Extended twisted Edwards curve坐标系及相互转换

1. 引言

1.1 Edwards curve定义

Edwards curve的定义为：
$x^2+y^2=1+d{x}^2{y}^2,d\notin 0,1,characteristic不为2$

对于Curve25519，其Montgomery form为：
$v^2=u^3+486662u^2+u,q=2^{255}-19$
对应的Edwards curve表示为：
$x^2+y^2=1+(121665/121666)x^2{y}^2$
相互之间的变换关系为：
$(x,y)\mapsto (u,v):u=(1+y)/(1-y),v=\sqrt{486664}u/x$
$(u,v)\mapsto (x,y):x=\sqrt{486664}u/v,y=(u-1)/(u+1)$

---

Every Edwards curve has a point of order 4.

---

curve25519 co-factor为8 sage脚本验证：

sage: q=2^255-19
sage: E=EllipticCurve(GF(q),[0,486662,0,1,0])
sage: n=E.cardinality()
sage: n
57896044618658097711785492504343953926856930875039260848015607506283634007912
sage: factor(n)
2^3 * 7237005577332262213973186563042994240857116359379907606001950938285454250989
sage: r=2^252+27742317777372353535851937790883648493
sage: n/r
8

1.2 Twisted Edwards Curve定义

根据论文《Twisted Edwards Curves》中的Definition 2.1定义：

---

根据此定义可知，每条Edwards curve，都是twisted Edwards curve。

---

1.3 isomorphic elliptic curve定义

1.4 edwards25519

对于Curve25519的Edwards curve表示：
$x^2+y^2=1+d{x}^2{y}^2,d=(121665/121666),q=2^{255}-19$
由于-1在Fq(q=2^255-19)域内存在平方根，所以可做如下映射：
$(x,y)\mapsto (\frac{x}{\sqrt{-1}},y)$
对应的曲线表示为：
$-x^2+y^2=1+d^{\prime }{x}^2{y}^2,d^{\prime }=-(121665/121666),q=2^{255}-19$
该曲线与$x^2+y^2=1+d{x}^2{y}^2$具有同构性isomomorphic。

《Elliptic Curves for Security》中，将$-x^2+y^2=1+d^{\prime }{x}^2{y}^2,d^{\prime }=-(121665/121666),q=2^{255}-19$被称为edwards25519。

magma脚本为：

clear;
q:=2^255-19;
LegendreSymbol(-1, q);  //1,即-1是域Fq内的平方值。

sage脚本为：

sage: q=2^255-19
sage: (q-1)/4
14474011154664524427946373126085988481658748083205070504932198000989141204987
sage:
sage: mod(-121665/121666,q)
37095705934669439343138083508754565189542113879843219016388785533085940283555

1.5 edwards25519与Curve25519映射关系

$v^2=u^3+486662u^2+u,q=2^{255}-19$
与
$-x^2+y^2=1+d^{\prime }{x}^2{y}^2,q=2^{255}-19,d^{\prime }=-(121665/121666)\equiv 37095705934669439343138083508754565189542113879843219016388785533085940283555(modq)$
的相互转换关系为：
$(x,y)\mapsto (u,v):x=\sqrt{-486664}u/v,y=(u-1)/(u+1)$
$(u,v)\mapsto (x,y):u=(1+y)/(1-y),v=\sqrt{-486664}u/x$

2. 坐标系表示

根据论文《Twisted Edwards Curves Revisited》，常见的affine和projective坐标系表示：

• affine coordinate: $(x,y)$
• projective coordinate: $(X,Y,Z)$

由此可知，对于twisted Edwards curve affine coordinate表示:
$a{x}^2+y^2=1+d{x}^2{y}^2$
对应的同态projective coordinate表示为$(x,y)\mapsto (X/Z,Y/Z)$：
$(a{X}^2+Y^2)Z^2=Z^4+d{X}^2{Y}^2$

相应的，identity element为(0:1:1)，(X:Y:Z)的负数为(-X:Y:Z)，同时对于所有的非零值$\lambda \in q,(X:Y:Z)=(\lambda X:\lambda Y:\lambda Z)$。

2.1 affine coordinate模式下twisted Edwards curve的point加法运算

对于affine coordinate模式下twisted Edwards curve的point加法运算为：
$(x_1,y_1)+(x_2,y_2)=(\frac{x_1{y}_2+y_1{x}_2}{1+d{x}_1{y}_1{x}_2{y}_2},\frac{y_1{y}_2-a{x}_1{x}_2}{1-d{x}_1{y}_1{x}_2{y}_2})=(x_3,y_3)$
论文《Twisted Edwards Curves Revisited》中，进一步演化为与$d$值无关的计算公式为：
$(x_1,y_1)+(x_2,y_2)=(\frac{x_1{y}_1+x_2{y}_2}{y_1{y}_2+a{x}_1{x}_2},\frac{x_1{y}_1-x_2{y}_2}{x_1{y}_2-y_1{x}_2})=(x_3,y_3)$
以上算法中，存在求倒数的情况。

2.2 projective coordinate模式下twisted Edwards curve的point加法运算

在论文《Twisted Edwards Curves》中有：

由此可知，将twisted Edwards curve的point加法运算转换到projective coordinate坐标系下计算，将没有affine coordinate下的求倒数运算，效率更高。

2.3 Extened Twisted Edwards coordinate下的point加法运算

2.3.1 Extened Twisted Edwards coordinate

针对$a{x}^2+y^2=1+d{x}^2{y}^2$增加一个辅助坐标$t=xy$来表示point点$(x,y)$，$(x,y,t)$即可称为extended affine coordinate，可通过map $(x,y,t)\mapsto (x:y:t:1)$转换为extended projective coordinate。

对于所有的非零值$\lambda \in q,(X:Y:T:Z)=(\lambda X:\lambda Y:\lambda T:\lambda Z)$。

论文《Twisted Edwards Curves Revisited》中的转换细节不好理解，可参看 https://doc-internal.dalek.rs/curve25519_dalek/backend/serial/curve_models/index.html 更直观好理解。

在curve25519中以edwards25519为例来讲解如何转换为extended model：
$-x^2+y^2=1+d{x}^2{y}^2$
设$x=X/Z,y=Y/T$带入上面公式，清除分母，有：
$-X^2{T}^2+Y^2{Z}^2=Z^2{T}^2+d{X}^2{Y}^2$

进行Segre embedding转换：
$\sigma :((X:Z),(Y:T))\mapsto (XY:XT:ZY:ZT)\mapsto (W_0:W_1:W_2:W_3)$

/// A `CompletedPoint` is a point \\(((X:Z), (Y:T))\\) on the \\(\mathbb
/// P\^1 \times \mathbb P\^1 \\) model of the curve.
/// A point (x,y) in the affine model corresponds to \\( ((x:1),(y:1))
/// \\).
///
/// More details on the relationships between the different curve models
/// can be found in the module-level documentation.
#[derive(Copy, Clone)]
#[allow(missing_docs)]
pub struct CompletedPoint {
    pub X: FieldElement,
    pub Y: FieldElement,
    pub Z: FieldElement,
    pub T: FieldElement,
}

从而可有方程组来代表edwards25519：
$\{\begin{array}{c}{W}_0{W}_3=W_1{W}_2\\ -W_1^2+W_2^2=W_3^2+d{W}_0^2\end{array}$

$(W_0:W_1:W_2:W_3)$即为extended 坐标系。

/// An `EdwardsPoint` represents a point on the Edwards form of Curve25519.
#[derive(Copy, Clone)]
#[allow(missing_docs)]
pub struct EdwardsPoint {
    pub(crate) X: FieldElement,
    pub(crate) Y: FieldElement,
    pub(crate) Z: FieldElement,
    pub(crate) T: FieldElement,
}

通过$(W_0:W_1:W_2:W_3)\mapsto (W_1:W_2:W_3)$，有：
$\frac{W_1}{W_3}=\frac{XT}{ZT}=\frac{X}{Z}=x$
$\frac{W_2}{W_3}=\frac{YZ}{ZT}=\frac{Y}{T}=y$

/// A `ProjectivePoint` is a point \\((X:Y:Z)\\) on the \\(\mathbb
/// P\^2\\) model of the curve.
/// A point \\((x,y)\\) in the affine model corresponds to
/// \\((x:y:1)\\).
///
/// More details on the relationships between the different curve models
/// can be found in the module-level documentation.
#[derive(Copy, Clone)]
pub struct ProjectivePoint {
    pub X: FieldElement,
    pub Y: FieldElement,
    pub Z: FieldElement,
}

其中identity element为$(0:1:0:1)$，$(X:Y:T:Z)$的负数为$(-X:Y:-T:Z)$。

---

尽管$T$和$Z$可取任意值，不过在curve25519-dalek实现中，为了简化计算，取的是$T=X\ast Y,Z=1$。

---

2.3.2 Extened Twisted Edwards coordinate下的point加法运算

求$(X_1:Y_1:T_1:Z_1)+(X_2:Y_2:T_2:Z_2)=(X_3:Y_3:T_3:Z_3)$，其中：
$X_3=(X_1{Y}_2+Y_1{X}_2)(Z_1{Z}_2-d{T}_1{T}_2)$
$Y_3=(Y_1{Y}_2-a{X}_1{X}_2)(Z_1{Z}_2+d{T}_1{T}_2)$
$T_3=(Y_1{Y}_2-a{X}_1{X}_2)(X_1{Y}_2+Y_1{X}_2)$
$Z_3=(Z_1{Z}_2-d{T}_1{T}_2)(Z_1{Z}_2+d{T}_1{T}_2)$

论文《Twisted Edwards Curves Revisited》中，进一步演化为与$d$值无关的计算公式为：

3. 总结

---

注意，在Extended坐标系下，可提供更快的加法运算，在Projective坐标系下，可提供更快的double运算！！！实际使用时，可根据不同的计算选择不同的坐标系。

---

从CompletedPoint【$\sigma :((X:Z),(Y:T))$，即为affine坐标系】转换为EdwardsPoint【即为Extended 坐标系】，相应的代码为：

impl CompletedPoint {

    /// Convert this point from the \\( \mathbb P\^1 \times \mathbb P\^1
    /// \\) model to the \\( \mathbb P\^3 \\) model.
    ///
    /// This costs \\(4 \mathrm M \\).
    pub fn to_extended(&self) -> EdwardsPoint {
        EdwardsPoint {
            X: &self.X * &self.T,
            Y: &self.Y * &self.Z,
            Z: &self.Z * &self.T,
            T: &self.X * &self.Y,
        }
    }
}

从CompletedPoint【$\sigma :((X:Z),(Y:T))$，即为affine坐标系】转换为ProjectivePoint【即为Projective坐标系】的实现代码为：

impl CompletedPoint {
    /// Convert this point from the \\( \mathbb P\^1 \times \mathbb P\^1
    /// \\) model to the \\( \mathbb P\^2 \\) model.
    ///
    /// This costs \\(3 \mathrm M \\).
    pub fn to_projective(&self) -> ProjectivePoint {
        ProjectivePoint {
            X: &self.X * &self.T,
            Y: &self.Y * &self.Z,
            Z: &self.Z * &self.T,
        }
    }
}

从ProjectivePoint【即为Projective坐标系】转换为EdwardsPoint【即为Extended 坐标系】的实现代码为：

impl ProjectivePoint {
    /// Convert this point from the \\( \mathbb P\^2 \\) model to the
    /// \\( \mathbb P\^3 \\) model.
    ///
    /// This costs \\(3 \mathrm M + 1 \mathrm S\\).
    pub fn to_extended(&self) -> EdwardsPoint {
        EdwardsPoint {
            X: &self.X * &self.Z,
            Y: &self.Y * &self.Z,
            Z: self.Z.square(),
            T: &self.X * &self.Y,
        }
    }
}

从EdwardsPoint【即为Extended 坐标系】转换为MontgomeryPoint【即affine坐标系下，只取x坐标】，两者的映射关系为2-to-1：

    /// Convert this `EdwardsPoint` on the Edwards model to the
    /// corresponding `MontgomeryPoint` on the Montgomery model.
    ///
    /// This function has one exceptional case; the identity point of
    /// the Edwards curve is sent to the 2-torsion point \\((0,0)\\)
    /// on the Montgomery curve.
    ///
    /// Note that this is a one-way conversion, since the Montgomery
    /// model does not retain sign information.
    pub fn to_montgomery(&self) -> MontgomeryPoint {
        // We have u = (1+y)/(1-y) = (Z+Y)/(Z-Y).
        //
        // The denominator is zero only when y=1, the identity point of
        // the Edwards curve.  Since 0.invert() = 0, in this case we
        // compute the 2-torsion point (0,0).
        let U = &self.Z + &self.Y;
        let W = &self.Z - &self.Y;
        let u = &U * &W.invert();
        MontgomeryPoint(u.to_bytes())
    }

从MontgomeryPoint【即affine坐标系下，只取x坐标】转换为EdwardsPoint【即为Extended 坐标系】，两者的映射关系为1-to-2，所以要带上符号标识符sign，表示相应的EdwardsPoint的X坐标是整数还是负数：

/// Attempt to convert to an `EdwardsPoint`, using the supplied
    /// choice of sign for the `EdwardsPoint`.
    ///
    /// # Return
    ///
    /// * `Some(EdwardsPoint)` if `self` is the \\(u\\)-coordinate of a
    /// point on (the Montgomery form of) Curve25519;
    ///
    /// * `None` if `self` is the \\(u\\)-coordinate of a point on the
    /// twist of (the Montgomery form of) Curve25519;
    ///
    pub fn to_edwards(&self, sign: u8) -> Option<EdwardsPoint> {
        // To decompress the Montgomery u coordinate to an
        // `EdwardsPoint`, we apply the birational map to obtain the
        // Edwards y coordinate, then do Edwards decompression.
        //
        // The birational map is y = (u-1)/(u+1).
        //
        // The exceptional points are the zeros of the denominator,
        // i.e., u = -1.
        //
        // But when u = -1, v^2 = u*(u^2+486662*u+1) = 486660.
        //
        // Since this is nonsquare mod p, u = -1 corresponds to a point
        // on the twist, not the curve, so we can reject it early.

        let u = FieldElement::from_bytes(&self.0);

        if u == FieldElement::minus_one() { return None; }

        let one = FieldElement::one();

        let y = &(&u - &one) * &(&u + &one).invert();

        let mut y_bytes = y.to_bytes();
        y_bytes[31] ^= sign << 7;

        CompressedEdwardsY(y_bytes).decompress()
    }

参考资料：
[1] 论文《Twisted Edwards Curves Revisited》
[2] https://en.wikipedia.org/wiki/Edwards_curve
[3] 论文《Faster addition and doubling on elliptic curves》
[4] 论文《High-speed high-security signatures》
[5] 《Elliptic Curves for Security》
[6] 书《Guide to elliptic curve cryptography》
[7] 论文《Twisted Edwards Curves》
[8] https://doc-internal.dalek.rs/curve25519_dalek/backend/serial/curve_models/index.html