1

I have noticed that DBL/diffadd in Edward/Montgomery form almost double fast than Weierstrass form(EFD), and curve25519 is empressive high-performance.The transformation between these forms can be covered by two ModInvs at most(even two ModMults). So the scalar multiplication in specific elliptic curves like p256 or Secp256k1 could transfer to scalar_mult in Edward/Montgomery form.

  1. Could these tranformation&AdditionChain&diffAdd be faster than the ordinary MADD&w-NAF&preCom methods?

  2. Of course Curve25519 is designed for Montgomery form, but the wide spread Weierstrass curves also have well-designed prime number. To what extent will the curve parameters affected the performance of Montgomery/Edward scalar_mult?

jfq
  • 23
  • 3

1 Answers1

2

Curves P-256 and Secp256k1 cannot be converted to Montgomery or Edwards forms because they are of prime order.

Let's take the example of Secp256k1 and try to convert it to a Montgomery curve:

A Montgomery curve $by^2=x^3+ax^2+x$ has a point of order 2. Such a point verifies $2P=\mathcal{O}$ or think of it equivalently $P=-P$ which means $(x,y)=(x,-y)$ so these points are on the $x$-axis. It is obvious then that the point $(0,0)$ on a Montgomery curve has order 2. Now given the secp256k1 curve $y^2\equiv x^3+7 \pmod p$ where $p=2^{256}-2^{32}-2^9-2^8-2^7-2^6-2^4-1$, we are looking for points on the $x$-axis which means those that satisfy $x^3 \equiv -7 \pmod p$. There is no solution to this modular cubic equation.

In general curve P-256 and Secp256k1 cannot be converted to Montgomery form because they have a prime order ($\ne 2$) and thus they cannot have a point of order $2$ (otherwise $2$ would divide a prime number beacause of Lagrange's theorem).

The same reasoning works for Edwards curve $x^2+y^2=1+dx^2y^2$ because the point $(0,-1)$ has order $2$ and the points $(\pm 1, 0)$ have order $4$.

Youssef El Housni
  • 704
  • 7
  • 9