Paper 2007/410

Inverted Edwards coordinates

Daniel J. Bernstein and Tanja Lange

Abstract

Edwards curves have attracted great interest for several reasons. When curve parameters are chosen properly, the addition formulas use only $10M+1S$. The formulas are {\it strongly unified}, i.e., work without change for doublings; even better, they are {\it complete}, i.e., work without change for all inputs. Dedicated doubling formulas use only $3M+4S$, and dedicated tripling formulas use only $9M+4S$. This paper introduces {\it inverted Edwards coordinates}. Inverted Edwards coordinates $(X_1:Y_1:Z_1)$ represent the affine point $(Z_1/X_1,Z_1/Y_1)$ on an Edwards curve; for comparison, standard Edwards coordinates $(X_1:Y_1:Z_1)$ represent the affine point $(X_1/Z_1,Y_1/Z_1)$. This paper presents addition formulas for inverted Edwards coordinates using only $9M+1S$. The formulas are not complete but still are strongly unified. Dedicated doubling formulas use only $3M+4S$, and dedicated tripling formulas use only $9M+4S$. Inverted Edwards coordinates thus save $1M$ for each addition, without slowing down doubling or tripling.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
Elliptic curvesadditiondoublingexplicit formulasEdwards coordinatesinverted Edwards coordinatesside-channel countermeasuresunified addition formulasstrongly unified addition formulas.
Contact author(s)
tanja @ hyperelliptic org
History
2007-10-26: received
Short URL
https://ia.cr/2007/410
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2007/410,
      author = {Daniel J.  Bernstein and Tanja Lange},
      title = {Inverted Edwards coordinates},
      howpublished = {Cryptology {ePrint} Archive, Paper 2007/410},
      year = {2007},
      url = {https://eprint.iacr.org/2007/410}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.