Edwards Curve
Definition
An Edwards Curve is a special form of elliptic curve introduced by Harold Edwards in 2007, defined over a field by the following equation:
where . This form is called the (original) Edwards Form. In practice, a more general and widely used variant is the Twisted Edwards Form:
where , , , and the curve is non-singular if .
Edwards curves are particularly useful in cryptography because they offer efficient and complete point addition formulas and resist many implementation bugs like those caused by exceptions in traditional Weierstrass addition.
Addition (Twisted Edwards Form)
Let and be two points on a Twisted Edwards curve defined by:
Then the sum is given by:
These formulas are complete over prime fields if is a non-square, meaning they work for all inputs, unlike the Weierstrass formulas which require case distinctions and exception handling (e.g., , , etc.).
Negation (Twisted Edwards Form)
The additive inverse of a point on a Twisted Edwards curve is:
This is because:
The x-coordinate changes sign,
The y-coordinate remains the same,
And:
where is the identity element of the group (just like or "point at infinity" in Weierstrass form).
Why does this work?
Let’s verify algebraically:
Using the addition formula:
,
,
Then:
If you substitute this back into the curve equation, you’ll find that the result corresponds to the identity point , confirming that .
Benefits of Edwards Curves
✅ Complete addition formulas (no exceptions)
✅ Efficient computation (fewer field multiplications than Weierstrass)
✅ Better resistance to side-channel attacks due to uniform operation patterns
✅ Symmetry in and makes certain transformations easier
These features make Edwards curves a popular choice in cryptographic systems such as:
Ed25519: widely used digital signature scheme (used in Signal, SSH, OpenSSH, etc.)
Curve25519: used for key exchange (X25519 in TLS, etc.)
References
Written by ryan Kim from A41
Last updated