Edwards normal form: Difference between revisions

An elliptic curve is in Edwards normal form^[1] if it can be described by the equation

${\displaystyle x^{2}+y^{2}=1+dx^{2}y^{2}}$

The more general original Edwards form has another parameter c

${\displaystyle x^{2}+y^{2}=c^{2}(1+dx^{2}y^{2})}$

but it is very simple to eliminate the scale parameter c and reduce this equation to its normal form for ease of performing algebraic group operations on rational points or finite fields.

The twist

There is also a “twisted” Edwards form

${\displaystyle ax^{2}+y^{2}=1+dx^{2}y^{2}}$

And this brings us back to the ancient Greek word στραγγός with the idea of using something “twisted” for strong cryptography.

Point group arithmetic

The point group operation on an elliptic curve in the twisted Edwards form as defined above is defined as ^[3]

${\displaystyle (x_{1},y_{1})\oplus (x_{2},y_{2})=\left({\frac {x_{1}y_{2}+y_{1}x_{2}}{1+dx_{1}x_{2}y_{1}y_{2}}},{\frac {y_{1}y_{2}-ax_{1}x_{2}}{1-dx_{1}x_{2}y_{1}y_{2}}}\right)}$.

Protestants find it offensive to refer to arithmetic or other operations as of some “law” or as works done through or under the “law” so to speak, although that term does appear as such in the original literature. It is something vaguely felt to be grammatically repulsive, almost as if in Spanish to imply, “bajo la ley” and not “sobre la ley” or above-board.

The term “law” is normally reserved in mathematical contexts for a formal probability measure over an event space. The abuse of the term in the cryptologic literature (hint, hint, there’s an arbitrary “law” involved in a mathematical operation) cannot be a coincidence. The FBI under Christopher Wray has for many years, and under other directors as well, been demanding “lawful access” to break the aforementioned encryption at will, and as usual, it’s “for the children” ^[4][5].

Example program in R

The point group “sum” of any two points on the curve should be derivable from geometric considerations of lines intersecting the curve and reflecting across axes as in the case of the Weierstraß normal form, but the precise rules seem a little bit more complicated, exactly which reflections to take where with so many axes of symmetry.

The R code here picks two points on the Ed448 curve at random and “sums” them.

#! /usr/bin/R -f

f <- function(x){sqrt((1-x^2)/(1+39081*x^2))}
g <- function(x1,y1,x2,y2,d=-39081){
	(x1*y2 + y1*x2) / (1 + d*x1*x2*y1*y2)
}
h <- function(x1,y1,x2,y2,d=-39081,a=1){
	(y1*y2 - a*x1*x2) / (1 - d*x1*x2*y1*y2)
}

x <- seq(0,1,0.0001); x <- c(rev(x),-x)
y <- f(x)
x <- c(x,rev(x)); y <- c(y,rev(-y))

xp <- (rbinom(2,100,0.5)-50)/100
yp <- f(xp) * (-1)^sample.int(2,1)

plot(x,y,type="l")
points(xp,yp)

points(g(xp[1],yp[1],xp[2],yp[2]),h(xp[1],yp[1],xp[2],yp[2]),pch=19)