CryptoDB
Inverted Edwards coordinates
Authors: |
- Daniel J. Bernstein
- Tanja Lange
|
Download: |
- URL: http://eprint.iacr.org/2007/410
- Search ePrint
- Search Google
|
Abstract: |
Edwards curves have attracted great interest for several reasons.
When curve parameters are chosen properly, the addition formulas use
only $10M+1S$. The formulas are {\it strongly unified}, i.e., work
without change for doublings; even better, they are {\it complete},
i.e., work without change for all inputs. Dedicated doubling formulas
use only $3M+4S$, and dedicated tripling formulas use only $9M+4S$.
This paper introduces {\it inverted Edwards coordinates}. Inverted
Edwards coordinates $(X_1:Y_1:Z_1)$ represent the affine point
$(Z_1/X_1,Z_1/Y_1)$ on an Edwards curve; for comparison, standard
Edwards coordinates $(X_1:Y_1:Z_1)$ represent the affine point
$(X_1/Z_1,Y_1/Z_1)$.
This paper presents addition formulas for inverted Edwards coordinates
using only $9M+1S$. The formulas are not complete but still are
strongly unified. Dedicated doubling formulas use only $3M+4S$, and
dedicated tripling formulas use only $9M+4S$. Inverted Edwards
coordinates thus save $1M$ for each addition, without slowing down
doubling or tripling.
|
BibTeX
@misc{eprint-2007-13690,
title={Inverted Edwards coordinates},
booktitle={IACR Eprint archive},
keywords={public-key cryptography / Elliptic curves, addition, doubling, explicit formulas, Edwards coordinates, inverted Edwards coordinates, side-channel countermeasures, unified addition formulas, strongly unified addition formulas.},
url={http://eprint.iacr.org/2007/410},
note={ tanja@hyperelliptic.org 13811 received 25 Oct 2007},
author={Daniel J. Bernstein and Tanja Lange},
year=2007
}