Inverted Edwards coordinates

Edwards curves have attracted great interest for several reasons. When curve parameters are chosen properly, the addition formulas use only $10M+1S$. The formulas are {\it strongly unified}, i.e., work without change for doublings; even better, they are {\it complete}, i.e., work without change for all inputs. Dedicated doubling formulas use only $3M+4S$, and dedicated tripling formulas use only $9M+4S$. This paper introduces {\it inverted Edwards coordinates}. Inverted Edwards coordinates $(X_1:Y_1:Z_1)$ represent the affine point $(Z_1/X_1,Z_1/Y_1)$ on an Edwards curve; for comparison, standard Edwards coordinates $(X_1:Y_1:Z_1)$ represent the affine point $(X_1/Z_1,Y_1/Z_1)$. This paper presents addition formulas for inverted Edwards coordinates using only $9M+1S$. The formulas are not complete but still are strongly unified. Dedicated doubling formulas use only $3M+4S$, and dedicated tripling formulas use only $9M+4S$. Inverted Edwards coordinates thus save $1M$ for each addition, without slowing down doubling or tripling

Optimizing double-base elliptic-curve single-scalar multiplication

This paper analyzes the best speeds that can be obtained for single-scalar multiplication with variable base point by combining a huge range of options: • many choices of coordinate systems and formulas for individual group operations, including new formulas for tripling on Edwards curves; • double-base chains with many different doubling/tripling ratios, including standard base-2 chains as an extreme case; • many precomputation strategies, going beyond Dimitrov, Imbert, Mishra (Asiacrypt 2005) and Doche and Imbert (Indocrypt 2006). The analysis takes account of speedups such as S – M tradeoffs and includes recent advances such as inverted Edwards coordinates. The main conclusions are as follows. Optimized precomputations and triplings save time for single-scalar multiplication in Jacobian coordinates, Hessian curves, and tripling-oriented Doche/Icart/Kohel curves. However, even faster single-scalar multiplication is possible in Jacobi intersections, Edwards curves, extended Jacobi-quartic coordinates, and inverted Edwards coordinates, thanks to extremely fast doublings and additions; there is no evidence that double-base chains are worthwhile for the fastest curves. Inverted Edwards coordinates are the speed leader

Edwards curves and CM curves

Edwards curves are a particular form of elliptic curves that admit a fast, unified and complete addition law. Relations between Edwards curves and Montgomery curves have already been described. Our work takes the view of parameterizing elliptic curves given by their j-invariant, a problematic that arises from using curves with complex multiplication, for instance. We add to the catalogue the links with Kubert parameterizations of X0(2) and X0(4). We classify CM curves that admit an Edwards or Montgomery form over a finite field, and justify the use of isogenous curves when needed

Another approach to pairing computation in Edwards coordinates

The recent introduction of Edwards curves has significantly reduced the cost of addition on elliptic curves. This paper presents new explicit formulae for pairing implementation in Edwards coordinates. We prove our method gives performances similar to those of Miller\u27s algorithm in Jacobian coordinates and is thus of cryptographic interest when one chooses Edwards curve implementations of protocols in elliptic curve cryptography. The method is faster than the recent proposal of Das and Sarkar for computing pairings on supersingular curves using Edwards coordinates