An Edwards curve is defined by:
$x^2+y^2=1+dx^2y^2$, with $d\notin\{0,1\}$ and the field characteristic not equal to 2.
For Curve25519 the Montgomery form is:
$v^2=u^3+486662u^2+u$, $q=2^{255}-19$
The corresponding Edwards curve is:
$x^2+y^2=1+(121665/121666)x^2y^2$
The two are related by the birational maps:
$(x,y)\mapsto(u,v)$: $u=(1+y)/(1-y)$, $v=\sqrt{486664}\,u/x$
$(u,v)\mapsto(x,y)$: $x=\sqrt{486664}\,u/v$, $y=(u-1)/(u+1)$
These maps are birational rather than isomorphisms: they are undefined at the finitely many points where a denominator vanishes ($y=1$, $x=0$, $u=-1$, $v=0$), which is exactly what the curve25519-dalek conversion code later on this page has to special-case.
Every Edwards curve has a point of order 4: on $x^2+y^2=1+dx^2y^2$ the points $(\pm1,0)$ double to $(0,-1)$, so the group order is always divisible by 4. For Curve25519 the cofactor is in fact 8, as this Sage session verifies:
sage: q=2^255-19
sage: E=EllipticCurve(GF(q),[0,486662,0,1,0])
sage: n=E.cardinality()
sage: n
57896044618658097711785492504343953926856930875039260848015607506283634007912
sage: factor(n)
2^3 * 7237005577332262213973186563042994240857116359379907606001950938285454250989
sage: r=2^252+27742317777372353535851937790883648493
sage: n/r
8
Per Definition 2.1 in the paper Twisted Edwards Curves:
By that definition every Edwards curve is a twisted Edwards curve, namely the case $a=1$ of $ax^2+y^2=1+dx^2y^2$.
For the Edwards-curve representation of Curve25519,
$x^2+y^2=1+dx^2y^2$, $d=121665/121666$, $q=2^{255}-19$,
$-1$ has a square root in $\mathbb{F}_q$ (because $q=2^{255}-19\equiv1\pmod 4$), so one can apply the map:
$(x,y)\mapsto(x/\sqrt{-1},\,y)$
which turns the curve into:
$-x^2+y^2=1+d'x^2y^2$, $d'=-(121665/121666)$, $q=2^{255}-19$
This curve is isomorphic over $\mathbb{F}_q$ to $x^2+y^2=1+dx^2y^2$ (the map is defined over $\mathbb{F}_q$ precisely because $\sqrt{-1}\in\mathbb{F}_q$).
Elliptic Curves for Security (RFC 7748) calls the curve $-x^2+y^2=1+d'x^2y^2$, $d'=-(121665/121666)$, $q=2^{255}-19$ edwards25519.
Magma script:
clear;
q:=2^255-19;
LegendreSymbol(-1, q); // 1, i.e. -1 is a square in F_q
Sage script ((q-1)/4 being an integer shows q ≡ 1 (mod 4), so -1 is a quadratic residue by Euler's criterion; the second computation gives the value of d' = -121665/121666 mod q used by RFC 8032):
sage: q=2^255-19
sage: (q-1)/4
14474011154664524427946373126085988481658748083205070504932198000989141204987
sage: mod(-121665/121666,q)
37095705934669439343138083508754565189542113879843219016388785533085940283555
The Montgomery curve
$v^2=u^3+486662u^2+u$, $q=2^{255}-19$
and edwards25519
$-x^2+y^2=1+d'x^2y^2$, $q=2^{255}-19$, $d'=-(121665/121666)\equiv 37095705934669439343138083508754565189542113879843219016388785533085940283555 \pmod q$
are related by the following maps (these are the maps stated in RFC 7748):
$(u,v)\mapsto(x,y)$: $x=\sqrt{-486664}\,u/v$, $y=(u-1)/(u+1)$
$(x,y)\mapsto(u,v)$: $u=(1+y)/(1-y)$, $v=\sqrt{-486664}\,u/x$
($\sqrt{-486664}$ exists in $\mathbb{F}_q$; it equals $\sqrt{-1}\cdot\sqrt{486664}$ up to sign, which is how the $\sqrt{486664}$ of the $a=1$ map and the $1/\sqrt{-1}$ of the twist map combine.)
Following the paper Twisted Edwards Curves Revisited, the common affine and projective coordinate representations are:
So a twisted Edwards curve in affine coordinates,
$ax^2+y^2=1+dx^2y^2$,
corresponds under $(x,y)\mapsto(X/Z,Y/Z)$ to the homogeneous projective form:
$(aX^2+Y^2)Z^2=Z^4+dX^2Y^2$
The identity element is $(0:1:1)$, the negative of $(X:Y:Z)$ is $(-X:Y:Z)$, and for every nonzero $\lambda\in\mathbb{F}_q$, $(X:Y:Z)=(\lambda X:\lambda Y:\lambda Z)$.
Point addition on a twisted Edwards curve in affine coordinates is:
$(x_1,y_1)+(x_2,y_2)=\left(\frac{x_1y_2+y_1x_2}{1+dx_1y_1x_2y_2},\ \frac{y_1y_2-ax_1x_2}{1-dx_1y_1x_2y_2}\right)=(x_3,y_3)$
This law is complete (neither denominator can vanish for $\mathbb{F}_q$-rational points) whenever $a$ is a square and $d$ is a non-square in $\mathbb{F}_q$. That holds for edwards25519 ($a=-1$ is a square and $d'$ is a non-square; since $-1$ is a square, $d=-d'$ of the $a=1$ form is a non-square as well), so the same formula also doubles a point and handles the identity and $P+(-P)$ without special cases.
The paper Twisted Edwards Curves Revisited further derives a formula that does not involve $d$:
$(x_1,y_1)+(x_2,y_2)=\left(\frac{x_1y_1+x_2y_2}{y_1y_2+ax_1x_2},\ \frac{x_1y_1-x_2y_2}{x_1y_2-y_1x_2}\right)=(x_3,y_3)$
Unlike the first formula this one is not complete: the second denominator is zero whenever $(x_1,y_1)=(x_2,y_2)$, so it cannot be used for doubling and an implementation has to treat that case (and the other exceptional inputs the paper lists) separately.
Both formulas require field inversions.
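The affine group law above, as an added example in Python (not code from this page or from curve25519-dalek): it implements both formulas for edwards25519 with plain integers, shows the d-free formula failing on doubling, exhibits the order-4 point $(\sqrt{-1},0)$ behind the cofactor-8 computation earlier on the page, and provides the two membership tests a practitioner needs when handling untrusted points: $8P=O$ (small-order point) and $\ell P=O$ (prime-order subgroup). The names `is_small_order` and `is_torsion_free` follow the checks curve25519-dalek exposes under those names, but the code here is a re-implementation; the base point is recovered from $y=4/5$ as in Ed25519.

```python
# Added example: affine twisted Edwards arithmetic on edwards25519 (not the page's or dalek's code).
Q = 2**255 - 19
A_TW = Q - 1                                            # a = -1
D_TW = -121665 * pow(121666, -1, Q) % Q                 # d = -121665/121666
ELL = 2**252 + 27742317777372353535851937790883648493  # prime order of the base point; #E = 8 * ELL
SQRT_M1 = pow(2, (Q - 1) // 4, Q)                       # sqrt(-1): 2 is a non-residue since Q = 5 (mod 8)
IDENTITY = (0, 1)
T4 = (SQRT_M1, 0)        # y = 0 forces -x^2 = 1, so x = +-sqrt(-1): a point of order 4


def inv(a):
    return pow(a, -1, Q)


def add_complete(p1, p2):
    """Complete twisted Edwards law. On edwards25519 the denominators 1 +/- d*x1*y1*x2*y2
    never vanish, so add_complete(p, p) is a valid doubling."""
    x1, y1 = p1
    x2, y2 = p2
    k = D_TW * x1 * y1 % Q * x2 * y2 % Q
    x3 = (x1 * y2 + y1 * x2) * inv(1 + k) % Q
    y3 = (y1 * y2 - A_TW * x1 * x2) * inv(1 - k) % Q
    return x3, y3


def add_dfree(p1, p2):
    """d-independent law from Twisted Edwards Curves Revisited. NOT complete: the denominator
    x1*y2 - y1*x2 is zero for p1 == p2, so it must never be used to double."""
    x1, y1 = p1
    x2, y2 = p2
    x3 = (x1 * y1 + x2 * y2) * inv(y1 * y2 + A_TW * x1 * x2) % Q
    y3 = (x1 * y1 - x2 * y2) * inv(x1 * y2 - y1 * x2) % Q
    return x3, y3


def neg(p):
    return (-p[0] % Q, p[1])


def scalar_mult(k, p):
    """Left-to-right double-and-add (variable time: fine for a harness, not for secret scalars)."""
    r = IDENTITY
    for bit in bin(k)[2:]:
        r = add_complete(r, r)
        if bit == "1":
            r = add_complete(r, p)
    return r


def on_curve(p):
    x, y = p
    return (A_TW * x * x + y * y - 1 - D_TW * x * x % Q * y * y) % Q == 0


def base_point():
    """Ed25519 base point: y = 4/5, x the even root of x^2 = (y^2 - 1)/(d*y^2 + 1)."""
    y = 4 * inv(5) % Q
    x2 = (y * y - 1) * inv(D_TW * y * y + 1) % Q
    x = pow(x2, (Q + 3) // 8, Q)          # square root for Q = 5 (mod 8) ...
    if x * x % Q != x2:
        x = x * SQRT_M1 % Q               # ... corrected by sqrt(-1) if the first try gave -x2
    return (Q - x if x & 1 else x, y)


def is_small_order(p):
    """8P = O: p lies in the 8-torsion subgroup (the dalek is_small_order check)."""
    return scalar_mult(8, p) == IDENTITY


def is_torsion_free(p):
    """ELL * P = O: p lies in the prime-order subgroup (the dalek is_torsion_free check)."""
    return scalar_mult(ELL, p) == IDENTITY


def order_of(p, limit=8):
    """Smallest k <= limit with k*P = O, or None. Meant for the small-order points."""
    r = p
    for k in range(1, limit + 1):
        if r == IDENTITY:
            return k
        r = add_complete(r, p)
    return None


def dfree_vs_complete():
    """Returns (d-free agrees with complete on distinct points, d-free raises on doubling)."""
    b = base_point()
    b2 = add_complete(b, b)
    agree = add_dfree(b, b2) == add_complete(b, b2)
    try:
        add_dfree(b, b)
        raises = False
    except ValueError:      # pow(0, -1, Q): the denominator x1*y2 - y1*x2 is zero
        raises = True
    return agree, raises
```

The point `add_complete(base_point(), T4)` is neither small-order nor torsion-free; that is the kind of input a cofactored Ed25519 verifier accepts and a strict one rejects, which is why both checks exist.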
The paper Twisted Edwards Curves states:
So by moving twisted Edwards point addition to projective coordinates the field inversions of the affine formulas disappear (a single inversion remains at the very end, to bring the final result back to affine form), which is considerably more efficient.
For $ax^2+y^2=1+dx^2y^2$, adding an auxiliary coordinate $t=xy$ to the point $(x,y)$ gives the extended affine coordinates $(x,y,t)$, which map to extended projective coordinates via $(x,y,t)\mapsto(x:y:t:1)$.
For every nonzero $\lambda\in\mathbb{F}_q$, $(X:Y:T:Z)=(\lambda X:\lambda Y:\lambda T:\lambda Z)$; a valid extended point always satisfies $XY=ZT$.
The conversion details in Twisted Edwards Curves Revisited are hard to follow; the curve25519-dalek curve-model documentation at https://doc-internal.dalek.rs/curve25519_dalek/backend/serial/curve_models/index.html is more intuitive.
Taking edwards25519 as the example, the conversion to the extended model goes as follows:
$-x^2+y^2=1+dx^2y^2$
Substituting $x=X/Z$, $y=Y/T$ and clearing denominators gives:
$-X^2T^2+Y^2Z^2=Z^2T^2+dX^2Y^2$
Now apply the Segre embedding:
$\sigma:((X:Z),(Y:T))\mapsto(XY:XT:ZY:ZT)=(W_0:W_1:W_2:W_3)$
/// A `CompletedPoint` is a point \\(((X:Z), (Y:T))\\) on the \\(\mathbb
/// P\^1 \times \mathbb P\^1 \\) model of the curve.
/// A point (x,y) in the affine model corresponds to \\( ((x:1),(y:1))
/// \\).
///
/// More details on the relationships between the different curve models
/// can be found in the module-level documentation.
#[derive(Copy, Clone)]
#[allow(missing_docs)]
pub struct CompletedPoint {
pub X: FieldElement,
pub Y: FieldElement,
pub Z: FieldElement,
pub T: FieldElement,
}
In these coordinates edwards25519 is described by the system:
$\begin{cases} W_0W_3=W_1W_2 \\ -W_1^2+W_2^2=W_3^2+dW_0^2 \end{cases}$
and $(W_0:W_1:W_2:W_3)$ is the extended coordinate system (the first equation is the $XY=ZT$ invariant, the second the curve equation).
/// An `EdwardsPoint` represents a point on the Edwards form of Curve25519.
#[derive(Copy, Clone)]
#[allow(missing_docs)]
pub struct EdwardsPoint {
pub(crate) X: FieldElement,
pub(crate) Y: FieldElement,
pub(crate) Z: FieldElement,
pub(crate) T: FieldElement,
}
Via $(W_0:W_1:W_2:W_3)\mapsto(W_1:W_2:W_3)$ we get:
$\frac{W_1}{W_3}=\frac{XT}{ZT}=\frac{X}{Z}=x$
$\frac{W_2}{W_3}=\frac{YZ}{ZT}=\frac{Y}{T}=y$
so dropping $W_0$ recovers the $\mathbb{P}^2$ projective point $(x:y:1)$:
/// A `ProjectivePoint` is a point \\((X:Y:Z)\\) on the \\(\mathbb
/// P\^2\\) model of the curve.
/// A point \\((x,y)\\) in the affine model corresponds to
/// \\((x:y:1)\\).
///
/// More details on the relationships between the different curve models
/// can be found in the module-level documentation.
#[derive(Copy, Clone)]
pub struct ProjectivePoint {
pub X: FieldElement,
pub Y: FieldElement,
pub Z: FieldElement,
}
In this $(X:Y:T:Z)$ notation the identity element is $(0:1:0:1)$ and the negative of $(X:Y:T:Z)$ is $(-X:Y:-T:Z)$. (curve25519-dalek stores the fields in the order X, Y, Z, T, so its identity is X=0, Y=1, Z=1, T=0.)
$T$ and $Z$ are not free: a valid extended point must satisfy $XY=ZT$, i.e. $T=XY/Z$. When an affine point $(x,y)$ is lifted, for example after decompression in curve25519-dalek, the natural choice is $Z=1$ and $T=X\cdot Y$; after additions $Z$ is in general no longer 1.
The sum $(X_1:Y_1:T_1:Z_1)+(X_2:Y_2:T_2:Z_2)=(X_3:Y_3:T_3:Z_3)$ is computed without any inversion as:
$X_3=(X_1Y_2+Y_1X_2)(Z_1Z_2-dT_1T_2)$
$Y_3=(Y_1Y_2-aX_1X_2)(Z_1Z_2+dT_1T_2)$
$T_3=(Y_1Y_2-aX_1X_2)(X_1Y_2+Y_1X_2)$
$Z_3=(Z_1Z_2-dT_1T_2)(Z_1Z_2+dT_1T_2)$
These are the two fractions of the affine formula with numerators and denominators cross-multiplied, so the affine result is $(X_3/Z_3,\,Y_3/Z_3)$ and $T_3/Z_3=x_3y_3$.
Twisted Edwards Curves Revisited again gives a version of this formula that does not involve $d$:
Note that the extended coordinates give the faster addition while projective coordinates give the faster doubling, so in practice the coordinate system is chosen per operation. curve25519-dalek does exactly this: it doubles in the projective model and adds in the extended model, passing through the completed $\mathbb{P}^1\times\mathbb{P}^1$ model in between.
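The extended-coordinate addition and the per-operation model switching just described, as an added Python example (not the page's or curve25519-dalek's code): it implements the $(X:Y:T:Z)$ addition formulas above for edwards25519, doubles in the $\mathbb{P}^2$ model via the completed $\mathbb{P}^1\times\mathbb{P}^1$ model with the same 3M+4S structure as dalek's ProjectivePoint::double (formula dbl-2008-bbjlp with $a=-1$, which the page itself does not print), and mirrors the to_extended/to_projective conversions quoted from dalek further down. The only field inversion in the whole file is in `to_affine`; all function names are chosen here.

```python
# Added example: edwards25519 in the P^3 (extended), P^2 (projective) and P^1 x P^1 (completed)
# models. Not the page's or curve25519-dalek's code.
Q = 2**255 - 19
D = -121665 * pow(121666, -1, Q) % Q                    # edwards25519: -x^2 + y^2 = 1 + D x^2 y^2
ELL = 2**252 + 27742317777372353535851937790883648493
SQRT_M1 = pow(2, (Q - 1) // 4, Q)
IDENTITY = (0, 1, 0, 1)     # extended points are tuples in the page's (X:Y:T:Z) order


def inv(a):
    return pow(a, -1, Q)


def from_affine(x, y):
    """Lift (x, y) to the extended model with Z = 1, T = x*y."""
    return (x % Q, y % Q, x * y % Q, 1)


def to_affine(p):
    """(X:Y:T:Z) -> (X/Z, Y/Z): the only inversion in this file."""
    X, Y, T, Z = p
    zi = inv(Z)
    return X * zi % Q, Y * zi % Q


def neg(p):
    X, Y, T, Z = p
    return (-X % Q, Y, -T % Q, Z)


def invariant_ok(p):
    """A valid extended point has X*Y = Z*T and, given that, -X^2 + Y^2 = Z^2 + D*T^2."""
    X, Y, T, Z = p
    return X * Y % Q == Z * T % Q and (-X * X + Y * Y - Z * Z - D * T * T) % Q == 0


def ext_add(p1, p2):
    """The (X:Y:T:Z) addition from the page with a = -1 (add-2008-hwcd): no inversion."""
    X1, Y1, T1, Z1 = p1
    X2, Y2, T2, Z2 = p2
    A = X1 * X2 % Q
    B = Y1 * Y2 % Q
    C = D * T1 % Q * T2 % Q                                 # d*T1*T2
    Dd = Z1 * Z2 % Q                                        # Z1*Z2
    E = ((X1 + Y1) * (X2 + Y2) - A - B) % Q                 # X1*Y2 + Y1*X2 with one multiplication
    F, G, H = (Dd - C) % Q, (Dd + C) % Q, (B + A) % Q       # H = Y1*Y2 - a*X1*X2, a = -1
    return (E * F % Q, G * H % Q, E * H % Q, F * G % Q)     # (X3, Y3, T3, Z3)


def ext_to_projective(p):
    """Drop T: (X:Y:T:Z) -> (X:Y:Z)."""
    X, Y, T, Z = p
    return (X, Y, Z)


def projective_double(p):
    """Double in P^2, returning the completed ((X:Z),(Y:T)) point like dalek's
    ProjectivePoint::double (dbl-2008-bbjlp, a = -1): 3M + 4S, no inversion."""
    X, Y, Z = p
    XX, YY, ZZ2 = X * X % Q, Y * Y % Q, 2 * Z * Z % Q
    X_plus_Y_sq = (X + Y) * (X + Y) % Q
    YY_plus_XX, YY_minus_XX = (YY + XX) % Q, (YY - XX) % Q
    # completed tuple in the dalek struct order (X, Y, Z, T): x = X/Z, y = Y/T
    return ((X_plus_Y_sq - YY_plus_XX) % Q, YY_plus_XX, YY_minus_XX, (ZZ2 - YY_minus_XX) % Q)


def completed_to_extended(c):
    """CompletedPoint::to_extended (4M): ((X:Z),(Y:T)) -> (XT : YZ : XY : ZT) in (X:Y:T:Z) order."""
    X, Y, Z, T = c
    return (X * T % Q, Y * Z % Q, X * Y % Q, Z * T % Q)


def projective_to_extended(p):
    """ProjectivePoint::to_extended (3M + 1S): (X:Y:Z) -> (XZ : YZ : XY : Z^2)."""
    X, Y, Z = p
    return (X * Z % Q, Y * Z % Q, X * Y % Q, Z * Z % Q)


def double(p):
    """What EdwardsPoint::double does in dalek: extended -> projective -> completed -> extended."""
    return completed_to_extended(projective_double(ext_to_projective(p)))


def scalar_mult(k, p):
    """Double-and-add that never inverts; call to_affine once on the result."""
    r = IDENTITY
    for bit in bin(k)[2:]:
        r = double(r)
        if bit == "1":
            r = ext_add(r, p)
    return r


def base_point():
    """Ed25519 base point lifted to extended coordinates (y = 4/5, even root for x)."""
    y = 4 * inv(5) % Q
    x2 = (y * y - 1) * inv(D * y * y + 1) % Q
    x = pow(x2, (Q + 3) // 8, Q)
    if x * x % Q != x2:
        x = x * SQRT_M1 % Q
    return from_affine(Q - x if x & 1 else x, y)


def checks():
    """Cross-check the three models against each other on the base point."""
    b = base_point()
    via_add, via_dbl = ext_add(b, b), double(b)
    via_p2 = projective_to_extended(ext_to_projective(via_add))
    return {
        "doubling_agrees": to_affine(via_add) == to_affine(via_dbl) == to_affine(via_p2),
        "invariants": all(invariant_ok(p) for p in (b, via_add, via_dbl, via_p2)),
        "identity": to_affine(ext_add(b, IDENTITY)) == to_affine(b),
        "inverse": to_affine(ext_add(b, neg(b))) == (0, 1),
        "prime_order": to_affine(scalar_mult(ELL, b)) == (0, 1),
    }
```

Compare representatives only after `to_affine`: `ext_add(b, b)` and `double(b)` are the same point but carry different $Z$ values, which is exactly why projective equality in dalek is a cross-multiplication check rather than a field-by-field comparison.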
Converting a CompletedPoint (the $\mathbb{P}^1\times\mathbb{P}^1$ model $\sigma:((X:Z),(Y:T))$, not the affine model) to an EdwardsPoint (the extended model):
impl CompletedPoint {
/// Convert this point from the \\( \mathbb P\^1 \times \mathbb P\^1
/// \\) model to the \\( \mathbb P\^3 \\) model.
///
/// This costs \\(4 \mathrm M \\).
pub fn to_extended(&self) -> EdwardsPoint {
EdwardsPoint {
X: &self.X * &self.T,
Y: &self.Y * &self.Z,
Z: &self.Z * &self.T,
T: &self.X * &self.Y,
}
}
}
Converting a CompletedPoint ($\mathbb{P}^1\times\mathbb{P}^1$ model) to a ProjectivePoint (the $\mathbb{P}^2$ projective model):
impl CompletedPoint {
/// Convert this point from the \\( \mathbb P\^1 \times \mathbb P\^1
/// \\) model to the \\( \mathbb P\^2 \\) model.
///
/// This costs \\(3 \mathrm M \\).
pub fn to_projective(&self) -> ProjectivePoint {
ProjectivePoint {
X: &self.X * &self.T,
Y: &self.Y * &self.Z,
Z: &self.Z * &self.T,
}
}
}
Converting a ProjectivePoint (projective model) to an EdwardsPoint (extended model):
impl ProjectivePoint {
/// Convert this point from the \\( \mathbb P\^2 \\) model to the
/// \\( \mathbb P\^3 \\) model.
///
/// This costs \\(3 \mathrm M + 1 \mathrm S\\).
pub fn to_extended(&self) -> EdwardsPoint {
EdwardsPoint {
X: &self.X * &self.Z,
Y: &self.Y * &self.Z,
Z: self.Z.square(),
T: &self.X * &self.Y,
}
}
}
Converting an EdwardsPoint (extended model) to a MontgomeryPoint (only the affine $u$-coordinate is kept). The map is 2-to-1 because $P$ and $-P$ share the same $u$, so it cannot be undone without extra information:
/// Convert this `EdwardsPoint` on the Edwards model to the
/// corresponding `MontgomeryPoint` on the Montgomery model.
///
/// This function has one exceptional case; the identity point of
/// the Edwards curve is sent to the 2-torsion point \\((0,0)\\)
/// on the Montgomery curve.
///
/// Note that this is a one-way conversion, since the Montgomery
/// model does not retain sign information.
pub fn to_montgomery(&self) -> MontgomeryPoint {
// We have u = (1+y)/(1-y) = (Z+Y)/(Z-Y).
//
// The denominator is zero only when y=1, the identity point of
// the Edwards curve. Since 0.invert() = 0, in this case we
// compute the 2-torsion point (0,0).
let U = &self.Z + &self.Y;
let W = &self.Z - &self.Y;
let u = &U * &W.invert();
MontgomeryPoint(u.to_bytes())
}
Converting a MontgomeryPoint (affine $u$-coordinate only) to an EdwardsPoint (extended model) is 1-to-2, so a sign bit must be supplied to say which of the two candidate X coordinates ($x$ or $-x$) is meant. As in Ed25519 point decompression the bit encodes the parity of $x$, and dalek simply places it in the top bit of the compressed $y$ encoding before decompressing:
/// Attempt to convert to an `EdwardsPoint`, using the supplied
/// choice of sign for the `EdwardsPoint`.
///
/// # Return
///
/// * `Some(EdwardsPoint)` if `self` is the \\(u\\)-coordinate of a
/// point on (the Montgomery form of) Curve25519;
///
/// * `None` if `self` is the \\(u\\)-coordinate of a point on the
/// twist of (the Montgomery form of) Curve25519;
///
pub fn to_edwards(&self, sign: u8) -> Option<EdwardsPoint> {
// To decompress the Montgomery u coordinate to an
// `EdwardsPoint`, we apply the birational map to obtain the
// Edwards y coordinate, then do Edwards decompression.
//
// The birational map is y = (u-1)/(u+1).
//
// The exceptional points are the zeros of the denominator,
// i.e., u = -1.
//
// But when u = -1, v^2 = u*(u^2+486662*u+1) = 486660.
//
// Since this is nonsquare mod p, u = -1 corresponds to a point
// on the twist, not the curve, so we can reject it early.
let u = FieldElement::from_bytes(&self.0);
if u == FieldElement::minus_one() { return None; }
let one = FieldElement::one();
let y = &(&u - &one) * &(&u + &one).invert();
let mut y_bytes = y.to_bytes();
y_bytes[31] ^= sign << 7;
CompressedEdwardsY(y_bytes).decompress()
}
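The birational maps from the start of this page and the two dalek conversions quoted above, as one added Python example (not code from the page or from curve25519-dalek). It implements Montgomery $\leftrightarrow$ Edwards ($a=1$) $\leftrightarrow$ edwards25519 with a square root for $q\equiv5\pmod 8$, pushes the Curve25519 base point $u=9$ through every map, and re-implements `to_montgomery` and `to_edwards(sign)` on affine points, including the identity $\mapsto u=0$ convention and the early rejection of $u=-1$ as a point on the twist. Function names are chosen here and are not dalek's API.

```python
# Added example: Curve25519 birational maps and the Montgomery <-> Edwards conversions
# (not the page's or curve25519-dalek's code).
Q = 2**255 - 19
A = 486662                                  # Montgomery form: v^2 = u^3 + A u^2 + u
D_ED = 121665 * pow(121666, -1, Q) % Q      # x^2 + y^2 = 1 + D_ED x^2 y^2          (a = 1)
D_TW = -D_ED % Q                            # -x^2 + y^2 = 1 + D_TW x^2 y^2  (edwards25519)
SQRT_M1 = pow(2, (Q - 1) // 4, Q)           # sqrt(-1): 2 is a non-residue because Q = 5 (mod 8)


def inv(a):
    return pow(a, -1, Q)


def sqrt_mod(a):
    """Square root in GF(Q) for Q = 5 (mod 8); None when a is a non-residue."""
    a %= Q
    r = pow(a, (Q + 3) // 8, Q)             # r^2 is either a or -a
    if r * r % Q != a:
        r = r * SQRT_M1 % Q
    return r if r * r % Q == a else None


SQRT_A2 = sqrt_mod(A + 2)                   # sqrt(486664), used with the a = 1 Edwards form
SQRT_MA2 = sqrt_mod(-(A + 2))               # sqrt(-486664), the RFC 7748 constant for edwards25519


def mont_to_ed(u, v):
    """(u, v) -> (x, y) on x^2 + y^2 = 1 + d x^2 y^2."""
    return SQRT_A2 * u * inv(v) % Q, (u - 1) * inv(u + 1) % Q


def ed_to_mont(x, y):
    u = (1 + y) * inv(1 - y) % Q
    return u, SQRT_A2 * u * inv(x) % Q


def ed_to_tw(x, y):
    """Edwards (a = 1) -> edwards25519 (a = -1): (x, y) -> (x / sqrt(-1), y)."""
    return x * inv(SQRT_M1) % Q, y


def mont_to_tw(u, v):
    """RFC 7748 map (u, v) -> (x, y) on edwards25519."""
    return SQRT_MA2 * u * inv(v) % Q, (u - 1) * inv(u + 1) % Q


def tw_to_mont(x, y):
    u = (1 + y) * inv(1 - y) % Q
    return u, SQRT_MA2 * u * inv(x) % Q


def on_mont(u, v):
    return (v * v - (u**3 + A * u * u + u)) % Q == 0


def on_ed(x, y):
    return (x * x + y * y - 1 - D_ED * x * x % Q * y * y) % Q == 0


def on_tw(x, y):
    return (-x * x + y * y - 1 - D_TW * x * x % Q * y * y) % Q == 0


def to_montgomery_u(x, y):
    """EdwardsPoint::to_montgomery on an affine point: u = (1+y)/(1-y), v is dropped.
    Follows dalek's 0.invert() == 0 convention, so the identity (0, 1) is sent to u = 0."""
    num, den = (1 + y) % Q, (1 - y) % Q
    return 0 if den == 0 else num * inv(den) % Q


def decompress(y, sign):
    """Ed25519-style decompression: x^2 = (y^2 - 1)/(D_TW y^2 + 1); sign is the parity of x."""
    x2 = (y * y - 1) * inv(D_TW * y * y + 1) % Q   # the denominator is never 0 since D_TW is a non-square
    x = sqrt_mod(x2)
    if x is None or (sign and x == 0):              # not on the curve / "-0" is not a valid encoding
        return None
    return (Q - x if (x & 1) != sign else x, y)


def montgomery_to_edwards(u, sign):
    """MontgomeryPoint::to_edwards: y = (u-1)/(u+1), then decompress with the caller's sign bit.
    u = -1 is rejected up front: there v^2 = 486660, a non-residue, so u = -1 lies on the twist."""
    u %= Q
    if u == Q - 1:
        return None
    return decompress((u - 1) * inv(u + 1) % Q, sign)


def base_point_roundtrip():
    """Push Curve25519's base point (u = 9) through every map above; returns the checks."""
    u = 9
    v = sqrt_mod(u**3 + A * u * u + u)          # u = 9 is on the curve, so v exists
    x, y = mont_to_ed(u, v)
    xt, yt = mont_to_tw(u, v)
    xt2, yt2 = ed_to_tw(x, y)
    return {
        "y_is_4_over_5": y == yt == yt2 == 4 * inv(5) % Q,   # the Ed25519 base point y
        "on_curves": on_mont(u, v) and on_ed(x, y) and on_tw(xt, yt) and on_tw(xt2, yt2),
        "twist_paths_agree": xt2 in (xt, Q - xt),            # the two square roots differ by a sign
        "roundtrip": ed_to_mont(x, y) == (u, v) and tw_to_mont(xt, yt) == (u, v),
        "matches_decompress": (xt, yt) in (montgomery_to_edwards(u, 0), montgomery_to_edwards(u, 1)),
    }
```

For a $u$ whose right-hand side $u^3+Au^2+u$ is a non-residue (a point on the twist), `decompress` finds no square root and `montgomery_to_edwards` returns None, matching the `None` case documented in the dalek signature; $u=-1$ is just the one such value that the birational map itself cannot even evaluate.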
References:
[1] Hisil, Wong, Carter, Dawson, Twisted Edwards Curves Revisited (paper)
[2] https://en.wikipedia.org/wiki/Edwards_curve
[3] Bernstein, Lange, Faster addition and doubling on elliptic curves (paper)
[4] Bernstein, Duif, Lange, Schwabe, Yang, High-speed high-security signatures (paper)
[5] RFC 7748, Elliptic Curves for Security
[6] Hankerson, Menezes, Vanstone, Guide to Elliptic Curve Cryptography (book)
[7] Bernstein, Birkner, Joye, Lange, Peters, Twisted Edwards Curves (paper)
[8] https://doc-internal.dalek.rs/curve25519_dalek/backend/serial/curve_models/index.html