Commit a59f2e2b authored by Niels Möller's avatar Niels Möller

Notes on the EdDSA twist.

parent 03d8c760
......@@ -26,11 +26,11 @@ Affine formulas for duplication, $(x_2, y_2) = 2(x_1, y_1)$:
Affine formulas for addition, $(x_3, y_3) = (x_1, y_1) + (x_2,
t &= (x_2 - x_1)^{-1} (y_2 - y_1) \\
x_3 &= t^2 - x_1 - x_2 \\
y_3 &= (x_1 - x_3) t - y_1
\section{Montgomery curve}
......@@ -105,6 +105,29 @@ This works also for doubling, but a more efficient variant is
Z_3 &= E J
The EdDSA paper (\url{})
suggests using the twisted Edwards curve,
-x^2 + y^2 = 1 + d x^2 y^2 \pmod{p}
Assuming -1 has a square root modulo $p$, a point $(x, y)$ lies on
this curve if and only if $(\sqrt{-1} x, p)$ lies of the non-twisted
Edwards curve. The point additin formulas for the twisted Edwards
curve are
t &= d x_1 x_2 y_1 y_2 \\
x_3 &= (1 + t)^{-1} (x_1 y_2 + y_1 x_2) \\
y_3 &= (1 - t)^{-1} (y_1 y_2 + x_1 x_2)
For the other formulas, it should be fine to just switch the sign of
terms involving $x_1 x_2$ or $x_1^2$. The paper suggests further
optimizations: For precomputed points, use the representation $(x-y,
x+y, dxy)$. And for temporary points, maintain an additional redundant
coordinate $T$, with $Z T = X Y$ (see
Curve25519 is defined as the Montgomery curve
......@@ -145,6 +168,25 @@ coordinates, $u = U/W$ and $v = V/W$, then
so we need to invert the value $(W-V) U$.
\subsection{Transforms for the twisted Edwards Curve}
If we use the twisted Edwards curve instead, let $\alpha = \sqrt{-1}
\pmod{p}$. Then we work with coordinates $(u', v)$, where $u' = \alpha
u$. The transform from Montgomery form $(x, y)$ is then
u &= (\alpha \sqrt{b+2}) \, x / y\\
v &= (x-1) / (x+1)
And the inverse transform is similarly
x &= (1+v) / (1-v) \\
y &= (\alpha \sqrt{b+2}) \, x / u
so it's just a change of the transform constant, effectively using
$\sqrt{-(b+2)}$ instead.
\subsection{Coordinates outside of the base field}
The curve25519 function is defined with an input point represented by
the $x$-coordinate only, and is specified as allowing any value. The
corresponding $y$ coordinate is given by
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment