XZ coordinates for Montgomery curves

Cisco Saeed

2/24/24, 5:46 PM

I am learning about Elliptic curve and I reached to Montgomery curve with XZ coordinates with this equation: b*y2=x3+a*x2+x and regarding the information from this link: XZ coordinates add and doubling

and I made this small code in matlab to understand the concepts:

% Define the elliptic curve parameters
a = 1;
b = 1;
p = 23;
% Define the base point
X1 = 8;
Y1 = 3;
Z1=1;
%Doubling
X3 = mod((X1^2-Z1^2)^2,p);
Z3 = mod(4*X1*Z1*(X1^2+a*X1*Z1+Z1^2),p);
%Addition
A = X2+Z2; %X2,Z2 Values?
B = X2-Z2;
C = X3+Z3; %X3,Z3 Does this come from Doubling?
D = X3-Z3;
DA = D*A;
CB = C*B;
X5 = (DA+CB)^2;
Z5 = X1*(DA-CB)^2; %X1 Does this come from Base Point?

in Doubling phase I can Understand X1, Z1 comes from Base Point, but in Addition phase I want to understand the values X2,Z2,X3,Z3,X1 come from where?

Because what I understand that I have base point then from doubling the base point then I got second point so obviously I have base Point X1,Z1 and from doubling I have X3,Z3 what about X2,Z2?

117

1 + 4

elliptic-curves

montgomery-multiplication

Cisco Saeed

2/25/24, 12:20 PM

Any idea about it?

Myria

2/28/24, 2:11 AM

My trouble in understanding that web page is that I don't know what "differential addition" is.

Cisco Saeed

2/28/24, 12:50 PM

@Myria what I understand it is to take `-R` Value as pseudo value, I am still testing it in Matlab and will come back with solution soon, I hope so!

fgrieu

3/28/24, 8:08 AM

[This answer](https://crypto.stackexchange.com/a/6383/555) explains differential addition. Basically, you add point $P$ and $Q$ also knowing $R=Q-P$ (or is it $R=P-Q$) in advance. Unfortunately I can't immediately tell per what order indices $1/2/3$ map to $P/Q/R$, else I would make that an answer. Also I think the question's formula assumes $Z_1=1$, and otherwise you need [these](https://www.hyperelliptic.org/EFD/g1p/auto-montgom-xz.html#diffadd-dadd-1987-m-3) slightly more complex formulas (and more modular reductions). If you solved your problem already, please make and accept an answer!

Score:2

Crypto

Glathil

3/28/24, 7:09 AM

I'm a novice, so I can't guarantee the correct answer, sorry.

For the initial values you mentioned, in the algorithm for curve25519, such as in this paper, it is specified in Algorithm 1 as: X1 = xP; X2 = 1; Z2 = 0; X3 = xP ; Z3 = 1, where P2 (1, 0) should refer to the point at infinity, which makes P1 and P3 the same point. When you replace the 121666 in Algorithm 2 with (A+2)/4, you can apply to the general Montgomery curve. This is also mentioned in Section 4.4.3 of this article.

I hope it helps:)

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: XZ coordinates for Montgomery curves

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.