Complete Addition Law for Montgomery Curves

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11975)


Montgomery curves allow efficient and side-channel resistant computation of ECDH using the Montgomery ladder. But the addition law of a Montgomery curve derived from the chord-tangent method is less efficient than that of other curve models such as a short Weierstrass curve and an Edwards curve. So, the usage of a Montgomery curve is strictly limited to ECDH only, such as the X25519 and X448 functions in IETF RFC 7748. For other operations, including fixed-base and multiple scalar multiplications, their birationally-equivalent (twisted) Edwards curves are recommended for use, since the conversions between Montgomery curves and their Edwards equivalents are simple. This conversion enables the use of the efficient complete addition law of the Edwards curve, which works for all pairs of input points with no exceptional cases. As a result, the combination allows secure and exception-free implementations, but at the expense of additional storage for the two curve parameters and for the conversion between them. However, smart devices in IoT environments that mainly operate ECDH (for example, the RawPublicKey mode of IETF RFC 7250) do not need to implement such a conversion if a complete addition law does exist for the Montgomery curves.

To make such implementations possible, we provide a complete addition law on Montgomery curves. The explicit formulas for the complete addition law are not as efficient as those of Edwards curves, but they can make the Montgomery curve addition operation more efficient compared to using the conversion to the (twisted) Edwards equivalent. We also confirmed the validity of the comparison by implementing these two methods of realizing the addition operation on Curve25519.
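The conversion route the abstract describes, as an added example (not code or formulas from the paper, and not the paper's new addition law): the chord-tangent law on Curve25519 with its case analysis, next to addition done by mapping to edwards25519 with the RFC 7748 birational map and applying the complete Edwards law. Function names are illustrative, and the sign of the base point's v-coordinate is an arbitrary choice.

```python
# Added illustration. Curve25519: v^2 = u^3 + A*u^2 + u over GF(P), P = 2^255 - 19.
P, A = 2**255 - 19, 486662

def inv(x):
    return pow(x, P - 2, P)            # Fermat inversion; maps 0 to 0, never raises

def sqrt(a):
    # P = 5 (mod 8): take a^((P+3)/8), multiply by sqrt(-1) = 2^((P-1)/4) if needed
    r = pow(a, (P + 3) // 8, P)
    if r * r % P != a % P:
        r = r * pow(2, (P - 1) // 4, P) % P
    assert r * r % P == a % P, "not a square"
    return r

S = sqrt(-486664)                      # scaling constant of the RFC 7748 map
D = -121665 * inv(121666) % P          # edwards25519: -x^2 + y^2 = 1 + D*x^2*y^2

def mont_add(p1, p2):
    """Chord-tangent law; None is the point at infinity. Every branch is a special case."""
    if p1 is None: return p2
    if p2 is None: return p1
    (u1, v1), (u2, v2) = p1, p2
    if u1 == u2:
        if (v1 + v2) % P == 0:
            return None                                         # P + (-P)
        lam = (3 * u1 * u1 + 2 * A * u1 + 1) * inv(2 * v1) % P  # tangent: doubling
    else:
        lam = (v2 - v1) * inv(u2 - u1) % P                      # chord: distinct u
    u3 = (lam * lam - A - u1 - u2) % P
    return (u3, (lam * (u1 - u3) - v1) % P)

def ed_add(q1, q2):
    """Complete twisted Edwards law (a = -1): one formula for every pair of inputs."""
    (x1, y1), (x2, y2) = q1, q2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + y1 * x2) * inv(1 + t) % P, (y1 * y2 + x1 * x2) * inv(1 - t) % P)

def to_ed(m):
    if m is None: return (0, 1)        # infinity -> neutral element
    u, v = m
    if v == 0: return (0, P - 1)       # (0, 0), the point of order 2
    return (S * u * inv(v) % P, (u - 1) * inv(u + 1) % P)

def to_mont(q):
    x, y = q
    if x == 0: return None if y == 1 else (0, 0)
    u = (1 + y) * inv(1 - y) % P
    return (u, S * u * inv(x) % P)

def add_via_edwards(p1, p2):
    return to_mont(ed_add(to_ed(p1), to_ed(p2)))

G = (9, sqrt(9**3 + A * 9**2 + 9))     # base point u = 9
```

The branching has moved out of the addition and into `to_ed` and `to_mont`, which still treat infinity and (0, 0) separately; this, together with holding both parameter sets, is the overhead of the conversion approach.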


Keywords: Elliptic curves · Montgomery curve · Complete addition law



We are grateful to the anonymous reviewers for their help in improving the quality of the paper. This work was supported by Institute for Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korean government (MSIT) (No.2017-0-00267).

References

  1. Aranha, D.F., Barreto, P.S., Pereira, G.C., Ricardini, J.E.: A note on high-security general-purpose elliptic curves. Cryptology ePrint Archive, Report 2013/647 (2013).
  2. Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006).
  3. Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389–405. Springer, Heidelberg (2008).
  4. Bernstein, D.J., Chuengsatiansup, C., Kohel, D., Lange, T.: Twisted Hessian curves. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 269–294. Springer, Cham (2015).
  5. Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 29–50. Springer, Heidelberg (2007).
  6. Bernstein, D.J., Lange, T.: A complete set of addition laws for incomplete Edwards curves. J. Number Theory 131(5), 858–872 (2011).
  7. Bos, J.W., Costello, C., Longa, P., et al.: Selecting elliptic curves for cryptography: an efficiency and security analysis. J. Cryptogr. Eng. 6, 259 (2016).
  8. Bosma, W., Lenstra, H.: Complete systems of two addition laws for elliptic curves. J. Number Theory 53(2), 229–240 (1995).
  9. Costello, C., Smith, B.: Montgomery curves and their arithmetic. J. Cryptogr. Eng. 8, 227 (2018).
  10. Edwards, H.M.: A normal form for elliptic curves. Bull. Am. Math. Soc. 44(3), 393–422 (2007).
  11. Farashahi, R.R., Joye, M.: Efficient arithmetic on Hessian curves. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 243–260. Springer, Heidelberg (2010).
  12. Garcia-Morchon, O., Kumar, S., Sethi, M.: Internet of Things (IoT) Security: State of the Art and Challenges. IETF RFC 8576 (2019).
  13. Hamburg, M.: Ed448-Goldilocks, a new elliptic curve. Cryptology ePrint Archive, Report 2015/625 (2015).
  14. Hart, W.: FLINT: Fast Library for Number Theory (2016).
  15. Langley, A., Hamburg, M., Turner, S.: Elliptic Curves for Security. IETF RFC 7748 (2016).
  16. Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987).
  17. Nir, Y., Josefsson, S.: Curve25519 and Curve448 for the Internet Key Exchange Protocol Version 2 (IKEv2) Key Agreement. IETF RFC 8031 (2016).
  18. Nir, Y., Josefsson, S., Pégourié-Gonnard, M.: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier. IETF RFC 8422 (2018).
  19. Renes, J., Costello, C., Batina, L.: Complete addition formulas for prime order elliptic curves. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 403–428. Springer, Heidelberg (2016).
  20. Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. IETF RFC 8446 (2018).
  21. Shelby, Z., Hartke, K., Bormann, C.: The Constrained Application Protocol (CoAP). IETF RFC 7252 (2014).
  22. Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 186, 2nd edn. Springer, New York (2009).
  23. Wouters, P., Tschofenig, H., Gilmore, J., Weiler, S., Kivinen, T.: Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). IETF RFC 7250 (2014).

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. The Affiliated Institute of ETRI, Daejeon, Korea
  2. Kookmin University, Seoul, Korea
