I'm trying to understand benefits of using Twisted Edwards curve over regular Edwards curve. I'm aware of some properties of Twisted Edwards curve that regular Edwards curve missing like isomorphism and fact that every twisted Edwards curve is birationally equivalent to an elliptic curve in Montgomery form. But I can't get idea why it is beneficial for digital signature.
Asked
Active
Viewed 1,016 times
1 Answers
9
Little history;
1997 Peter L. Montgomery introduced the Montgomery curves in 1987 for speeding up the Speeding the Pollard and Elliptic Curve Methods of Factorization. This work is now famous due to the Montgomery Ladder that works on Montgomery curves ( there is Joye Ladder for other curve, however, that is slower compared to Montgomery Ladder)
1996 Paul C. Kocher represented the side-channel attack on their seminal work;
Kocher's paper increased the value of Montgomery Ladder from 1996 since the Mongtomery ladder provides side-channel resistance by design and have complete formula ( i.e. there is no additional handling for spacial cases like identity elements, etc. for details See 4.4.4 of Montgomery curves and the Montgomery ladder, Bernstein and Lange .
2007 Harold Edwards introduced Edwards curve in A normal form for elliptic curves at age 72.
2008 Bernstein et al. show that Every Montgomery curve can be expressed as a twisted Edwards curve, and vice versa.
As a conclusion, if we combine these works, we can see the reason as easy side-channel free implementations due to Montgomery Ladder on the Twisted Edwards and fast addition formulas.
Performance notes;
- Some details from the 2008 paper for explanation for performance of Twisted Edward curve;
This phenomenon is not an accident. Montgomery curves EM,A,B are normally chosen so that $(A + 2)/4$ is a small integer: this speeds up $u$-coordinate arithmetic, as Montgomery pointed out in 1997. The corresponding twisted Edwards curves have $d/a$ equal to $(A − 2)/(A + 2)$, a ratio of small integers, allowing fast arithmetic in twisted Edwards form.
Ed25519 has batch verification of 64 sigantures enables greater speed advantage.
More benefits of Ed25519 can be found at Bernstin's pages https://ed25519.cr.yp.to/
Note: While talking about fast formulas we should be careful since everything can change in the target platforms. As Squeamish Ossifrage pointed in the comment of the answer of Why Curve25519 for encryption but Ed25519 for signatures?
In certain circumstances it may be worthwhile to use X25519 with a Montgomery ladder even for signatures: qDSA seems to outperform EdDSA on microcontrollers, at substantially less memory and code size than other Edwards alternatives like FourQ
kelalaka
- 49,797
- 12
- 123
- 211