Twisted Edwards Curves for Digital Signatures

Edwards curves are pivotal ones in crypto field. The normal form Harold Edwards studied was x² + y² = c² + c²x²y². Previously, we have proven the addition formula of this form. Bernstein and Lange firstly transform the equation to simpler form x² + y² = 1 + dx²y² . Thereafter, they modified regular Edwards curves and introduced twisted Edwards curves ax² + y² = 1 + dx²y².

Twisted Edward curves look like a bird’s-eye roundabout intersection of a road.

---

🙋‍♂️ You may consider to enroll my top-rated cryptography course on Udemy

---

Regular Edwards curves are special form of twisted Edwards curves where a = 1. We can prove the addition formula of twisted ones similarly. Besides, proof of twisted Edwards curves will also prove the regular Edwards forms Bernstein and Tanja simplified.

Lemma

Suppose that (x₁, y₁) and (x₂, y₂) are points on the curve ax² + y² = 1 + dx²y². In this case, (x₃, y₃) derived from the following formula will be on the same curve.

x₃ = (x₁y₂ + y₁x₂)/(1 + dx₁x₂y₁y₂)

y₃ = (y₁y₂ – ax₁x₂)/(1 – dx₁x₂y₁y₂)

Proof

We can validate the addition formula by putting (x₃, y₃) values to the twisted edwards curve equation.

ax₃² + y₃² = 1 + dx₃²y₃²

a(x₁y₂ + y₁x₂)²/(1 + dx₁x₂y₁y₂)² + (y₁y₂ – ax₁x₂)²/(1 – dx₁x₂y₁y₂)² = 1 + d(x₁y₂ + y₁x₂)²(y₁y₂ – ax₁x₂)²/(1 + dx₁x₂y₁y₂)²(1 – dx₁x₂y₁y₂)²

Make denominators same

---

---

a(x₁y₂ + y₁x₂)²(1 – dx₁x₂y₁y₂)²/(1 + dx₁x₂y₁y₂)²(1 – dx₁x₂y₁y₂)² + (y₁y₂ – ax₁x₂)²(1 + dx₁x₂y₁y₂)²/(1 – dx₁x₂y₁y₂)²(1 + dx₁x₂y₁y₂)² = (1 – dx₁x₂y₁y₂)²(1 + dx₁x₂y₁y₂)²/(1 – dx₁x₂y₁y₂)²(1 + dx₁x₂y₁y₂)² + d(x₁y₂ + y₁x₂)²(y₁y₂ – ax₁x₂)²/(1 + dx₁x₂y₁y₂)²(1 – dx₁x₂y₁y₂)²

Now, all denominators are same, we can simplify them. Note that (1 + dx₁x₂y₁y₂)²(1 – dx₁x₂y₁y₂)² cannot be 0.

a(x₁y₂ + y₁x₂)²(1 – dx₁x₂y₁y₂)² + (y₁y₂ – ax₁x₂)²(1 + dx₁x₂y₁y₂)² = (1 – dx₁x₂y₁y₂)²(1 + dx₁x₂y₁y₂)² + d(x₁y₂ + y₁x₂)²(y₁y₂ – ax₁x₂)²

Set P to x₁x₂y₁y₂ to express this complex equation simpler.

a(x₁y₂ + y₁x₂)²(1 – dP)² + (y₁y₂ – ax₁x₂)²(1 + dP)² = (1 – dP)²(1 + dP)² + d(x₁y₂ + y₁x₂)²(y₁y₂ – ax₁x₂)²

The term (1 – dP)²(1 + dP)² can also be written as [(1 – dP)(1 + dP)]² = (1 – d²P²)²

a(x₁y₂ + y₁x₂)²(1 – dP)² + (y₁y₂ – ax₁x₂)²(1 + dP)² = (1 – d²P²)²  + d(x₁y₂ + y₁x₂)²(y₁y₂ – ax₁x₂)²

Evaluate the powers except (1 – d²P²)²

a(x₁²y₂² + y₁²x₂² + 2P)(1 + d²P² – 2dP) + (y₁²y₂² + a²x₁²x₂² – 2aP)(1 + d²P² + 2dP) = (1 – d²P²)² + d(x₁²y₂² + y₁²x₂² + 2P)(y₁²y₂² + a²x₁²x₂² – 2aP)

Focus on the left side. We can separate 1 + d²P² and 2dP multipliers.

---

---

(1 + d²P²)(a(x₁²y₂² + y₁²x₂² + 2P) + y₁²y₂² + a²x₁²x₂² – 2aP) + (2dP)(a(- x₁²y₂² – y₁²x₂² – 2P) + y₁²y₂² + a²x₁²x₂² – 2aP)

Move a multiplier into the paranthesis

(1 + d²P²)(ax₁²y₂² + ay₁²x₂² + 2aP + y₁²y₂² + a²x₁²x₂² – 2aP) + (2dP)(- ax₁²y₂² – ay₁²x₂² – 2aP + y₁²y₂² + a²x₁²x₂² – 2aP)

Plus and minus 2aP terms exist in the first paranthesis. We can remove them.

(1 + d²P²)(ax₁²y₂² + ay₁²x₂² + y₁²y₂² + a²x₁²x₂²) + (2dP)(- ax₁²y₂² – ay₁²x₂² – 2aP + y₁²y₂² + a²x₁²x₂² – 2aP)

We can rewrite the term (ax₁²y₂² + ay₁²x₂² + y₁²y₂² + a²x₁²x₂²) as (ax₁² + y₁²)(ax₂² + y₂²). Similarly, the term (- ax₁²y₂² – ay₁²x₂² – 2aP + y₁²y₂² + a²x₁²x₂² – 2aP) can be rewritten as ((ax₁² – y₁²)(ax₂² – y₂²) – 4aP).

(1 + d²P²)(ax₁² + y₁²)(ax₂² + y₂²) + (2dP)[(ax₁² – y₁²)(ax₂² – y₂²) – 4aP].

Move 2dP into the paranthesis

(1 + d²P²)(ax₁² + y₁²)(ax₂² + y₂²) + (2dP)(ax₁² – y₁²)(ax₂² – y₂²) – 8adP²

Now, focus on the right side.

---

---

(1 – d²P²)² + d(x₁²y₂² + y₁²x₂² + 2P)(y₁²y₂² + a²x₁²x₂² – 2aP)

Move 2P term to the outside of the paranthesis

(1 – d²P²)² + d[(x₁²y₂² + y₁²x₂²)(y₁²y₂² + a²x₁²x₂²) + 2P(y₁²y₂² + a²x₁²x₂² – ax₁²y₂² + ay₁²x₂²) – 4aP²]

The term (y₁²y₂² + a²x₁²x₂² – ax₁²y₂² + ay₁²x₂²) can be rewritten as (ax₁² – y₁²)(ax₂² – y₂²)

(1 – d²P²)² + d[(x₁²y₂² + y₁²x₂²)(y₁²y₂² + a²x₁²x₂²) + 2P(ax₁² – y₁²)(ax₂² – y₂²)- 4aP²]

Also, (x₁²y₂² + y₁²x₂²)(y₁²y₂² + a²x₁²x₂²) can be rewritten as (x₁²y₁²y₂⁴ + a²x₁⁴x₂²y₂² + x₂²y₁⁴y₂² + a²x₁²x₂⁴y₁²)

(1 – d²P²)² + d[(x₁²y₁²y₂⁴ + a²x₁⁴x₂²y₂² + x₂²y₁⁴y₂² + a²x₁²x₂⁴y₁²) + 2P(ax₁² – y₁²)(ax₂² – y₂²)- 4aP²]

The left side of the equation has (1 + d²P²). We can refactor the term (1 – d²P²)² on the right side.

(1 – d²P²)² = (1 + d²P²)² – 4d²P² = (1 + d²P²)(1 + d²P²) – 4d²P²

We got the term (1 + d²P²). Now, replace P value with original one in the multiplier.

---

---

(1 + d²P²)(1 + d²x₁²x₂²y₁²y₂²) – 4d²P²

Adding and substracting dx₁²y₁² and dx₂²y₂² values would not change the content.

(1 + d²P²)(1 + d²x₁²x₂²y₁²y₂² + dx₁²y₁² + dx₂²y₂² – dx₁²y₁² – dx₂²y₂²) – 4d²P²

Separate plus and minus sign terms in same side.

(1 + d²P²)(1 + d²x₁²x₂²y₁²y₂² + dx₁²y₁² + dx₂²y₂²) +(1 + d²P²)( – dx₁²y₁² – dx₂²y₂²) – 4d²P²

We can rewrite the term (1 + d²x₁²x₂²y₁²y₂² + dx₁²y₁² + dx₂²y₂²) as (1 + dx₁²y₁²)(1 + dx₂²y₂²)

(1 + d²P²)(1 + dx₁²y₁²)(1 + dx₂²y₂²) + (1 + d²P²)( – dx₁²y₁² – dx₂²y₂²) – 4d²P²

Rewrite (1 + d²P²)( – dx₁²y₁² – dx₂²y₂²)

(1 + d²P²)(1 + dx₁²y₁²)(1 + dx₂²y₂²) – dx₁²y₁² – dx₂²y₂² – d³x₂²y₂²(x₁⁴y₁⁴) – d³x₁²y₁²(x₂⁴y₂⁴) – 2d²x₁²y₁²x₂²y₂² – 2d²x₁²y₁²x₂²y₂²

Combine the parts that containing dx₁²y₁² and dx₂²y₂²

---

---

(1 + d²P²)(1 + dx₁²y₁²)(1 + dx₂²y₂²) – dx₁²y₁²(1 + d²x₂⁴y₂⁴ + 2dx₂²y₂²) – dx₂²y₂²(1 + d²x₁⁴y₁⁴ + 2dx₁²y₁²)

The second and third terms can be expressed as power of an addition.

(1 + d²P²)(1 + dx₁²y₁²)(1 + dx₂²y₂²) – dx₁²y₁²(1 + dx₂²y₂²)² – dx₂²y₂²(1 + dx₁²y₁²)²

Combine left and right sides

(1 + d²P²)(ax₁² + y₁²)(ax₂² + y₂²) + (2dP)(ax₁² – y₁²)(ax₂² – y₂²) – 8adP² = d[(x₁²y₁²y₂⁴ + a²x₁⁴x₂²y₂² + x₂²y₁⁴y₂² + a²x₁²x₂⁴y₁²) + 2P(ax₁² – y₁²)(ax₂² – y₂²)- 4aP²] + (1 + d²P²)(1 + dx₁²y₁²)(1 + dx₂²y₂²) – dx₁²y₁²(1 + dx₂²y₂²)² – dx₂²y₂²(1 + dx₁²y₁²)²

Move d multiplier into the paranthesis

(1 + d²P²)(ax₁² + y₁²)(ax₂² + y₂²) + (2dP)(ax₁² – y₁²)(ax₂² – y₂²) – 8adP² = dx₁²y₁²y₂⁴ + da²x₁⁴x₂²y₂² + dx₂²y₁⁴y₂² + da²x₁²x₂⁴y₁² + 2dP(ax₁² – y₁²)(ax₂² – y₂²)- 4adP² + (1 + d²P²)(1 + dx₁²y₁²)(1 + dx₂²y₂²) – dx₁²y₁²(1 + dx₂²y₂²)² – dx₂²y₂²(1 + dx₁²y₁²)²

The both left and right side have (2dP)(ax₁² – y₁²)(ax₂² – y₂²). We can remove these terms.

(1 + d²P²)(ax₁² + y₁²)(ax₂² + y₂²) – 8adP² = dx₁²y₁²y₂⁴ + da²x₁⁴x₂²y₂² + dx₂²y₁⁴y₂² + da²x₁²x₂⁴y₁² – 4adP² + (1 + d²P²)(1 + dx₁²y₁²)(1 + dx₂²y₂²) – dx₁²y₁²(1 + dx₂²y₂²)² – dx₂²y₂²(1 + dx₁²y₁²)²

Move – 8adP² to the right side.

---

---

(1 + d²P²)(ax₁² + y₁²)(ax₂² + y₂²) = dx₁²y₁²y₂⁴ + da²x₁⁴x₂²y₂² + dx₂²y₁⁴y₂² + da²x₁²x₂⁴y₁² + 4adP² + (1 + d²P²)(1 + dx₁²y₁²)(1 + dx₂²y₂²) – dx₁²y₁²(1 + dx₂²y₂²)² – dx₂²y₂²(1 + dx₁²y₁²)²

Put the real value of P in 4adP²

(1 + d²P²)(ax₁² + y₁²)(ax₂² + y₂²) = dx₁²y₁²y₂⁴ + da²x₁⁴x₂²y₂² + dx₂²y₁⁴y₂² + da²x₁²x₂⁴y₁² + 2adx₁²x₂²y₁²y₂² + 2adx₁²x₂²y₁²y₂² + (1 + d²P²)(1 + dx₁²y₁²)(1 + dx₂²y₂²)  – dx₁²y₁²(1 + dx₂²y₂²)² – dx₂²y₂²(1 + dx₁²y₁²)²

Combine terms that containing x₁²y₁² and x₂²y₂²

(1 + d²P²)(ax₁² + y₁²)(ax₂² + y₂²) = dx₁²y₁²(y₂⁴ + ax₂⁴ + 2ax₂²y₂²) + dx₂²y₂²(y₁⁴ + ax₁⁴ + 2ax₁²y₁²) + (1 + d²P²)(1 + dx₁²y₁²)(1 + dx₂²y₂²)  – dx₁²y₁²(1 + dx₂²y₂²)² – dx₂²y₂²(1 + dx₁²y₁²)²

We can rewrite the term (y₂⁴ + ax₂⁴ + 2ax₂²y₂²) as (ax₂² + y₂²)² and (y₁⁴ + ax₁⁴ + 2ax₁²y₁²) as (ax₁² + y₁²)²

(1 + d²P²)(ax₁² + y₁²)(ax₂² + y₂²) = dx₁²y₁²(ax₂² + y₂²)² + dx₂²y₂²(ax₁² + y₁²)²+ (1 + d²P²)(1 + dx₁²y₁²)(1 + dx₂²y₂²)  – dx₁²y₁²(1 + dx₂²y₂²)² – dx₂²y₂²(1 + dx₁²y₁²)²

Combine the terms that containing (1 + d²P²)

(1 + d²P²)[(ax₁² + y₁²)(ax₂² + y₂²) – (1 + dx₁²y₁²)(1 + dx₂²y₂²) ] = dx₁²y₁²(ax₂² + y₂²)² – dx₁²y₁²(1 + dx₂²y₂²)² + dx₂²y₂²(ax₁² + y₁²)² – dx₂²y₂²(1 + dx₁²y₁²)²

Still, we can combine terms containing dx₁²y₁² and dx₂²y₂²

---

---

(1 + d²P²)[(ax₁² + y₁²)(ax₂² + y₂²) – (1 + dx₁²y₁²)(1 + dx₂²y₂²) ] = dx₁²y₁²[(ax₂² + y₂²)² – (1 + dx₂²y₂²)²]+ dx₂²y₂²[(ax₁² + y₁²)² – (1 + dx₁²y₁²)²]

All terms in brackets must be equal to zero based on the twisted Edwards curve equation. This proves the theorem as claimed.

Regular Edwards curves (simplified version)

We have already proven the addition formula for regular Edward curves Bernstein and Tanja introduced by setting variable a to 1.

x² + y² = 1 + dx²y²

x₃ = (x₁y₂ + y₁x₂)/(1 + dx₁x₂y₁y₂)

y₃ = (y₁y₂ – ax₁x₂)/(1 – dx₁x₂y₁y₂) = (y₁y₂ – x₁x₂)/(1 – dx₁x₂y₁y₂)

So, we haven proven addition formula for both twisted and regular Edwards curves. In particular, twisted ones are backbones of edwards curve based digital signatures. This signatures offer either high speed and high security. Every security specialist must put Edwards curves in their toolbox.

---

Like this blog? Support me on Patreon

---