Paper 2007/410
Inverted Edwards coordinates
Daniel J. Bernstein and Tanja Lange
Abstract
Edwards curves have attracted great interest for several reasons. When curve parameters are chosen properly, the addition formulas use only $10M+1S$. The formulas are {\it strongly unified}, i.e., work without change for doublings; even better, they are {\it complete}, i.e., work without change for all inputs. Dedicated doubling formulas use only $3M+4S$, and dedicated tripling formulas use only $9M+4S$. This paper introduces {\it inverted Edwards coordinates}. Inverted Edwards coordinates $(X_1:Y_1:Z_1)$ represent the affine point $(Z_1/X_1,Z_1/Y_1)$ on an Edwards curve; for comparison, standard Edwards coordinates $(X_1:Y_1:Z_1)$ represent the affine point $(X_1/Z_1,Y_1/Z_1)$. This paper presents addition formulas for inverted Edwards coordinates using only $9M+1S$. The formulas are not complete but still are strongly unified. Dedicated doubling formulas use only $3M+4S$, and dedicated tripling formulas use only $9M+4S$. Inverted Edwards coordinates thus save $1M$ for each addition, without slowing down doubling or tripling.
Metadata
- Available format(s)
-
PDF
- Category
- Public-key cryptography
- Publication info
- Published elsewhere. Unknown where it was published
- Keywords
- Elliptic curvesadditiondoublingexplicit formulasEdwards coordinatesinverted Edwards coordinatesside-channel countermeasuresunified addition formulasstrongly unified addition formulas.
- Contact author(s)
- tanja @ hyperelliptic org
- History
- 2007-10-26: received
- Short URL
- https://ia.cr/2007/410
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2007/410,
author = {Daniel J. Bernstein and Tanja Lange},
title = {Inverted Edwards coordinates},
howpublished = {Cryptology ePrint Archive, Paper 2007/410},
year = {2007},
note = {\url{https://eprint.iacr.org/2007/410}},
url = {https://eprint.iacr.org/2007/410}
}
