Evaluation of the efficiency of differential addition of points of curves in the generalized Edwards form

A survey of the main properties of three classes of curves in the generalized Edwards form is given: complete, quadratic and twisted Edwards curves. The analysis of the Montgomery algorithm for differential addition of points for the Montgomery curve is carried out. An estimation of the record low cost of computing the scalar product kP of a point P is given, which is equal to 5M+4S+1U on one step of the iterative cycle (M is the cost of finite field multiplication, S is the cost of squaring, U is the cost of field multiplication by a known constant). A detailed derivation of the formulas for addition-subtraction and doubling points for the curve in the generalized Edwards form in projective coordinates of Farashahi-Hosseini is carried out. Moving from three-dimensional projective coordinates (X: Y: Z) to two-dimensional coordinates (W: Z) allows achieving the same minimum computational cost for the Edwards curves as for the Montgomery curve. Aspects of the choice of an Edwards-form curve acceptable for cryptography and its parameters optimization in the problem of differential addition of points are discussed. Twisted Edwards curves with the order of NE=4n (n is prime) at p≡5mod8 are recommended, minimizing the parameters a and d allows achieving the minimum cost estimation 5M+4S for one step of computing the point product. It is shown that the transition from the Weierstrass curves (the form used in modern cryptographic standards) to the Edwards curves makes it possible to obtain a potential gain in the speed of computing the scalar product of the point by a factor of 3.09.