LogoLogo
LogoLogo
  • Introduction
    • About Us
    • Notations & Definitions
      • MPC
      • ZK
    • Contribute to this Site!
  • Primitives
    • Multiplication
      • Karatsuba Multiplication
      • Toom-Cook Multiplication
    • NAF (Non-adjacent form)
    • Chinese Remainder Theorem (CRT)
    • Euclidean Algorithm
      • Extended Euclidean Algorithm
      • Binary Euclidean Algorithm
      • Extended Binary Euclidean Algorithm
    • Coding Theory
      • Linear Code
    • Number Theoretic Transform
    • Abstract Algebra
      • Group
        • -Morphisms
        • Batch Inverse
      • Elliptic Curve
        • Weierstrass Curve
          • Coordinate Forms
          • Fast Elliptic Curve Arithmetic and Improved WEIL Pairing Evaluation
        • Edwards Curve
          • Coordinate Forms
          • Twisted Edwards ↔ Short Weierstrass Transformation
        • Batch Inverse for Batch Point Additions
        • Scalar Multiplication
          • Double-and-add
          • GLV Decomposition
        • MSM
          • Pippenger's Algorithm
          • Signed Bucket Index
          • CycloneMSM
          • EdMSM
          • cuZK
        • 2-Chain and 2-Cycle of Elliptic Curves
    • Encryption Scheme
      • ElGamal Encryption
    • Modular Arithmetic
      • Modular Reduction
        • Barrett Reduction
        • Montgomery Reduction
      • Modular Inverse
        • Bernstein-Yang's Inverse
    • Multiset Check
    • Sumcheck
    • Commitment Scheme
      • Fflonk
      • SHPlonk
      • Zeromorph
  • MPC
    • Yao's Garbled Circuits
    • GMW
    • BMR
  • ZK
    • Arithmetization
      • R1CS
      • PLONK
      • AIR
    • Folding
      • LatticeFold
      • Nova
        • Nova over Cycles of Curves
    • Lookup
      • Lasso
      • LogUp-GKR
    • SNARK
      • Groth16
      • HyperPlonk
      • Spartan
        • SPARK
    • STARK
      • Additive NTT
      • Basefold
      • Binius
      • Brakedown
      • CircleSTARK
      • FRI
        • FRI Security Features and Optimizations
      • DEEP FRI
      • STIR
      • WHIR
    • Distributed ZK
      • Ryan's Trick for Distributed Groth16
  • Application
    • zkLogin
    • zkHoldem
    • zkTLS
      • DECO
      • Proxying is enough
  • zkVM
Powered by GitBook
On this page
  • Definition
  • Addition (Twisted Edwards Form)
  • Negation (Twisted Edwards Form)
  • Why does this work?
  • Benefits of Edwards Curves
  • References
Export as PDF
  1. Primitives
  2. Abstract Algebra
  3. Elliptic Curve

Edwards Curve

PreviousFast Elliptic Curve Arithmetic and Improved WEIL Pairing EvaluationNextCoordinate Forms

Last updated 1 month ago

Definition

An Edwards Curve is a special form of elliptic curve introduced by Harold Edwards in 2007, defined over a field Fq\mathbb{F}_qFq​ by the following equation:

x2+y2=1+dx2y2x^2 + y^2 = 1 + dx^2y^2x2+y2=1+dx2y2

where d∈Fq∖{0,1}d \in \mathbb{F}_q \setminus \{0, 1\}d∈Fq​∖{0,1}. This form is called the (original) Edwards Form. In practice, a more general and widely used variant is the Twisted Edwards Form:

ax2+y2=1+dx2y2ax^2 + y^2 = 1 + dx^2y^2ax2+y2=1+dx2y2

where a,d∈Fqa, d \in \mathbb{F}_qa,d∈Fq​, a≠0a \ne 0a=0, d≠0d \ne 0d=0, and the curve is non-singular if a≠da \ne da=d.

Edwards curves are particularly useful in cryptography because they offer efficient and complete point addition formulas and resist many implementation bugs like those caused by exceptions in traditional .

Addition (Twisted Edwards Form)

Let P1=(x1,y1)P_1 = (x_1, y_1)P1​=(x1​,y1​) and P2=(x2,y2)P_2 = (x_2, y_2)P2​=(x2​,y2​) be two points on a Twisted Edwards curve defined by:

ax2+y2=1+dx2y2ax^2 + y^2 = 1 + dx^2y^2ax2+y2=1+dx2y2

Then the sum P3=P1+P2=(x3,y3)P_3 = P_1 + P_2 = (x_3, y_3)P3​=P1​+P2​=(x3​,y3​) is given by:

x3=x1y2+y1x21+dx1x2y1y2y3=y1y2−ax1x21−dx1x2y1y2x_3 = \frac{x_1 y_2 + y_1 x_2}{1 + d x_1 x_2 y_1 y_2} \\ y_3 = \frac{y_1 y_2 - a x_1 x_2}{1 - d x_1 x_2 y_1 y_2}x3​=1+dx1​x2​y1​y2​x1​y2​+y1​x2​​y3​=1−dx1​x2​y1​y2​y1​y2​−ax1​x2​​

These formulas are complete over prime fields if ddd is a non-square, meaning they work for all inputs, unlike the Weierstrass formulas which require case distinctions and exception handling (e.g., P=QP = QP=Q, y=0y = 0y=0, etc.).

Negation (Twisted Edwards Form)

The additive inverse of a point P=(x,y)P = (x, y)P=(x,y) on a Twisted Edwards curve is:

−P=(−x,y)-P = (-x, y)−P=(−x,y)

This is because:

  • The x-coordinate changes sign,

  • The y-coordinate remains the same,

  • And:

(x,y)+(−x,y)=O(x, y) + (-x, y) = \mathcal{O}(x,y)+(−x,y)=O

where O=(0,1)\mathcal{O} = (0, 1)O=(0,1) is the identity element of the group (just like O\mathcal{O}O or "point at infinity" in Weierstrass form).

Why does this work?

Let’s verify algebraically:

Using the addition formula:

  • x1=xx_1 = xx1​=x, y1=yy_1 = yy1​=y

  • x2=−xx_2 = -xx2​=−x, y2=yy_2 = yy2​=y

Then:

x3=xy+y(−x)1+dx(−x)yy=01−dx2y2=0y3=yy−ax(−x)1−dx(−x)yy=y2+ax21−dx2y2x_3 = \frac{x y + y (-x)}{1 + d x (-x) y y} = \frac{0}{1 - d x^2 y^2} = 0 \\ y_3 = \frac{y y - a x (-x)}{1 - d x (-x) y y} = \frac{y^2 + a x^2}{1 - d x^2 y^2}x3​=1+dx(−x)yyxy+y(−x)​=1−dx2y20​=0y3​=1−dx(−x)yyyy−ax(−x)​=1−dx2y2y2+ax2​

If you substitute this back into the curve equation, you’ll find that the result corresponds to the identity point O=(0,1)\mathcal{O} = (0,1)O=(0,1), confirming that (x,y)+(−x,y)=O(x,y) + (-x,y) = \mathcal{O}(x,y)+(−x,y)=O.

Benefits of Edwards Curves

  • ✅ Complete addition formulas (no exceptions)

  • ✅ Efficient computation (fewer field multiplications than Weierstrass)

  • ✅ Better resistance to side-channel attacks due to uniform operation patterns

  • ✅ Symmetry in xxx and yyy makes certain transformations easier

These features make Edwards curves a popular choice in cryptographic systems such as:

  • Ed25519: widely used digital signature scheme (used in Signal, SSH, OpenSSH, etc.)

  • Curve25519: used for key exchange (X25519 in TLS, etc.)

References

Written by from A41

Daniel J. Bernstein et al., "Twisted Edwards Curves"
ryan Kim
Weierstrass addition