_1^2 & (= 2Z_1^2) & S \\
D \leftarrow aA & (= aX_1^2) & M_c \\
E \leftarrow B + D & (= Y_1^2 + aX_1^2) & \\
F \leftarrow B - D & (= Y_1^2 - aX_1^2) & \\
G \leftarrow C - E & (= 2Z_1^2 - (Y_1^2 + aX_1^2)) & \\
H \leftarrow (X_1 + Y_1)^2 - A - B & (= 2X_1Y_1) & S \\
X_2 \leftarrow GH & (= (2X_1Y_1)(2Z_1^2 - Y_1^2 - aX_1^2)) & M \\
Y_2 \leftarrow EF & (= (Y_1^2 - aX_1^2)(Y_1^2 + aX_1^2)) & M \\
T_2 \leftarrow FH & (= 2X_1Y_1(Y_1^2 - aX_1^2)) & M \\
Z_2 \leftarrow EG & (= (Y_1^2 + aX_1^2)(2Z_1^2 - Y_1^2 - aX_1^2)) & M
\end{array}
$$

If $a = 1$ then the doubling costs $4M + 4S$ and can be computed by first removing $D \leftarrow aA$ and then replacing $E \leftarrow B + D$, $F \leftarrow B - D$, $H \leftarrow (X_1 + Y_1)^2 - A - B$ with $E \leftarrow B + A$, $F \leftarrow B - A$, $H \leftarrow (X_1 + Y_1)^2 - E$, respectively.

If $a = -1$ then the doubling costs $4M + 4S$ and can be computed by first removing $D \leftarrow aA$ and then replacing $E \leftarrow B + D$, $F \leftarrow B - D$, $H \leftarrow (X_1 + Y_1)^2 - A - B$ with $E \leftarrow B - A$, $F \leftarrow B + A$, $H \leftarrow (X_1 + Y_1)^2 - F$, respectively.

New Alternate Algorithm to Compute Doubling Formulae for Homogeneous Projective, Inverted and Extended Homogeneous Projective Coordinates ($a = 1$ or $a = -1$):

Here we provide an alternate algorithm to compute a doubling on Twisted Edwards Curves. It is possible to collect instructions that are common to all the 3 computations, compute them separately and then perform computations that are specific to the coordinate system being used. Below, we first present instructions that are common to all the 3 coordinate systems considered here and then present instructions that are specific to the coordinate system being used. We note here that for all nonzero $c \in K$, $(X : Y : Z) = (cX : cY : cZ)$.

Instructions Common to all 3 Coordinate Systems:

$$
\begin{array}{lll}
A \leftarrow (X_1 + Y_1)^2 & (= X_1^2 + Y_1^2 + 2X_1Y_1) & S \\
B \leftarrow (X_1 - Y_1)^2 & (= X_1^2 + Y_1^2 - 2X_1Y_1) & S \\
C \leftarrow A + B & (= 2(X_1^2 + Y_1^2)) & \\
D \leftarrow A - B & (= 4X_1Y_1) & \\
E \leftarrow (Z_1 + Z_1)^2 & (= 4Z_1^2) & S \\
F \leftarrow (X_1 + X_1)^2 & (= 4X_1^2) & S \\
G \leftarrow C - F & (= 2(Y_1^2 - X_1^2)) &
\end{array}
$$

Instructions Specific to Homogeneous Projective Coordinates:

$$
\begin{array}{lll}
Y_2 \leftarrow CG & (= 4(Y_1^2 + X_1^2)(Y_1^2 - X_1^2)) & M \\
\text{if } a = +1 & & \\
X_2 \leftarrow D(E - C) & (= (4X_1Y_1)(4Z_1^2 - 2(X_1^2 + Y_1^2))) & M \\
Z_2 \leftarrow C(E - C) & (= 2(X_1^2 + Y_1^2)(4Z_1^2 - 2(X_1^2 + Y_1^2))) & M \\
\text{if } a = -1 & & \\
X_2 \leftarrow D(E - G) & (= (4X_1Y_1)(4Z_1^2 - 2(Y_1^2 - X_1^2))) & M \\
Z_2 \leftarrow G(E - G) & (= (2(Y_1^2 - X_1^2))(4Z_1^2 - 2(Y_1^2 - X_1^2))) & M
\end{array}
$$

Instructions Specific to Inverted Coordinates:

$$
\begin{array}{lll}
X_2 \leftarrow CG & (= 4(Y_1^2 + X_1^2)(Y_1^2 - X_1^2)) & M \\
\text{if } a = +1 & & \\
Y_2 \leftarrow D(dE - C) & (= (4X_1Y_1)(4dZ_1^2 - 2(X_1^2 + Y_1^2))) & M \\
Z_2 \leftarrow DG & (= (4X_1Y_1)(2(Y_1^2 - X_1^2))) & M \\
\text{if } a = -1 & & \\
Y_2 \leftarrow D(dE + G) & (= (4X_1Y_1)(4dZ_1^2 + 2(Y_1^2 - X_1^2))) & M \\
Z_2 \leftarrow -DC & (= (-4X_1Y_1)(2(X_1^2 + Y_1^2))) & M
\end{array}
$$

Instructions Specific to Extended Homogeneous Projective Coordinates:

$$
\begin{array}{lll}
Y_2 \leftarrow CG & (= 4(X_1^2 + Y_1^2)(Y_1^2 - X_1^2)) & M \\
\text{if } a = +1 & & \\
X_2 \leftarrow D(E - C) & (= (4X_1Y_1)(4Z_1^2 - 2(X_1^2 + Y_1^2))) & M \\
T_2 \leftarrow DG & (= (4X_1Y_1)(2(Y_1^2 - X_1^2))) & M \\
Z_2 \leftarrow C(E - C) & (= (2(X_1^2 + Y_1^2))(4Z_1^2 - 2(X_1^2 + Y_1^2))) & M \\
\text{if } a = -1 & & \\
X_2 \leftarrow D(E - G) & (= (4X_1Y_1)(4Z_1^2 - 2(Y_1^2 - X_1^2))) & M \\
T_2 \leftarrow DC & (= (4X_1Y_1)(2(X_1^2 + Y_1^2))) & M \\
Z_2 \leftarrow G(E - G) & (= (2(Y_1^2 - X_1^2))(4Z_1^2 - 2(Y_1^2 - X_1^2))) & M
\end{array}
$$

The cost of the new algorithm presented here is the same as that of the currently known best algorithms in the literature due to Bernstein and Hisil depicted above (i.e., $3M + 4S$ operations each for Homogeneous Projective and Inverted coordinates and $4S + 4M$ operations for Extended Homogeneous Projective coordinates when the curve parameter $a = 1$ or $-1$). However, in the new algorithm, the non-coordinate specific instructions can be separated from the coordinate specific instructions as shown above (variables $A \ldots G$ are common to all coordinate forms) and further within each coordinate system, one instruction is independent of whether $a = 1$ or $-1$. Thus the new algorithm's footprint may be lower than the sum of the footprints of currently known algorithms for the three coordinate systems under consideration. Thus the new algorithm may be an attractive alternative when the implementation is intended to work across the three coordinate systems, namely Homogeneous Projective, Inverted and Extended Homogeneous Projective Coordinates.
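The shared-prefix doubling of this section can be checked against the affine twisted Edwards group law in all three coordinate systems for $a = 1$ and $a = -1$. The following is an added example, not code from the paper; the prime P = 1009 and d = 11 are constructed toy parameters, and the names common, dbl_projective, dbl_inverted, dbl_extended, affine_double, curve_points and verify are hypothetical.

```python
# Constructed toy parameters (assumptions for illustration, not from the paper).
P = 1009      # small odd prime
D = 11        # curve parameter d; a*d*(a - d) != 0 for both a = 1 and a = -1


def inv(v):
    return pow(v % P, -1, P)


def common(X1, Y1, Z1):
    """Instructions common to all three coordinate systems (4S)."""
    A = (X1 + Y1) ** 2 % P
    B = (X1 - Y1) ** 2 % P
    C = (A + B) % P            # 2(X1^2 + Y1^2)
    Dv = (A - B) % P           # 4*X1*Y1
    E = (Z1 + Z1) ** 2 % P     # 4*Z1^2
    F = (X1 + X1) ** 2 % P     # 4*X1^2
    G = (C - F) % P            # 2(Y1^2 - X1^2)
    return C, Dv, E, G


def dbl_projective(a, X1, Y1, Z1):
    C, Dv, E, G = common(X1, Y1, Z1)
    K = C if a == 1 else G     # the only a-dependent operand
    return Dv * (E - K) % P, C * G % P, K * (E - K) % P


def dbl_inverted(a, X1, Y1, Z1):
    C, Dv, E, G = common(X1, Y1, Z1)
    if a == 1:
        return C * G % P, Dv * (D * E - C) % P, Dv * G % P
    return C * G % P, Dv * (D * E + G) % P, -Dv * C % P


def dbl_extended(a, X1, Y1, Z1):
    C, Dv, E, G = common(X1, Y1, Z1)
    K, L = (C, G) if a == 1 else (G, C)
    return Dv * (E - K) % P, C * G % P, Dv * L % P, K * (E - K) % P  # X2, Y2, T2, Z2


def affine_double(a, x, y):
    """Reference: affine addition law with both inputs equal to (x, y)."""
    t = D * x * x * y * y % P
    if (1 + t) % P == 0 or (1 - t) % P == 0:
        return None
    return 2 * x * y * inv(1 + t) % P, (y * y - a * x * x) * inv(1 - t) % P


def curve_points(a):
    """All affine points of a*x^2 + y^2 = 1 + d*x^2*y^2 over GF(P)."""
    roots = {}
    for r in range(P):
        roots.setdefault(r * r % P, []).append(r)
    pts = []
    for x in range(P):
        den = (1 - D * x * x) % P
        if den:
            y_sq = (1 - a * x * x) * inv(den) % P
            pts += [(x, y) for y in roots.get(y_sq, [])]
    return pts


def verify(a):
    """Number of points whose doubling agrees in all systems, or -1 on a mismatch."""
    checked = 0
    for x, y in curve_points(a):
        want = affine_double(a, x, y)
        if x == 0 or y == 0 or want is None or 0 in want:
            continue                       # inverted coordinates need nonzero x, y
        lam = 1 + (7 * x + y) % (P - 1)    # arbitrary nonzero projective scaling
        X2, Y2, Z2 = dbl_projective(a, lam * x % P, lam * y % P, lam)
        ok = (X2 * inv(Z2) % P, Y2 * inv(Z2) % P) == want
        X2, Y2, Z2 = dbl_inverted(a, lam * inv(x) % P, lam * inv(y) % P, lam)
        ok &= (Z2 * inv(X2) % P, Z2 * inv(Y2) % P) == want
        X2, Y2, T2, Z2 = dbl_extended(a, lam * x % P, lam * y % P, lam)
        ok &= (X2 * inv(Z2) % P, Y2 * inv(Z2) % P) == want
        ok &= T2 * Z2 % P == X2 * Y2 % P   # auxiliary coordinate stays consistent
        if not ok:
            return -1
        checked += 1
    return checked


if __name__ == "__main__":
    print(verify(1), verify(-1))
```
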

5 CONCLUSION

In this paper, we improved the arithmetic for differential addition on Generalized Edwards curves. We also improved the w-coordinate formulae for a new model of elliptic curve proposed by Wu, Tang and Feng. We also provided a new algorithm for point doubling on Twisted Edwards Curves with a lower footprint for implementation.

ACKNOWLEDGEMENTS

The author would like to sincerely thank the anonymous reviewers of SECRYPT 2016 for their extremely useful comments and suggestions.

REFERENCES

Bernstein, D. (2006a). Curve25519: New Diffie-Hellman speed records. In Public Key Cryptography - PKC 2006, LNCS 3958.

Bernstein, D. (2006b). Differential Addition Chains. Technical report, http://cr.yp.to/ecdh/diffchain-20060219.pdf accessed on 30th Nov 2015.

Bernstein, D. and Lange, T. (2007). Explicit Forms Database (EFD). Technical report, http://hyperelliptic.org/EFD/ accessed on 30th Nov 2015.

Bernstein, D., Lange, T., and Farashahi, T. (2008a). Binary Edwards Curves. In Cryptographic Hardware and Embedded Systems - CHES 2008, LNCS 5154.

Bernstein, D., P.Birkner, M.Joye, T.Lange, and C.Peters (2008b). Twisted Edwards Curves. In AFRICACRYPT 2008, LNCS 5023.

Bernstein, D. and T.Lange (2007a). Faster addition and doubling on Elliptic curves. In ASIACRYPT 2007, LNCS 4833.

Bernstein, D. and T.Lange (2007b). Inverted Edwards coordinates. In Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, AAECC-17, LNCS 4851.

D.Knuth (1998). The Art of Computer Programming Vol 2. Pearson Education.

E.Brier and M.Joye (2002). Weierstrass Elliptic Curves and side channel attacks. In Public Key Cryptography - PKC 2002, LNCS 2274.

Edwards, H. (2007). A normal form for elliptic curves. Bulletin of the AMS, 44(3):393-422.

Hisil, H. (2010). Elliptic Curves, Group Law, and Efficient Computation. PhD thesis, Queensland University of Technology.

H.Wu, C.Tang, and R.Feng (2012). A new model of Binary Elliptic Curves. In INDOCRYPT 2012, LNCS 7668.

J.Lopez and R.Dahab (1999). Fast multiplication on Elliptic Curves over $GF(2^m)$ without precomputation. In Cryptographic Hardware and Embedded Systems - CHES 1999, LNCS 1717.

M.Joye and S.Yen (2002). The Montgomery Powering Ladder. In Cryptographic Hardware and Embedded Systems - CHES 2002, LNCS 2523.

Montgomery, P. L. (1992). Evaluating recurrences of form $X_{m+n} = f(X_m, X_n, X_{m-n})$ via Lucas chains. Technical report, ftp://ftp.cwi.nl/pub/pmontgom/Lucas.ps.gz accessed on 30th Nov 2015.

P.L.Montgomery (1987). Speeding the Pollard and Elliptic Curve methods of Factorization. In Mathematics of Computation Vol 48, Issue 177 Jan 1987.

R.Justus and Loebenberger, D. (2010). Differential Addition in Generalized Edwards Coordinates. In 5th International Workshop on Security - IWSEC 2010, LNCS 6434.