Extended twisted Edwards curve坐标系及相互转换

最新推荐文章于 2023-02-07 18:27:19 发布

mutourend

最新推荐文章于 2023-02-07 18:27:19 发布

阅读量1.7k

点赞数

本文链接：https://blog.csdn.net/mutourend/article/details/98597316

版权

1. 引言

1.1 Edwards curve定义

Edwards curve的定义为：
$x^2+y^2=1+dx^2y^2,d\notin {0,1}, characteristic不为2$

对于Curve25519，其Montgomery form为：
$v^2=u^3+486662u^2+u, q=2^{255}-19$
对应的Edwards curve表示为：
$x^2+y^2=1+(121665/121666)x^2y^2$
相互之间的变换关系为：
$(x,y)\mapsto (u,v): u=(1+y)/(1-y),v=\sqrt{486664}u/x$
$(u,v)\mapsto (x,y): x=\sqrt{486664}u/v,y=(u-1)/(u+1)$

Every Edwards curve has a point of order 4.

curve25519 co-factor为8 sage脚本验证：

sage: q=2^255-19
sage: E=EllipticCurve(GF(q),[0,486662,0,1,0])
sage: n=E.cardinality()
sage: n
57896044618658097711785492504343953926856930875039260848015607506283634007912
sage: factor(n)
2^3 * 7237005577332262213973186563042994240857116359379907606001950938285454250989
sage: r=2^252+27742317777372353535851937790883648493
sage: n/r
8

在这里插入图片描述

1.2 Twisted Edwards Curve定义

根据论文《Twisted Edwards Curves》中的Definition 2.1定义：
在这里插入图片描述

根据此定义可知，每条Edwards curve，都是twisted Edwards curve。

在这里插入图片描述

1.3 isomorphic elliptic curve定义

在这里插入图片描述

1.4 edwards25519

对于Curve25519的Edwards curve表示：
$x^2+y^2=1+dx^2y^2,d=(121665/121666),q=2^{255}-19$
由于-1在Fq(q=2^255-19)域内存在平方根，所以可做如下映射：
$(x,y)\mapsto (\frac{x}{\sqrt{-1}},y)$
对应的曲线表示为：
$-x^2+y^2=1+d'x^2y^2, d'=-(121665/121666),q=2^{255}-19$
该曲线与 $x^2+y^2=1+dx^2y^2$ 具有同构性isomomorphic。

《Elliptic Curves for Security》中，将 $-x^2+y^2=1+d'x^2y^2, d'=-(121665/121666),q=2^{255}-19$ 被称为edwards25519。

magma脚本为：

clear;
q:=2^255-19;
LegendreSymbol(-1, q);  //1,即-1是域Fq内的平方值。

sage脚本为：

sage: q=2^255-19
sage: (q-1)/4
14474011154664524427946373126085988481658748083205070504932198000989141204987
sage:
sage: mod(-121665/121666,q)
37095705934669439343138083508754565189542113879843219016388785533085940283555

在这里插入图片描述

1.5 edwards25519与Curve25519映射关系

$v^2=u^3+486662u^2+u, q=2^{255}-19$
与
$-x^2+y^2=1+d'x^2y^2, q=2^{255}-19,d'=-(121665/121666)\equiv 37095705934669439343138083508754565189542113879843219016388785533085940283555(mod\ q)$
的相互转换关系为：
$(x,y)\mapsto (u,v): x=\sqrt{-486664}u/v,y=(u-1)/(u+1)$
$(u,v)\mapsto (x,y): u=(1+y)/(1-y),v=\sqrt{-486664}u/x$

2. 坐标系表示

根据论文《Twisted Edwards Curves Revisited》，常见的affine和projective坐标系表示：

affine coordinate: $(x, y)$
projective coordinate: $(X, Y, Z)$

由此可知，对于twisted Edwards curve affine coordinate表示:
$ax^2+y^2=1+dx^2y^2$
对应的同态projective coordinate表示为 $(x,y)\mapsto (X/Z,Y/Z)$ ：
$aX^2+Y^2)Z^2=Z^4+dX^2Y^2$

相应的，identity element为(0:1:1)，(X:Y:Z)的负数为(-X:Y:Z)，同时对于所有的非零值 $\lambda\in q, (X:Y:Z)=(\lambda X:\lambda Y:\lambda Z)$ 。

2.1 affine coordinate模式下twisted Edwards curve的point加法运算

对于affine coordinate模式下twisted Edwards curve的point加法运算为：
$(x_1,y_1)+(x_2,y_2)=(\frac{x_1y_2+y_1x_2}{1+dx_1y_1x_2y_2},\frac{y_1y_2-ax_1x_2}{1-dx_1y_1x_2y_2})=(x_3,y_3)$
论文《Twisted Edwards Curves Revisited》中，进一步演化为与 $d$ 值无关的计算公式为：
$(x_1,y_1)+(x_2,y_2)=(\frac{x_1y_1+x_2y_2}{y_1y_2+ax_1x_2},\frac{x_1y_1-x_2y_2}{x_1y_2-y_1x_2})=(x_3,y_3)$
以上算法中，存在求倒数的情况。

2.2 projective coordinate模式下twisted Edwards curve的point加法运算

在论文《Twisted Edwards Curves》中有：
在这里插入图片描述
由此可知，将twisted Edwards curve的point加法运算转换到projective coordinate坐标系下计算，将没有affine coordinate下的求倒数运算，效率更高。

2.3 Extened Twisted Edwards coordinate下的point加法运算

2.3.1 Extened Twisted Edwards coordinate

针对 $ax^2+y^2=1+dx^2y^2$ 增加一个辅助坐标 $t = x y$ 来表示point点 $(x, y)$ ， $(x, y, t)$ 即可称为extended affine coordinate，可通过map $(x,y,t)\mapsto (x:y:t:1)$ 转换为extended projective coordinate。

对于所有的非零值 $\lambda\in q, (X:Y:T:Z)=(\lambda X:\lambda Y:\lambda T :\lambda Z)$ 。

论文《Twisted Edwards Curves Revisited》中的转换细节不好理解，可参看 https://doc-internal.dalek.rs/curve25519_dalek/backend/serial/curve_models/index.html 更直观好理解。

在curve25519中以edwards25519为例来讲解如何转换为extended model：
$x^2+y^2=1+dx^2y^2$
设 $x = X / Z, y = Y / T$ 带入上面公式，清除分母，有：
$X^2T^2+Y^2Z^2=Z^2T^2+dX^2Y^2$

进行Segre embedding转换：
$\sigma :((X:Z),(Y:T))\mapsto(XY:XT:ZY:ZT)\mapsto (W_0:W_1:W_2:W_3)$

/// A `CompletedPoint` is a point \\(((X:Z), (Y:T))\\) on the \\(\mathbb
/// P\^1 \times \mathbb P\^1 \\) model of the curve.
/// A point (x,y) in the affine model corresponds to \\( ((x:1),(y:1))
/// \\).
///
/// More details on the relationships between the different curve models
/// can be found in the module-level documentation.
#[derive(Copy, Clone)]
#[allow(missing_docs)]
pub struct CompletedPoint {
    pub X: FieldElement,
    pub Y: FieldElement,
    pub Z: FieldElement,
    pub T: FieldElement,
}

从而可有方程组来代表edwards25519：
$\left\{\begin{matrix} W_0W_3=W_1W_2 \\ -W_1^2+W_2^2=W_3^2+dW_0^2 \end{matrix}\right.$

$W_0:W_1:W_2:W_3)$ 即为extended 坐标系。

/// An `EdwardsPoint` represents a point on the Edwards form of Curve25519.
#[derive(Copy, Clone)]
#[allow(missing_docs)]
pub struct EdwardsPoint {
    pub(crate) X: FieldElement,
    pub(crate) Y: FieldElement,
    pub(crate) Z: FieldElement,
    pub(crate) T: FieldElement,
}

通过 $(W_0:W_1:W_2:W_3)\mapsto (W_1:W_2:W_3)$ ，有：
$\frac{W_1}{W_3}=\frac{XT}{ZT}=\frac{X}{Z}=x$
$\frac{W_2}{W_3}=\frac{YZ}{ZT}=\frac{Y}{T}=y$

/// A `ProjectivePoint` is a point \\((X:Y:Z)\\) on the \\(\mathbb
/// P\^2\\) model of the curve.
/// A point \\((x,y)\\) in the affine model corresponds to
/// \\((x:y:1)\\).
///
/// More details on the relationships between the different curve models
/// can be found in the module-level documentation.
#[derive(Copy, Clone)]
pub struct ProjectivePoint {
    pub X: FieldElement,
    pub Y: FieldElement,
    pub Z: FieldElement,
}

其中identity element为 $(0 : 1 : 0 : 1)$ ， $(X : Y : T : Z)$ 的负数为 $(- X : Y : - T : Z)$ 。

尽管 $T$ 和 $Z$ 可取任意值，不过在curve25519-dalek实现中，为了简化计算，取的是 $T = X * Y, Z = 1$ 。

在这里插入图片描述

2.3.2 Extened Twisted Edwards coordinate下的point加法运算

求 $X_1:Y_1:T_1:Z_1)+(X_2:Y_2:T_2:Z_2)=(X_3:Y_3:T_3:Z_3)$ ，其中：
$X_3=(X_1Y_2+Y_1X_2)(Z_1Z_2-dT_1T_2)$
$Y_3=(Y_1Y_2-aX_1X_2)(Z_1Z_2+dT_1T_2)$
$T_3=(Y_1Y_2-aX_1X_2)(X_1Y_2+Y_1X_2)$
$Z_3=(Z_1Z_2-dT_1T_2)(Z_1Z_2+dT_1T_2)$

论文《Twisted Edwards Curves Revisited》中，进一步演化为与 $d$ 值无关的计算公式为：
在这里插入图片描述

3. 总结

注意，在Extended坐标系下，可提供更快的加法运算，在Projective坐标系下，可提供更快的double运算！！！实际使用时，可根据不同的计算选择不同的坐标系。

从CompletedPoint【 $\sigma :((X:Z),(Y:T))$ ，即为affine坐标系】转换为EdwardsPoint【即为Extended 坐标系】，相应的代码为：

impl CompletedPoint {

    /// Convert this point from the \\( \mathbb P\^1 \times \mathbb P\^1
    /// \\) model to the \\( \mathbb P\^3 \\) model.
    ///
    /// This costs \\(4 \mathrm M \\).
    pub fn to_extended(&self) -> EdwardsPoint {
        EdwardsPoint {
            X: &self.X * &self.T,
            Y: &self.Y * &self.Z,
            Z: &self.Z * &self.T,
            T: &self.X * &self.Y,
        }
    }
}

从CompletedPoint【 $\sigma :((X:Z),(Y:T))$ ，即为affine坐标系】转换为ProjectivePoint【即为Projective坐标系】的实现代码为：

impl CompletedPoint {
    /// Convert this point from the \\( \mathbb P\^1 \times \mathbb P\^1
    /// \\) model to the \\( \mathbb P\^2 \\) model.
    ///
    /// This costs \\(3 \mathrm M \\).
    pub fn to_projective(&self) -> ProjectivePoint {
        ProjectivePoint {
            X: &self.X * &self.T,
            Y: &self.Y * &self.Z,
            Z: &self.Z * &self.T,
        }
    }
}

从ProjectivePoint【即为Projective坐标系】转换为EdwardsPoint【即为Extended 坐标系】的实现代码为：

impl ProjectivePoint {
    /// Convert this point from the \\( \mathbb P\^2 \\) model to the
    /// \\( \mathbb P\^3 \\) model.
    ///
    /// This costs \\(3 \mathrm M + 1 \mathrm S\\).
    pub fn to_extended(&self) -> EdwardsPoint {
        EdwardsPoint {
            X: &self.X * &self.Z,
            Y: &self.Y * &self.Z,
            Z: self.Z.square(),
            T: &self.X * &self.Y,
        }
    }
}

从EdwardsPoint【即为Extended 坐标系】转换为MontgomeryPoint【即affine坐标系下，只取x坐标】，两者的映射关系为2-to-1：

    /// Convert this `EdwardsPoint` on the Edwards model to the
    /// corresponding `MontgomeryPoint` on the Montgomery model.
    ///
    /// This function has one exceptional case; the identity point of
    /// the Edwards curve is sent to the 2-torsion point \\((0,0)\\)
    /// on the Montgomery curve.
    ///
    /// Note that this is a one-way conversion, since the Montgomery
    /// model does not retain sign information.
    pub fn to_montgomery(&self) -> MontgomeryPoint {
        // We have u = (1+y)/(1-y) = (Z+Y)/(Z-Y).
        //
        // The denominator is zero only when y=1, the identity point of
        // the Edwards curve.  Since 0.invert() = 0, in this case we
        // compute the 2-torsion point (0,0).
        let U = &self.Z + &self.Y;
        let W = &self.Z - &self.Y;
        let u = &U * &W.invert();
        MontgomeryPoint(u.to_bytes())
    }

从MontgomeryPoint【即affine坐标系下，只取x坐标】转换为EdwardsPoint【即为Extended 坐标系】，两者的映射关系为1-to-2，所以要带上符号标识符sign，表示相应的EdwardsPoint的X坐标是整数还是负数：

/// Attempt to convert to an `EdwardsPoint`, using the supplied
    /// choice of sign for the `EdwardsPoint`.
    ///
    /// # Return
    ///
    /// * `Some(EdwardsPoint)` if `self` is the \\(u\\)-coordinate of a
    /// point on (the Montgomery form of) Curve25519;
    ///
    /// * `None` if `self` is the \\(u\\)-coordinate of a point on the
    /// twist of (the Montgomery form of) Curve25519;
    ///
    pub fn to_edwards(&self, sign: u8) -> Option<EdwardsPoint> {
        // To decompress the Montgomery u coordinate to an
        // `EdwardsPoint`, we apply the birational map to obtain the
        // Edwards y coordinate, then do Edwards decompression.
        //
        // The birational map is y = (u-1)/(u+1).
        //
        // The exceptional points are the zeros of the denominator,
        // i.e., u = -1.
        //
        // But when u = -1, v^2 = u*(u^2+486662*u+1) = 486660.
        //
        // Since this is nonsquare mod p, u = -1 corresponds to a point
        // on the twist, not the curve, so we can reject it early.

        let u = FieldElement::from_bytes(&self.0);

        if u == FieldElement::minus_one() { return None; }

        let one = FieldElement::one();

        let y = &(&u - &one) * &(&u + &one).invert();

        let mut y_bytes = y.to_bytes();
        y_bytes[31] ^= sign << 7;

        CompressedEdwardsY(y_bytes).decompress()
    }

参考资料：
[1] 论文《Twisted Edwards Curves Revisited》
[2] https://en.wikipedia.org/wiki/Edwards_curve
[3] 论文《Faster addition and doubling on elliptic curves》
[4] 论文《High-speed high-security signatures》
[5] 《Elliptic Curves for Security》
[6] 书《Guide to elliptic curve cryptography》
[7] 论文《Twisted Edwards Curves》
[8] https://doc-internal.dalek.rs/curve25519_dalek/backend/serial/curve_models/index.html