Parameterization of Edwards


Research in Science and Technology in the Field of Information Security

Parameterization of Edwards curves on the rational field Q with given torsion subgroups
Tung Linh Vo
Abstract— Extending Harold Edwards’s study of a new normal form of elliptic curves, Bernstein et al. generalized a family of curves, called the twisted Edwards curves, defined over a non-binary field given by an equation , where * + . The authors focused on the construction of efficient formulae for point addition on these curves in order to use them in secure cryptographic schemes. Theoretically, the authors showed how to parameterize Edwards curves having torsion subgroup or over the rational field . In the main result of this paper, we use the method that Bernstein et al. suggested to parameterize Edwards curves with the given torsion subgroups, which are , , or over .

Summary— To extend Harold Edwards's study of a new normal form for elliptic curves, Bernstein and his co-authors generalized a class of curves, called twisted Edwards curves, defined over a field of characteristic different from 2 and given by the equation , where * + . The authors focused on constructing efficient point addition formulas on this class of curves so that they can be used in secure cryptographic schemes. On the theoretical side, the authors showed how to parameterize Edwards curves having torsion subgroup or over the rational field . In the main result of this paper, we use the method of Bernstein and his co-authors to parameterize Edwards curves whose given torsion subgroup is , , or over the field .

Keywords: Edwards curve; twisted Edwards curve; torsion subgroup.

I. INTRODUCTION

In 2007, Harold Edwards [5] proposed a new normal form for elliptic curves. By generalizing an example originally from Euler and Gauss, Edwards introduced a new addition law for the curves ( ) defined over a non-binary field . Although the paper of Edwards did not focus on applying this normal form of elliptic curves in cryptography, subsequent studies have gradually shown that this form has desirable and useful cryptographic properties in comparison with the Weierstrass normal form.

Following this work, in [1, 2, 3, 4], Bernstein et al. generalized Edwards's study to curves given by an equation of the form , with * +. They combined Edwards's idea of an addition formula with the dual addition law proposed by Hisil et al. in [6] to propose a unique formula for both the addition and doubling laws. This is an essential proposal that yields a group structure on the set of points of twisted Edwards curves in general, and Edwards curves in particular. This unique formula is the basis for using the Edwards normal form in cryptography to resist side-channel attacks that exploit a power difference in computation between the addition and doubling formulas.

Using the addition law, Bernstein et al. [2] showed a parameterization method for Edwards curves so that they have given torsion subgroups over the rational field . However, the authors only presented the parameterization for two cases of torsion subgroups, ⁄ and ⁄ ⁄ . In this paper, we present this method for the remaining torsion subgroups, which are ⁄ , ⁄ , and ⁄ ⁄ .

The rest of the paper is organized as follows. Section II presents basic concepts of the Edwards normal form, i.e. Edwards and twisted Edwards curves. The next section presents the parameterization of Edwards curves with given torsion subgroups over . In Section IV, we summarize the main results of the paper.

This manuscript was received on December 12, 2017. It was reviewed on January 11, 2018 and accepted on January 21, 2018 by the first reviewer. It was reviewed on January 22, 2018 and accepted on January 31, 2018 by the second reviewer.

No. 2.CS (06) 2017


Journal of Science and Technology on Information security

II. EDWARDS NORMAL FORM

A. Definitions

In this section, we present Edwards curves and twisted Edwards curves in the general form of Bernstein et al. [1].

Definition 1 ([1]). Let be a field whose characteristic is not , and an element * +. The Edwards curve with coefficient , called , is a curve given by an equation:

(1)

A twisted Edwards curve with coefficients , called , is a curve given by an equation:

(2)

where * + .

Definition 2 ([1]). Assume that is a curve over . A quadratic twist of is a curve that is isomorphic to on the Galois field with , - .

It can easily be seen that the twisted Edwards curve is a quadratic twist of the Edwards curve ( ) . The map ( ) ( √ ) ( ) is an isomorphism from to over the Galois field (√ ). Therefore, if is a square in then is isomorphic to on .

Here is the definition of the Montgomery elliptic curve, which is needed for the results presented in the next sections.

Definition 3 ([1]). The Montgomery curve, , defined over a field is a curve given by an equation:

(3)

where * + and * +.

Since * +, we can divide both sides of this equation by , and get:

. / . / . / . / (4)

Set , we get an equation of Weierstrass form:

(5)

Therefore, a map ( ) . / transforms a Montgomery curve to Weierstrass form. In other words, a Montgomery curve is a particular case of an elliptic curve in general Weierstrass form.

The next lemma gives a relationship between a twisted Edwards curve and a Montgomery curve.

Lemma 1 ([1]). Every twisted Edwards curve over is birationally equivalent to a Montgomery curve , where ( )⁄ ( ) and ⁄( ).

B. Addition Law

Bernstein et al. [1] constructed the addition law on twisted Edwards curves, which generalizes the addition formula of Edwards presented in [5].

Definition 4 ([1]). Let be a field with ( ) , and , with * + is a twisted Edwards curve over . Let ( )( ) be two points on . Then the sum of these points over is defined by

( ) ( ) ( )
. / (6)

The neutral element is ( ), and the negative of ( ) is (– ).

As shown by the authors in [1], the addition law in Definition 4 is correct and complete if is a square in and is a nonsquare in , i.e. the addition law is well-defined on every pair of points on the twisted Edwards curve . Moreover, this law works for doubling, i.e. the case in which ( ) ( ). However, there is a case in which this addition is not well-defined, i.e. denominators in the above formula equal 0, in other words * +. The following lemma shows particular cases of the exception.

Lemma 2. Let be a twisted Edwards curve over . Assume there exists such that . Given two arbitrary points ( )( ) on the curve. Then, * + if and only if ( ) in which is a set of points . /, . /, . /, . /, . /, . /, . /, . /.

Proof. Necessity: Assume that * +. Then, , and if we fix


, then are roots of the system of equations

( )( )
{ (7)

By solving the system of equations above, we get ( ) being points given by the statement of the lemma.

Sufficiency: Conversely, by substituting the points of for ( ), we compute and directly obtain the result of the lemma.

It can easily be seen that the addition law in Definition 4 involves both coefficients of the curve. To reduce the dependence on these coefficients when computing the addition law, Hisil, Carter, Wong, and Dawson [6] built a new addition law, called Dual Addition, as follows:

( ) ( ) ( )
(8)
( )

This addition formula depends on only one coefficient of the curve. The authors of [6] have shown that this formula and the addition law in Definition 4 give the same results when both are defined. However, the Dual Addition has a weakness: it does not work for doubling. If ( ) ( ), the computation of the second coordinate ( )⁄( ) results in . Despite this weakness, the dual addition, where it is well-defined, has advantages in computational efficiency [6].

Similarly to the addition in Definition 4, we indicate the exceptional cases of the dual addition on the twisted Edwards curve when are squares in .

Lemma 3 ([6]). With an assumption similar to Lemma 2, then ( )( ) if and only if ( ) , where is a set containing points ( ), ( ), . /, . /, . /, . /, . /, . / if they are well-defined.

C. A complete addition formula

In the previous subsection, we presented two addition formulas on the twisted Edwards curve. However, as seen in Lemmas 2 and 3, both of these formulas have the drawback that there exist exceptional cases in which the addition does not work. This means that they are not a well-defined operation on the set of points, called ( ), of a twisted Edwards curve with * + arbitrary. To overcome this drawback and construct a binary operation on the whole set of points of twisted Edwards curves, D.J. Bernstein and T. Lange [4] provide a solution as follows. They embed the twisted Edwards curve into in , and indicate the cases in which the addition law in Definition 4 does not work, so that the formulae of Dual Addition are used instead, and vice versa. Then the addition law is really a binary operation on the whole set of points of the twisted Edwards curve.

Fix a twisted Edwards curve, , defined by an equation

over the field whose characteristic is not , * +, . The projective closure of in is

̅ ( )
(( )( ))
{ } (9)

Each point ( ) on the affine curve is embedded as usual into by ( ) (( )( )). Conversely, a point (( )( )) ̅ ( ) with corresponds to the point with coordinates ( ⁄ ⁄ ) on the affine curve .

For , we consider two cases: ( ) ( ) or ( ) ( ).

If ( ) ( ), the equation of the curve becomes . Then, we have two points (( )( )) .( )( √ )/, and these points are defined over the extension field (√ ). The authors in [4] show that these points correspond to ( ) in the projective closure of in .

If ( ) ( ), then the equation of the curve becomes . Then, we also have two points (( )( )) .( √ )( )/, and these points are defined over the extension field (√ ).
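The exceptional cases of the two addition laws in Section II.B (Lemmas 2 and 3), which motivate the complete law of this subsection, can be counted by brute force on a toy curve. The following is an added example, not code from the paper: it assumes the standard affine formulas for the unified and dual laws (written out in the code), and the function names, the prime p = 13 and the coefficients a = 1, d = 2 or 3 are constructed for illustration.

```python
# Added example (not from the paper): exceptional cases of the unified and
# dual addition laws on toy twisted Edwards curves
#     a*x^2 + y^2 = 1 + d*x^2*y^2  over F_13.
# The two formulas are the standard affine ones from the literature, taken
# here as an assumption about equations (6) and (8); p, a, d are constructed.
from itertools import product

P = 13  # toy prime, small enough to enumerate every pair of points


def curve_points(a, d, p=P):
    """All affine points of a*x^2 + y^2 = 1 + d*x^2*y^2 over F_p."""
    return [(x, y) for x, y in product(range(p), repeat=2)
            if (a*x*x + y*y - 1 - d*x*x*y*y) % p == 0]


def unified_add(p1, p2, a, d, p=P):
    """Unified law (also used for doubling); None if a denominator is 0."""
    (x1, y1), (x2, y2) = p1, p2
    t = d * x1 * x2 * y1 * y2 % p
    dx, dy = (1 + t) % p, (1 - t) % p
    if dx == 0 or dy == 0:
        return None
    return ((x1*y2 + y1*x2) * pow(dx, -1, p) % p,
            (y1*y2 - a*x1*x2) * pow(dy, -1, p) % p)


def dual_add(p1, p2, a, p=P):
    """Dual law, independent of d; None if a denominator is 0."""
    (x1, y1), (x2, y2) = p1, p2
    dx, dy = (y1*y2 + a*x1*x2) % p, (x1*y2 - y1*x2) % p
    if dx == 0 or dy == 0:
        return None
    return ((x1*y1 + x2*y2) * pow(dx, -1, p) % p,
            (x1*y1 - x2*y2) * pow(dy, -1, p) % p)


def exceptional_pairs(a, d, p=P):
    """Pairs of curve points on which the unified law is undefined."""
    pts = curve_points(a, d, p)
    return [(q, r) for q in pts for r in pts
            if unified_add(q, r, a, d, p) is None]


def laws_agree(a, d, p=P):
    """True if both laws give the same sum wherever both are defined."""
    pts = curve_points(a, d, p)
    for q, r in product(pts, repeat=2):
        u, v = unified_add(q, r, a, d, p), dual_add(q, r, a, p)
        if u is not None and v is not None and u != v:
            return False
    return True


if __name__ == "__main__":
    # a = 1 is a square; d = 2 is a nonsquare and d = 3 is a square mod 13.
    for d in (2, 3):
        pts = curve_points(1, d)
        dual_fail = sum(dual_add(q, q, 1) is None for q in pts)
        print(f"d={d}: {len(pts)} points, "
              f"{len(exceptional_pairs(1, d))} unified exceptions, "
              f"dual law undefined on {dual_fail}/{len(pts)} doublings, "
              f"laws agree: {laws_agree(1, d)}")
```

With d = 2 (a nonsquare) the unified law has no exceptional pairs, while d = 3 (a square) produces some, including the doubling of (4, 6). The dual law is undefined on every doubling in both cases, which is why an implementation that switches formulas between addition and doubling exposes the difference the introduction refers to.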


The authors in [4] also show that these points correspond to ( ) in the projective closure of in . Using this coordinate representation of points, the authors of [4] proved the following results to construct a complete addition law over twisted Edwards curves.

Theorem 1 ([4]). Let be a twisted Edwards curve defined over . Assume ̅ ( ) with (( )( )) and (( )( )). We define

Then, and . Moreover, at least one of the following cases holds:

• ( ) ( ) and ( ) ( ),
• ( ) ( ) and ( ) ( )

By the above theorem, an addition law over twisted Edwards curves is constructed as follows.

Theorem 2 ([4]). Let be a twisted Edwards curve and define , as in Theorem 1. Define as follows:

• (( )( )) if ( ) ( ) and ( ) ( );
• .( )( )/ if ( ) ( ) and ( ) ( );
• If both cases are applicable, then is defined arbitrarily by one of the above definitions.

Then ̅ ( ).

Then, we have a fact about the set of points of a twisted Edwards curve.

Theorem 3 ([4]). With the addition law defined as in Theorem 2, the set of points ̅ ( ) is an abelian group whose neutral element is (( )( )) and the negative of (( )( )) is (( )( )). Moreover, the group ̅ ( ) is isomorphic to ̅ ( ), where

̅ ( )
( ) { }

is the projective closure in of the Montgomery curve

,

and with ( )⁄( ) and ⁄( ).

By direct computation, we can determine particular points of low order in the group ̅ ( ) of a twisted Edwards curve.

Theorem 4 ([2]). Assume that is a twisted Edwards curve over whose ( ) . Then:

1. The point of order 1, i.e. the neutral element in ̅ ( ), is (( )( )).

2. The points of order 2 in ̅ ( ) are:
• (( )( )).
• .( )( √ )/ if .

3. The points of order in ̅ ( ) are:
• .( √ )( )/ if .
• .( √ )( )/ if .
• (. √ ⁄ / ( √ )) if ⁄ , and ⁄ are squares in , where the signs may be chosen independently.

4. The points of order in ̅ ( ) doubling to .( √ )( )/ are:
• (( )( )) with , , satisfied .

5. The points of order in ̅ ( ) doubling to .( √ )( )/ are:


 (( )( )) with , Then, from Theorem 3, the point group of


satisfied . is isomorphic to the point group of the elliptic
curve :
6. The points of order in ̅ ( ) are:
(( )( )) with * + satisfied
. where ( )⁄( ) and
⁄( ). The map ( ) ( ) . /
III. PARAMETERIZATION OF EDWARDS transform into an elliptic curve of
CURVES WITH TORSION SUBGROUPS
Weierstrass form.
GIVEN OVER RATIONAL FIELD
Assuming that is an elliptic curve over the
rational field , and notate ( ) be a group of
points of this curve. According to the Mordell- or
Weil theorem ([7, Theo.8.17]), we have ( ) to ( )
be a finitely generated abelian group. In particular,
using the theorem on structure of a finitely
generated abelian group ([7, Theo.B.4]), it can be Then, we have an isomorphism
shown that ( ) ( )
( ) ( ) According to the case 3 of Theorem 4, the
in which ( ) notates a finite subgroup, called Edwards curve always has a point of order
torsion subgroup of the elliptic curve over , that is ( ), in other words, it is (( )( )),
and is an integer, called the rank of ( ). so from Mazur’s Theorem, it follows that, the
In a simple way, it can be called that ( ) is torsion subgroup ( ) of can only be
the torsion part and is the free part of the group isomorphic to one of groups ⁄ , ⁄ , ⁄ ,
of points on elliptic curve ( ). Therefore, to ⁄ ⁄ or ⁄ ⁄ .
determine the group of points of elliptic curves
Mazur’s Theorem and Note 1 give us the
over , we must identify the torsion subgroup ( ) of
possibility of torsion subgroup
( ) and the free rank . In this section, we
Edwards curve defined over without knowing
consider the torsion subgroup of curves of
of what parameters to provide that torsion
Edwards forms.
subgroup. To solve this, in [2] the authors point
Related to the structure of torsion subgroups out the parameterization of Edwards curves whose
on elliptic curves over the field , the following torsion subgroups are ⁄ and ⁄ ⁄ ,
classical theorem, called Mazur Theorem, respectively. The following theorems provides of
indicates that: particular results.
Theorem 5 (Mazur Theorem [7]). Let be Theorem 6 ([2]). The Edwards curve
an elliptic curve defined over . Then the torsion defined over has a
subgroup, ( ), of ( ) is isomorphic to one point of order , or equivalently, the torsion
of the following: subgroup ( ) of is isomorphic to ⁄ if
and only if
( )
⁄ ( ) ( )
{ * +
⁄ ⁄ ( ) ( )
Now, we consider a case of Edwards Theorem 7 ([2]). The Edwards curve
defined over the field with * +. defined over has
We consider following note. torsion subgroup ( ) isomorphic to ⁄
⁄ and has points of order doubling to
Note 1. Asssume that
( ) if and only if
is an Edwards curve defined over with
.


( ) ( )
( )
* +

For the remainder of the paper, we present the parameterization of Edwards curves defined over whose torsion subgroups are ⁄ , ⁄ or ⁄ ⁄ , respectively.

Theorem 8. The Edwards curve , * + has torsion subgroup ( ) isomorphic to ⁄ if and only if is not a square in and ( )⁄ where * +.

Proof. Necessity: Assume that an Edwards curve defined over such that

( ) ⁄

Since ⁄ has only one point of order , the same holds for the group of points of . By the second case of Theorem 4, has a point of order 2 which is ( ), that is, the point (( )( )), and it is the unique point of order on if and only if is not a square. In addition, with this value of , has only two points of order 4 by the third case of Theorem 4, which are ( ) and ( ). Now, we assume be a point of order of . Following the fourth case of Theorem 4, we have * + satisfying the equation . Since is a point on , we must have , because otherwise it leads to , which contradicts the assumption on . Moreover, the curve equation results in ( )⁄ and . We rewrite

. / ( )(
( )( )
) ( )( ). /.

Because is not a square, so that in . So, the equation has only two roots and – , and by Theorem 4, has only four points of order : ( ), ( ), ( ) and ( ).

Therefore, if ( ) ⁄ , must satisfy to be not a square in and ( )⁄ with * +.

Sufficiency: Conversely, if ( )⁄ for * + and is not a square. So . Then the Edwards curve defined over has only a point of order 2 and two points of order 4 because of Theorem 4. Moreover, the assumption ( )⁄ implies that satisfies the equation , so, by Theorem 4, ( ) are points of order 8 on . Since is not a square, the equation has only two roots of and – in . Therefore, all the points of order 8 of are ( ), ( ), ( ), and (– ). Lastly, we use Mazur's theorem to get

( ) ⁄

Theorem 9. The Edwards curve defined over has the torsion subgroup ( ) isomorphic to ⁄ ⁄ if and only if where * + such that ( )( ) for all .

Proof. Necessity: Assume an Edwards curve has torsion subgroup ( ) ⁄ ⁄ . Then, since ⁄ ⁄ has only three points of order 2, four of order 4, and no points of order 8, the same holds for . According to Theorem 4, this case appears if and only if ( ) where is a square in , i.e. with * +. Moreover, since does not have a point of order 8, the equation ( )( ) does not have any roots in by Theorem 4.

Sufficiency: Conversely, suppose we have an Edwards curve defined over in which satisfies the conditions of the theorem. Then, using Theorem 4 to compute directly, we conclude that the Edwards curve contains only three points of order 2, four of order 4, and no point of order . Therefore, by Mazur's theorem, we obtain

( ) ⁄ ⁄

From the above results, we obtain a consequence on the parameterization of Edwards curves over with given torsion subgroups.

Corollary 1. Given * +. An Edwards curve defined over by an equation


has a torsion subgroup ( ) which is isomorphic to ⁄ if and only if does not satisfy any of the conditions shown in Theorems 6, 7, 8, 9 above.

Proof. The corollary follows from Note 1 and Theorems 6, 7, 8, 9.

IV. CONCLUSION

In this paper, we presented basic concepts of the generalization of Edwards curves called twisted Edwards curves, and the addition law on the set of their points. The paper focuses on the parameterization of Edwards curves having a given torsion subgroup over the rational field Q. The main results are presented in Theorems 8, 9 and Corollary 1.

Studying the parameterization of Edwards curves is useful for constructing families of Edwards curves that are suitable for cryptographic applications. In [2], the authors use the parameterization of Edwards curves to construct suitable curves for the Elliptic Curve Method (ECM) of integer factorization.

However, the parameterization in this paper is considered only for Edwards curves, not for the case of twisted Edwards curves. The cryptographic applicability of these curves is also not discussed. These problems are clearly interesting, with many practical implications, and need further investigation.

ACKNOWLEDGMENT

First of all, we would like to thank the editors and the reviewers, who contributed deep, valuable comments on the scientific content as well as the presentation of the article. We would also like to thank our colleagues for their help with the article.

REFERENCES

[1]. D.J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters, “Twisted Edwards curves”, In Africacrypt 2008, vol. 5023 of Lecture Notes in Computer Science, pp. 389-405, 2008.
[2]. D.J. Bernstein, P. Birkner, T. Lange, C. Peters, “ECM using Edwards curves”, Mathematics of Computation, vol. 82, pp. 1139-1179, AMS, 2013.
[3]. D.J. Bernstein, T. Lange, “Faster addition and doubling on elliptic curves”, In Asiacrypt 2007, vol. 4833 of Lecture Notes in Computer Science, pp. 29-50, Springer, 2007.
[4]. D.J. Bernstein, T. Lange, “A complete set of addition laws for incomplete Edwards curves”, Journal of Number Theory, vol. 131, pp. 858-872, 2011.
[5]. H.M. Edwards, “A normal form of elliptic curves”, Bulletin of the American Mathematical Society, vol. 44, pp. 393-422, 2007.
[6]. H. Hisil, K.K-H. Wong, G. Carter, E. Dawson, “Twisted Edwards curves revisited”, In Asiacrypt 2008, vol. 5350 of Lecture Notes in Computer Science, pp. 326-343, Springer, Heidelberg, 2008.
[7]. L.C. Washington, “Elliptic Curves: Number Theory and Cryptography”, CRC Press, Boca Raton, 2008.

ABOUT THE AUTHOR

MS. Tung Linh Vo
Workplace: Institute of Cryptography Science and Technology.
Email: [email protected]
Education: received a bachelor's degree in mathematics from Hanoi University of Science in 2005, and a master's degree in mathematics from Hanoi University of Science in 2014.
Current research: elliptic curve cryptography; public key cryptography.
