6

I'm trying to understand the benefits of using a twisted Edwards curve over a regular Edwards curve. I'm aware of some properties of twisted Edwards curves that regular Edwards curves are missing, like isomorphism and the fact that every twisted Edwards curve is birationally equivalent to an elliptic curve in Montgomery form. But I can't get the idea of why it is beneficial for digital signatures.

kelalaka
pacman

1 Answer

6

Little history;

As a conclusion, if we combine these works, we can see the reason as easy side-channel free implementations due to Montgomery Ladder on the Twisted Edwards and fast addition formulas.


Performance notes;

  • Some details from the 2008 paper explaining the performance of twisted Edwards curves:

This phenomenon is not an accident. Montgomery curves $E_{M,A,B}$ are normally chosen so that $(A + 2)/4$ is a small integer: this speeds up $u$-coordinate arithmetic, as Montgomery pointed out in 1997. The corresponding twisted Edwards curves have $d/a$ equal to $(A - 2)/(A + 2)$, a ratio of small integers, allowing fast arithmetic in twisted Edwards form.

  • Ed25519's batch verification of 64 signatures enables a greater speed advantage.

  • More benefits of Ed25519 can be found on Bernstein's pages: https://ed25519.cr.yp.to/


Note: When talking about fast formulas we should be careful, since everything can change on the target platform. As Squeamish Ossifrage pointed out in a comment on the answer to Why Curve25519 for encryption but Ed25519 for signatures?

In certain circumstances it may be worthwhile to use X25519 with a Montgomery ladder even for signatures: qDSA seems to outperform EdDSA on microcontrollers, at substantially less memory and code size than other Edwards alternatives like FourQ

kelalaka
  • seems like regular untwisted elliptic curves are also side-channel free and have fast formulas. Please, correct me, if I'm mistaken. – pacman Sep 12 '23 at 12:31
  • Yes, there is Joye's ladder, however, they are slow compared to Montgomery's ladder. – kelalaka Sep 12 '23 at 12:34
  • If both twisted Edwards curves and regular untwisted Edwards curves have the same level of security, why did the developers of ed25519 pick twisted Edwards curves but not regular untwisted Edwards curves? – pacman Sep 12 '23 at 12:41
  • 1
    Montgomery Ladder provides the side-channel resistance by design. One would have to do a bad implementation to not achieve that. I've added a reference to see that. – kelalaka Sep 12 '23 at 12:46
  • I got it. Every twisted Edwards curve can be transformed to a Montgomery curve and vice versa. But it doesn't work for regular untwisted Edwards curves. Are there any other advantages of twisted Edwards curves over regular untwisted Edwards curves? – pacman Sep 12 '23 at 13:11
  • 1
    It may depend on the need, however, SafeCurves points to no failures, see E as Edwards https://safecurves.cr.yp.to/index.html – kelalaka Sep 12 '23 at 13:19
  • seems like Curve25519 (it is in Montgomery form) also has all the advantages of twisted Edwards curves mentioned in your answer. Why didn't the developers of ed25519 use it, and chose a twisted Edwards curve instead? – pacman Sep 12 '23 at 13:30
  • 1
    @pacman One reason is that Curve25519 is faster for ECDH (faster variable-base scalar mults), and Ed25519 is faster for signatures (faster variable-base scalar mult added to a fixed-base scalar mult). The speed difference is something like 15-20% – knaccc Sep 12 '23 at 14:30
  • @knaccc yes, that was another one that I missed. Could you link some references for those? – kelalaka Sep 12 '23 at 14:42
  • @kelalaka the last detail to clarify: what advantages of twisted Edwards curves over regular untwisted Edwards curve are used in ed25519? – pacman Sep 12 '23 at 14:43
  • @pacman Since twisted Edwards curves are birationally equivalent to Montgomery curves, they provide easy side-channel free implementations, and people generated fast formulas for those. What knaccc pointed out is answered here: Why Curve25519 for encryption but Ed25519 for signatures? – kelalaka Sep 12 '23 at 14:52
  • @kelalaka This is from tests I did myself about 5 years ago on the SUPERCOP implementation. Also of note is that converting points between ed25519 and curve25519 in order to try and speed things up (e.g. speed up an ECDH operation by converting points from ed25519 to curve25519) will not be a net benefit, since the conversion requires expensive field inversion operations – knaccc Sep 12 '23 at 21:55
  • @knaccc why did you not publish your results as a paper? Is the code still around? While there are tons of crap papers, some will benefit from your tests. Kudos to you. Yes, many academics omit those details, as I noticed during my thesis. – kelalaka Sep 12 '23 at 21:58
  • @kelalaka I'm not an academic, I'm a practitioner. I'll take a look. I have so many code fragments lying around that it'd probably be easier to write it again from scratch than to find the right snippet – knaccc Sep 12 '23 at 23:25
  • @knaccc it is not about being academic, it is about helping others in some other ways while doing your task. See Google's hard disk failure analysis https://static.googleusercontent.com/media/research.google.com/en//archive/disk_failures.pdf they just published their results in a proper way. – kelalaka Sep 12 '23 at 23:28
  • @kelalaka "it is not about being academic, it is about helping other in some other ways while doing your task" < that's why I'm on stackexchange :) – knaccc Sep 12 '23 at 23:32
  • @knaccc you mentioned that conversion from twisted Edwards form to Montgomery form requires expensive field inversion operations. Seems like this birational equivalence is not an advantage of twisted Edwards curves over regular untwisted Edwards curves. https://crypto.stackexchange.com/questions/27866/why-curve25519-for-encryption-but-ed25519-for-signatures this post answers why twisted Edwards curves are appropriate for ed25519. But I want to understand why the developers didn't use regular untwisted Edwards curves instead. – pacman Sep 13 '23 at 04:30
  • 1
    @pacman see page 14 of https://eprint.iacr.org/2008/013.pdf - there is a performance benefit of using Twisted Edwards over Edwards – knaccc Sep 13 '23 at 10:15
  • Pacman, I think you did not understand what @knaccc said. If one wants to get the benefit of the speed, it is not preferable due to the conversion. Curve25519 is used for DHKE with only the $x$ coordinate and is named X25519. Ed25519 is designed for fast optimization of EdDSA, where batch signature verification is possible. – kelalaka Sep 13 '23 at 10:22
  • Pacman, read the comments under this [Ed25519 to X25519 transportation](https://crypto.stackexchange.com/q/98561/18298). Is it hard to store 2 32-byte keys? – kelalaka Sep 13 '23 at 12:59
  • @knaccc The paper you sent a link to is answering all my questions, thanks! – pacman Sep 13 '23 at 15:28
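
A check of the relations discussed in the answer and comments, as an added example (not code from the thread or from the Ed25519 authors): it verifies $d/a = (A-2)/(A+2)$ for Curve25519/Ed25519, shows that each conversion between Edwards and Montgomery coordinates costs a field inversion, and, going slightly beyond the quoted text, maps the Ed25519 base point onto the untwisted Edwards curve with $d' = d/a$. The constants are the published Curve25519 and Ed25519 parameters; the function names are illustrative.

```python
P = 2**255 - 19        # field prime shared by Curve25519 and Ed25519
A = 486662             # Montgomery form: v^2 = u^3 + A*u^2 + u

def inv(x):
    """Field inversion by Fermat: a full 255-bit exponentiation."""
    return pow(x % P, P - 2, P)

ED_A = P - 1                            # Ed25519: a = -1
ED_D = -121665 * inv(121666) % P        # Ed25519: d = -121665/121666
SQRT_M1 = pow(2, (P - 1) // 4, P)       # sqrt(-1), exists since p = 1 mod 4

def ratio_matches():
    """d/a == (A-2)/(A+2) mod p, the relation in the quoted 2008 passage."""
    return ED_D * inv(ED_A) % P == (A - 2) * inv(A + 2) % P

def small_constants():
    """(A+2)/4 and (A-2)/4: the small integers behind that ratio."""
    return (A + 2) // 4, (A - 2) // 4

def edwards_y_to_montgomery_u(y):
    """u = (1+y)/(1-y): one inversion per converted point."""
    return (1 + y) * inv(1 - y) % P

def montgomery_u_to_edwards_y(u):
    """y = (u-1)/(u+1): again one inversion."""
    return (u - 1) * inv(u + 1) % P

def recover_x(y):
    """Solve -x^2 + y^2 = 1 + d*x^2*y^2 for x (square root for p = 5 mod 8)."""
    xx = (y * y - 1) * inv(ED_D * y * y + 1) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P != 0:
        x = x * SQRT_M1 % P
    return x

def on_twisted(x, y, a, d):
    """Twisted Edwards equation a*x^2 + y^2 = 1 + d*x^2*y^2 (a = 1: untwisted)."""
    return (a * x * x + y * y - 1 - d * x * x * y * y) % P == 0

def untwist(x, y):
    """Map (x, y) on the a = -1 curve to the a = 1 Edwards curve with d' = d/a."""
    return SQRT_M1 * x % P, y

BASE_Y = 4 * inv(5) % P   # Ed25519 base point y-coordinate, 4/5
```

The Ed25519 base point (y = 4/5) maps to u = 9, the X25519 base point, and the untwisted image satisfies x² + y² = 1 + (121665/121666)x²y².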