Formal Proof of the Group Law for Edwards Elliptic Curves

Abstract

This article gives an elementary computational proof of the group law for Edwards elliptic curves. The associative law is expressed as a polynomial identity over the integers that is directly checked by polynomial division. Unlike other proofs, no preliminaries such as intersection numbers, Bézout’s theorem, projective geometry, divisors, or Riemann Roch are required. The proof of the group law has been formalized in the Isabelle/HOL proof assistant.

Introduction

Elliptic curve cryptography is a cornerstone of mathematical cryptography. Many cryptographic algorithms (such as the Diffie-Hellman key exchange algorithm which inaugurated public key cryptography) were first developed in the context of the arithmetic of finite fields. The preponderance of finite-field cryptographic algorithms have now been translated to an elliptic curve counterpart. Elliptic curve algorithms encompass many of the fundamental cryptographic primitives: pseudo-random number generation, digital signatures, integer factorization algorithms, and public key exchange.

One advantage of elliptic curve cryptography over finite-field cryptography is that elliptic curve algorithms typically obtain the same level of security with smaller keys than finite-field algorithms. This often means more efficient algorithms.

Elliptic curve cryptography is the subject of major international cryptographic standards (such as NIST). Elliptic curve cryptography has been implemented in widely distributed software such as NaCl [BLS12]. Elliptic curve algorithms appear in nearly ubiquitous software applications such as web browsers and digital currencies.

The same elliptic curve can be presented in different ways by polynomial equations. The different presentations are known variously as the Weierstrass curve $(y^2=\text{cubic in}x)$, Jacobi curve $(y^2=\text{quartic in}x)$, and Edwards curve (discussed below).

The set of points on an elliptic curve forms an abelian group. Explicit formulas for addition are given in detail below. The Weierstrass curve is the most familiar presentation of an elliptic curve, but it suffers from the shortcoming that the group law is not given by a uniform formula on all inputs. For example, special treatment must be given to the point at infinity and to point doubling: $P\mapsto 2P$. Exceptional cases are bad; they are the source of hazards such as side-channel attacks (timing attacks) by adversaries and implementation bugs [BJ02].

Edwards curves have been widely promoted for cryptographic algorithms because their addition law avoids exceptional cases and their hazards. Every elliptic curve (in characteristic different from 2) is isomorphic to an elliptic curve in Edwards form (possibly after passing to a quadratic extension). Thus, there is little loss of generality in considering elliptic curves in Edwards form. For most cryptographic applications, Edwards curves suffice.

The original contributions of this article are both mathematical and formal. Our proof that elliptic curve addition satisfies the axioms of an abelian group is new (but see the literature survey below for prior work). Our proofs were designed with formalization specifically in mind. To our knowledge, our proof of associativity in Sect. 3.3 is the most elementary proof that exists anywhere in the published literature (in a large mathematical literature on elliptic curves extending back to Euler’s work on elliptic integrals). Our proof avoids the usual machinery found in proofs of associativity (such as intersection numbers, Bézout’s theorem, projective geometry, divisors, or Riemann Roch). Our algebraic manipulations require little more than multivariate polynomial division with remainders, even avoiding Gröbner bases in most places. Based on this elementary proof, we give a formal proof in the Isabelle/HOL proof assistant that every Edwards elliptic curve (in characteristic other than 2) satisfies the axioms of an abelian group.1

It is natural to ask whether the proof of the associative law also avoids exceptional cases (encountered in Weierstrass curves) when expressed in terms of Edwards curves. Indeed, this article gives a two-line proof of the associative law for so-called complete Edwards curves that avoids case splits and all the usual machinery.

By bringing significant simplification to the fundamental proofs in cryptography, our paper opens the way for the formalization of elliptic curve cryptography in many proof assistants. Because of its extreme simplicity, we hope that our approach might be widely replicated and translated into many different proof assistants.

Published Literature

A number of our calculations are reworkings of calculations found in Edwards, Bernstein, Lange et al. [Edw07], [BBJ+08], [BL07]. A geometric interpretation of addition for Edwards elliptic curves appears in [ALNR11].

Working with the Weierstrass form of the curve, Friedl was the first to give a proof of the associative law of elliptic curves in a computer algebra system (in Cocoa using Gröbner bases) [Fri98, Fri17]. He writes, “The verification of some identities took several hours on a modern computer; this proof could not have been carried out before the 1980s.” These identities were later formalized in Coq with runtime one minute and 20 s [The07]. A non-computational Coq formalization based on the Picard group appears in [BS14]. By shifting to Edwards curves, we have eliminated case splits and significantly improved the speed of the computational proof.

An earlier unpublished note contains more detailed motivation, geometric interpretation, pedagogical notes, and expanded proofs [Hal16]. The earlier version does not include formalization in Isabelle/HOL. Our formalization uncovered and corrected some errors in the ideal membership problems in [Hal16] (reaffirming the pervasive conclusion that formalization catches errors that mathematicians miss).

Other formalizations of elliptic curve cryptography are found in Coq and ACL2 by different methods [Rus17]. After we posted our work to the arXiv, another formalization was given in Coq along our same idea [Erb17, EPG+17]. It goes further by including formalization of implementation of code, but it falls short of our work by not including the far more challenging and interesting case of projective curves.

We do not attempt to survey the various formalizations of cryptographic algorithms built on top of elliptic curves. Because of the critical importance of cryptography to the security industry, the formalization of cryptographic algorithms is rightfully a priority within the formalization community.

Group Axioms

This section gives an elementary proof of the group axioms for addition on Edwards curves (Theorem 1). We include proofs, because our approach is not previously published.

Our definition of Edwards curve is more inclusive than definitions stated elsewhere. Most writers prefer to restrict to curves of genus one and generally call a curve with $c\ne 1$ a twisted Edwards curve. We have interchanged the x and y coordinates on the Edwards curve to make it consistent with the group law on the circle.

Rings and Homomorphisms

In this section, we work algebraically over an arbitrary field k. We assume a basic background in abstract algebra at the level of a first course (rings, fields, homomorphisms, and kernels). We set things up in a way that all of the main identities to be proved are identities of polynomials with integer coefficients.

All rings are assumed to be commutatative with identity $1\ne 0$. If R is an integral domain and if $\delta \in R$, then we write $R[\frac{1}{\delta }]$ for the localization of R with respect to the multiplicative set $S=\{1,\delta ,{\delta }^2,\dots \}$; that is, the set of fractions with numerators in R and denominators in S. We will need the well-known fact that if $\varphi :R\to A$ is a ring homomorphism sending $\delta$ to a unit in A, then $\varphi$ extends uniquely to a map $R[\frac{1}{\delta }]\to A$ that maps a fraction $r/{\delta }^i$ to $\varphi (r)\varphi {({\delta }^i)}^{-1}$.

Lemma 1

(kernel property). Suppose that an identity $r=r_1{e}_1+r_2{e}_2+\cdots +r_k{e}_k$ holds in a commutative ring R. If $\varphi :R\to A$ is a ring homomorphism such that $\varphi (e_i)=0$ for all i, then $\varphi (r)=0$.

Proof

$\varphi (r)={\sum }_{i=1}^k\varphi (r_i)\varphi (e_i)=0.$    $\square$

We use the following rings: $R_0:=\mathbb{Z}[c,d]$ and $R_n:=R_0[x_1,y_1,\dots ,x_n,y_n]$. We introduce the polynomial for the Edwards curve. Let

$$\begin{array}{c}\hfill e(x,y)=x^2+c{y}^2-1-d{x}^2{y}^2\in R_0[x,y].\end{array}$$ 1

We write $e_i=e(x_i,y_i)$ for the image of the polynomial in $R_j$, for $i\le j$, under $x\mapsto x_i$ and $y\mapsto y_i$. Set ${\delta }_x={\delta }^{-}$ and ${\delta }_y={\delta }^{+}$, where

$$\begin{array}{c}\hfill {\delta }^{\pm }(x_1,y_1,x_2,y_2)=1\pm d{x}_1{y}_1{x}_2{y}_2\text{and}\end{array}$$

$$\delta (x_1,y_1,x_2,y_2)={\delta }_x{\delta }_y\in R_2.$$

We write ${\delta }_{\mathit{ij}}$ for its image of $\delta$ under $(x_1,y_1,x_2,y_2)\mapsto (x_i,y_i,x_j,y_j)$. So, $\delta ={\delta }_{12}$.

Inverse and Closure

We write $z_i=(x_i,y_i)$. We define a pair of rational functions that we denote using the symbol ${\oplus }_0$:

$$\begin{array}{c}\hfill z_1{\oplus }_0{z}_2=\left(\frac{x_1{x}_2-c{y}_1{y}_2}{1-d{x}_1{x}_2{y}_1{y}_2},\frac{x_1{y}_2+y_1{x}_2}{1+d{x}_1{x}_2{y}_1{y}_2}\right)\in R_2[\frac{1}{\delta }]\times R_2[\frac{1}{\delta }].\end{array}$$ 2

When specialized to $c=1$ and $d=0$, the polynomial $e(x,y)=x^2+y^2-1$ reduces to a circle, and (2) reduces to the standard group law on a circle. Commutativity is a consequence of the subscript symmetry $1\leftrightarrow 2$ evident in the pair of rational functions:

$$z_1{\oplus }_0{z}_2=z_2{\oplus }_0{z}_1.$$

If $\varphi :R_2[\frac{1}{\delta }]\to A$ is a ring homomorphism, we also write $P_1{\oplus }_0{P}_2\in A^2$ for the image of $z_1{\oplus }_0{z}_2$. We write $e(P_i)\in A$ for the image of $e_i=e(z_i)$ under $\varphi$. We often mark the image $\overline{r}=\varphi (r)$ of an element with a bar accent.

Let $\iota (z_i)=\iota (x_i,y_i)=(x_i,-y_i)$. The involution $z_i\to \iota (z_i)$ gives us an inverse with properties developed below.

There is an obvious identity element (1, 0), expressed as follows. Under a homomorphism $\varphi :R_2[\frac{1}{\delta }]\to A$, mapping $z_1\mapsto P$ and $z_2\mapsto (1,0)$, we have

$$\begin{array}{c}\hfill P{\oplus }_0(1,0)=P.\end{array}$$ 3

Lemma 2

(inverse). Let $\varphi :R_2[\frac{1}{\delta }]\to A$, with $z_1\mapsto P$, $z_2\mapsto \iota (P)$. If $e(P)=0$, then $P{\oplus }_0\iota (P)=(1,0)$.

Proof

Plug $P=(a,b)$ and $\iota P=(a,-b)$ into (2) and use $e(P)=0$.    $\square$

Lemma 3

(closure under addition). Let $\varphi :R_2[\frac{1}{\delta }]\to A$ with $z_i\mapsto P_i$. If $e(P_1)=e(P_2)=0$, then

$$e(P_1{\oplus }_0{P}_2)=0.$$

Proof

This proof serves as a model for several proofs that are based on multivariate polynomial division. We write

$$e(z_1{\oplus }_0{z}_2)=\frac{r}{{\delta }^2},$$

for some polynomial $r\in R_2$. It is enough to show that $\varphi (r)=0$. Polynomial division gives

$$\begin{array}{c}\hfill r=r_1{e}_1+r_2{e}_2,\end{array}$$ 4

for some polynomials $r_i\in R_2$. Concretely, the polynomials $r_i$ are obtained as the output of the one-line Mathematica command

$$\text{PolynomialReduce}[r,\{e_1,e_2\},\{x_1,x_2,y_1,y_2\}].$$

The result now follows from the kernel property and (4); $e(P_1)=e(P_2)=0$ implies $\varphi (r)=0$, giving $e(P_1{\oplus }_0{P}_2)=0$.    $\square$

Mathematica’s PolynomialReduce is an implementation of a naive multivariate division algorithm [CLO92]. In particular, our approach does not require the use of Gröbner bases until Sect. 5.3. We write

$$r\equiv r^{\prime }modS,$$

where $r-r^{\prime }$ is a rational function and S is a set of polynomials, to indicate that the numerator of $r-r^{\prime }$ has zero remainder when reduced by polynomial division with respect to S using PolynomialReduce. We also require the denominator of $r-r^{\prime }$ to be invertible in the localized polynomial ring. The zero remainder will give $\varphi (r)=\varphi (r^{\prime })$ in each application. We extend the notation to n-tuples

$$(r_1,\dots ,r_n)\equiv (r_1^{\prime },\dots ,r_n^{\prime })modS,$$

to mean $r_i\equiv r_i^{\prime }modS$ for each i. Using this approach, most of the proofs in this article almost write themselves.

Associativity

This next step (associativity) is generally considered the hardest part of the verification of the group law on curves. Our proof is two lines and requires little more than polynomial division. The polynomials ${\delta }_x,{\delta }_y$ appear as denominators in the addition rule. The polynomial denominators ${\Delta }_x,{\Delta }_y$ that appear when we add twice are more involved. Specifically, let $(x_3^{\prime },y_3^{\prime })=(x_1,y_1){\oplus }_0(x_2,y_2)$, let $(x_1^{\prime },y_1^{\prime })=(x_2,y_2){\oplus }_0(x_3,y_3)$, and set

$${\Delta }_x={\delta }_x(x_3^{\prime },y_3^{\prime },x_3,y_3){\delta }_x(x_1,y_1,x_1^{\prime },y_1^{\prime }){\delta }_{12}{\delta }_{23}\in R_3.$$

Define ${\Delta }_y$ analogously.

Lemma 4

(generic associativity). Let $\varphi :R_3[\frac{1}{{\Delta }_x{\Delta }_y}]\to A$ be a homomorphism with $z_i\mapsto P_i$. If $e(P_1)=e(P_2)=e(P_3)=0$, then

$$(P_1{\oplus }_0{P}_2){\oplus }_0{P}_3=P_1{\oplus }_0(P_2{\oplus }_0{P}_3).$$

Proof

By polynomial division in the ring $R_3[\frac{1}{{\Delta }_x{\Delta }_y}]$

$$\begin{array}{c}\hfill ((x_1,y_1){\oplus }_0(x_2,y_2)){\oplus }_0(x_3,y_3)\equiv (x_1,y_1){\oplus }_0((x_2,y_2){\oplus }_0(x_3,y_3))mod\{e_1,e_2,e_3\}.\end{array}$$

   $\square$

Group Law for Affine Curves

Lemma 5

(affine closure). Let $\varphi :R_2\to k$ be a homomorphism into a field k. If $\varphi (\delta )=e(P_1)=e(P_2)=0$, then either $\overline{d}$ or $\overline{c}\overline{d}$ is a nonzero square in k.

The lemma is sometimes called completeness, in conflict with the usual definition of complete varieties in algebraic geometry. To avoid possible confusion, we avoid this terminology. We use the lemma in contrapositive form to give conditions on $\overline{d}$ and $\overline{c}\overline{d}$ that imply $\varphi (\delta )\ne 0$.

Proof

Let $r=(1-cd{y}_1^2{y}_2^2)(1-d{y}_1^2{x}_2^2)$. We have

$$\begin{array}{c}\hfill r=d^2{y}_1^2{y}_2^2{x}_2^2{e}_1+(1-d{y}_1^2)\delta -d{y}_1^2{e}_2.\end{array}$$ 5

This forces $\varphi (r)=0$, which by the form of r implies that $\overline{c}\overline{d}$ or $\overline{d}$ is a nonzero square.    $\square$

We are ready to state and prove one of the main results of this article. This group law is expressed generally enough to include the group law on the circle and ellipse as a special case $\overline{d}=0$.

Theorem 1

(group law). Let k be a field, let $\overline{c}\in k$ be a square, and let $\overline{d}\notin k^{\times 2}$. Then

$$C=\{P\in k^2\mid e(P)=0\}$$

is an abelian group with binary operation ${\oplus }_0$.

Proof

This follows directly from the earlier results. For example, to check associativity of $P_1{\oplus }_0{P}_2{\oplus }_0{P}_3$, where $P_i\in C$, we define a homomorphism $\varphi :R_3\to k$ sending $z_i\mapsto P_i$ and $(c,d)\mapsto (\overline{c},\overline{d})$. By a repeated use of the affine closure lemma, $\varphi ({\Delta }_y{\Delta }_x)$ is nonzero and invertible in the field k. The universal property of localization extends $\varphi$ to a homomorphism $\varphi :R_3[\frac{1}{{\Delta }_y{\Delta }_x}]\to k$. By the associativity lemma applied to $\varphi$, we obtain the associativity for these three (arbitrary) elements of C. The other group axioms follow similarly from the lemmas on closure, inverse, and affine closure.    $\square$

The Mathematica calculations in this section are fast. For example, the associativity certificate takes about 0.12 s to compute on a 2.13 GHz processor.

Formalization in Isabelle/HOL

In this section, we describe the proof implementation in Isabelle/HOL. We have formalized the two main theorems (Theorem 1 and Theorem 2). Formalization uses two different locales: one for the affine and one for the projective case. (The projective case will be discussed in Sect. 5.)

Let k be the underlying curve field. k is introduced as the type class field with the assumption that $2\ne 0$ (characteristic different from 2). This is not included in the simplification set, but used when needed during the proof. The formalized theorem is slightly less general than then informal statement, because of this restriction.

Affine Edwards Curves

The formal proof fixes the curve parameters $c,d\in k$ (dropping the bar accents from notation). The group addition ${\oplus }_0$ (of Eq. 2) can be written as in Fig. 1. In Isabelle’s division ring theory, the result of division by zero is defined as zero. This has no impact on validity of final results, but gives cleaner simplifications in some proofs.

Fig. 1.

Definition of ${\oplus }_0$ in Isabelle/HOL

Most of the proofs in this section are straight-forward. The only difficulty was to combine the Mathematica certificates of computation, into a single process in Isabelle.

In Fig. 2, we show an excerpt of the proof of associativity. We use the following abbreviations:

$$e_i=x_i^2+c\ast y_i^2-1-d\ast x_i^2\ast y_i^2$$

where $e_i=0$, since the involved points lie on the curve and

$$\text{gxpoly}={((p_1{\oplus }_0{p}_2){\oplus }_0{p}_3-p_1{\oplus }_0(p_2\oplus p_3))}_1\ast {\Delta }_x$$

which stands for a normalized version of the associativity law after clearing denominators. We say that points are summable, if the rational functions defining their sum have nonzero denominators. Since the points $p_i$ are assumed to be summable, ${\Delta }_x\ne 0$. As a consequence, the property stated in Fig. 2 immediately implies that associativity holds in the first component of the addition.

Fig. 2.

An excerpt of the proof of associativity

Briefly, the proof unfolds the relevant definitions and then normalizes to clear denominators. The remaining terms of ${\Delta }_x$ are then distributed over addends. The unfolding and normalization of addends is repeated in the lemmas simp1gx and simp2gx. Finally, the resulting polynomial identity is proved using the algebra method. Note that no computation was required from an external tool.

The rewrite tactic, which can modify a goal with various rewrite rules in various locations (specified with a pattern), is used to normalized terms [NT14]. Rewriting in the denominators is sufficient for our needs.

For proving the resulting polynomial expression, the algebra proof method is used [CW07, Cha08, Wen19]. Given $e_i(x),p_{\mathit{ij}}(x),a_i(x)\in R[x_1,\dots ,x_n]$, where R is a commutative ring and $x=(x_1,\dots ,x_n)$, the method verifies formulas

$$\forall x.\underset{i=1}{\overset{L}{\bigwedge }}{e}_i(x)=0\to \exists y.\underset{i=1}{\overset{M}{\bigwedge }}\left(a_i(x)=\sum _{j=1}^N{p}_{\mathit{ij}}(x)y_j\right)$$

The method is complete for such formulas that hold over all commutative rings with unit [Har07].

Group Law for Projective Edwards Curves

By proving the group laws for a large class of elliptic curves, Theorem 1 is sufficiently general for many applications to cryptography. Nevertheless, to achieve full generality, we push forward.

This section shows how to remove the restriction $\overline{d}\notin k^{\times 2}$ that appears in the group law in the previous section. By removing this restriction, we obtain a new proof of the group law for all elliptic curves in characteristics different from 2. Unfortunately, in this section, some case-by-case arguments are needed, but no hard cases are hidden from the reader. The level of exposition here is less elementary than in the previous section. Again, we include proofs, because our approach is designed with formalization in mind and has not been previously published.

The basic idea of our construction is that the projective curve E is obtained by gluing two affine curves $E_{\text{aff}}$ together. The associative property for E is a consequence of the associative property on affine pieces $E_{\text{aff}}$, which can be expressed as polynomial identities.

Definitions

In this section, we assume that $c\ne 0$ and that c and d are both squares. Let $t^2=d/c$. By a change of variable $y\mapsto y/\sqrt{c}$, the Edwards curve takes the form

$$\begin{array}{c}\hfill e(x,y)=x^2+y^2-1-t^2{x}^2{y}^2.\end{array}$$ 6

We assume $t^2\ne 1$. Note if $t^2=1$, then the curve degenerates to a product of intersecting lines, which cannot be a group. We also assume that $t\ne 0$, which only excludes the circle, which has already been fully treated. Shifting notation for this new setting, let

$$R_0=\mathbb{Z}[t,\frac{1}{t^2-1},\frac{1}{t}],R_n=R_0[x_1,y_1,\dots ,x_n,y_n].$$

As before, we write $e_i=e(z_i)$, $z_i=(x_i,y_i)$, and $e(P_i)=\varphi (e_i)$ when a homomorphism $\varphi$ is given.

Define rotation by $\rho (x,y)=(-y,x)$ and inversion $\tau$ by

$$\tau (x,y)=(1/(tx),1/(ty)).$$

Let G be the abelian group of order eight generated by $\rho$ and $\tau$.

Extended Addition

We extend the binary operation ${\oplus }_0$ using the automorphism $\tau$. We also write ${\delta }_0$ for $\delta$, ${\nu }_0$ for $\nu$ and so forth.

Set

$$\begin{array}{c}\hfill z_1{\oplus }_1{z}_2:=\tau ((\tau z_1){\oplus }_0{z}_2)=\left(\frac{x_1{y}_1-x_2{y}_2}{x_2{y}_1-x_1{y}_2},\frac{x_1{y}_1+x_2{y}_2}{x_1{x}_2+y_1{y}_2}\right)=(\frac{{\nu }_{1x}}{{\delta }_{1x}},\frac{{\nu }_{1y}}{{\delta }_{1y}})\end{array}$$ 7

in $R_2{[\frac{1}{{\delta }_1}]}^2$ where ${\delta }_1={\delta }_{1x}{\delta }_{1y}$.

We have the following easy identities of rational functions that are proved by simplification of rational functions:

$$\begin{array}{cc}\hfill \mathit{inversion\; invariance}:\tau (z_1){\oplus }_i{z}_2& =z_1{\oplus }_i\tau z_2;\hfill \end{array}$$ 8

$$\begin{array}{c}\hfill \mathit{rotation\; invariance}:\begin{array}{cc}\hfill \rho (z_1){\oplus }_i{z}_2& =\rho (z_1{\oplus }_i{z}_2);\hfill \\ \hfill {\delta }_i(z_1,\rho z_2)& =\pm {\delta }_i(z_1,z_2);\hfill \end{array}\end{array}$$ 9

$$\begin{array}{c}\hfill \mathit{inverses\; for}\sigma =\tau ,\rho :\begin{array}{cc}\hfill \iota \sigma (z_1)& ={\sigma }^{-1}\iota (z_1);\hfill \\ \hfill \iota (z_1{\oplus }_i{z}_2)& =(\iota z_1){\oplus }_i(\iota z_2).\hfill \end{array}\end{array}$$ 10

$$\begin{array}{c}\hfill \mathit{coherence}:\begin{array}{cc}\hfill z_1{\oplus }_0{z}_2\equiv z_1{\oplus }_1{z}_2& mod\{e_1,e_2\};\hfill \\ \hfill e(z_1{\oplus }_1{z}_2)\equiv 0& mod\{e_1,e_2\}.\hfill \end{array}\end{array}$$ 11

The first identity of (11) inverts ${\delta }_0{\delta }_1$, and the second inverts ${\delta }_1$. Proofs of (11) use polynomial division.

Projective Curve and Dichotomy

Let k be a field of characteristic different from two. We let $E_{\text{aff}}$ be the set of zeros of Eq. (6) in $k^2$. Let $E^{\circ }\subset E_{\text{aff}}$ be the subset of $E_{\text{aff}}$ with nonzero coordinates $x,y\ne 0$.

We construct the projective Edwards curve E by taking two copies of $E_{\text{aff}}$, glued along $E^{\circ }$ by isomorphism $\tau$. We write $[P,i]\in E$, with $i\in \mathbb{Z}/2\mathbb{Z}={\mathbb{F}}_2$, for the image of $P\in E_{\text{aff}}$ in E using the ith copy of $E_{\text{aff}}$. The gluing condition gives for $P\in E^{\circ }$:

$$\begin{array}{c}\hfill [P,i]=[\tau P,i+1].\end{array}$$ 12

The group G acts on the set E, specified on generators $\rho ,\tau$ by $\rho [P,i]=[\rho (P),i]$ and $\tau [P,i]=[P,i+1]$.

We define addition on E by

$$\begin{array}{c}\hfill [P,i]\oplus [Q,j]=[P{\oplus }_{\ell }Q,i+j],\text{if}{\delta }_{\ell }(P,Q)\ne 0,\ell \in {\mathbb{F}}_2\end{array}$$ 13

We will show that the addition is well-defined, is defined for all pairs of points in E, and that it gives a group law with identity element [(1, 0), 0]. The inverse is $[P,i]\mapsto [\iota P,i]$, which is well-defined by the inverse rules (10).

Lemma 6

G acts without fixed point on $E^{\circ }$. That is, $gP=P$ implies that $g=1_G\in G$.

Proof

Write $P=(x,y)$. If $g={\rho }^k\ne 1_G$, then $gP=P$ implies that $2x=2y=0$ and $x=y=0$ (if the characteristic is not two), which is not a point on the curve. If $g=\tau {\rho }^k$, then the fixed-point condition $gP=P$ leads to $2txy=0$ or $t{x}^2=t{y}^2=\pm 1$. Then $e(x,y)=2(\pm 1-t)/t\ne 0$, and again P is not a point on the curve.    $\square$

The domain of ${\oplus }_i$ is

$$E_{\text{aff},i}:=\{(P,Q)\in E_{\text{aff}}^2\mid {\delta }_i(P,Q)\ne 0\}.$$

Whenever we write $P{\oplus }_{i}Q$, it is always accompanied by the implicit assertion of summability; that is, $(P,Q)\in E_{\text{aff},i}$.

There is a group isomorphism $⟨\rho ⟩\to E_{\text{aff}}\backslash E^{\circ }$ given by

$$g\mapsto g(1,0)\in \{\pm (1,0),\pm (0,1)\}=E_{\text{aff}}\backslash E^{\circ }.$$

Lemma 7

(dichotomy). Let $P,Q\in E_{\text{aff}}$. Then either $P\in E^{\circ }$ and $Q=g\iota P$ for some $g\in \tau ⟨\rho ⟩$, or $(P,Q)\in E_{\text{aff},i}$ for some i. Moreover, assume that $P{\oplus }_{i}Q=(1,0)$ for some i, then $Q=\iota P$.

Proof

We start with the first claim. We analyze the denominators in the formulas for ${\oplus }_i$. We have $(P,Q)\in E_{\text{aff},0}$ for all P or $Q\in E_{\text{aff}}\backslash E^{\circ }$. That case completed, we may assume that $P,Q\in E^{\circ }$. Assuming

$${\delta }_0(P,Q)={\delta }_{0x}(P,Q){\delta }_{0y}(P,Q)=0,\text{and}{\delta }_1(P,Q)={\delta }_{1x}(P,Q){\delta }_{1y}(P,Q)=0,$$

we show that $Q=g\iota P$ for some $g\in \tau ⟨\rho ⟩$. Replacing Q by $\rho Q$ if needed, which exchanges ${\delta }_{0x}\leftrightarrow {\delta }_{0y}$, we may assume that ${\delta }_{0x}(P,Q)=0$. Set $\tau Q=Q_0=(a_0,b_0)$ and $P=(a_1,b_1)$.

We claim that

$$\begin{array}{c}\hfill (a_0,b_0)\in \{\pm (b_1,a_1)\}\subset ⟨\rho ⟩\iota P.\end{array}$$ 14

We describe the main polynomial identity that must be verified. Write ${\delta }^{\prime },{\delta }_{+},{\delta }_{-}$ for $x_0{y}_0{\delta }_{0x}$, $t{x}_0{y}_0{\delta }_{1x}$, and $t{x}_0{y}_0{\delta }_{1y}$ respectively, each evaluated at $(P,\tau (Q_0))=(x_1,y_1,1/(t{x}_0),1/(t{y}_0))$. The nonzero factors $x_0{y}_0$ and $t{x}_0{y}_0$ have been included to clear denominators, leaving us with polynomials.

We have two cases ±, according to ${\delta }_{\pm }=0$. In each case, let

We have

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill (x_0^2-y_1^2,y_0^2-x_1^2,x_0{y}_0-x_1{y}_1)& \equiv (0,0,0)mod{S}_{+}\hfill \\ \hfill (2x_0{y}_0(x_0^2-y_1^2),2(1-t^2)x_0{y}_0(y_0^2-x_1^2),x_0{y}_0-x_1{y}_1)& \equiv (0,0,0)mod{S}_{-}.\hfill \end{array}\end{array}$$ 15

In fact, ${\delta }^{\prime }=x_0{y}_0-x_1{y}_1$, so that the ideal membership for this polynomial is immediate. The factors 2, $1-t^2$, and $x_0{y}_0$ are nonzero and can be removed from the left-hand side. These equations then immediately yield $(a_0,b_0)=\pm (b_1,a_1)$. This gives the needed identity: $\tau Q=Q_0=(a_0,b_0)=g\iota P$, for some $g\in ⟨\rho ⟩$. Then $Q=\tau g\iota P$.

The second statement of the lemma has a similar proof. Polynomial division gives for $i\in {\mathbb{F}}_2$:

In fact, both $x_1-x_2$ and $y_1+y_2$ (which specify the condition $Q=\iota P$) are already members of the Gröbner basis. The fresh variables $q_x,q_y$ force the denominators ${\delta }_{\mathit{ix}}$ and ${\delta }_{\mathit{iy}}$ to be invertible. Here the equations ${\nu }_{\mathit{iy}}={\nu }_{\mathit{ix}}-{\delta }_{\mathit{ix}}=0$ specify the sum $(1,0)=({\nu }_{\mathit{ix}}/{\delta }_{\mathit{ix}},{\nu }_{\mathit{iy}}/{\delta }_{\mathit{iy}})$ of Q and P.    $\square$

Lemma 8

(covering). The rule (13) defining $\oplus$ assigns at least one value for every pair of points in E.

Proof

If $Q=\tau {\rho }^k\iota P$, then $\tau Q$ does not have the form $\tau {\rho }^k\iota P$ because the action of G is fixed-point free. By dichotomy,

$$\begin{array}{c}\hfill [P,i]\oplus [Q,j]=[P{\oplus }_{\ell }\tau Q,i+j+1]\end{array}$$ 16

works for some $\ell$. Otherwise, by dichotomy $P{\oplus }_{\ell }Q$ is defined for some $\ell$.    $\square$

Lemma 9

(well-defined). Addition $\oplus$ given by (13) on E is well-defined.

Proof

The right-hand side of (13) is well-defined by coherence (11), provided we show well-definedness across gluings (12). We use dichotomy. If $Q=\tau {\rho }^k\iota P$, then by an easy simplification of polynomials,

$${\delta }_0(z,\tau {\rho }^k\iota z)={\delta }_1(z,\tau {\rho }^k\iota z)=0.$$

so that only one rule (16) for $\oplus$ applies (up to coherence (11) and inversion (8)), making it necessarily well-defined. Otherwise, coherence (11), inversion (8), and (7)) give when $[Q,j]=[\tau Q,j+1]$:

$$[P{\oplus }_k\tau Q,i+j+1]=[\tau (P{\oplus }_k\tau Q),i+j]=[P{\oplus }_{k+1}Q,i+j]=[P{\oplus }_{\ell }Q,i+j].$$

   $\square$

Group Law

Theorem 2

E is an abelian group.

Proof

We have already shown the existence of an identity and inverse.

We prove associativity. Both sides of the associativity identity are clearly invariant under shifts $[P,i]\mapsto [P,i+j]$ of the indices. Thus, it is enough to show

$$[P,0]\oplus ([Q,0]\oplus [R,0])=([P,0]\oplus [Q,0])\oplus [R,0].$$

By polynomial division, we have the following associativity identities

$$\begin{array}{c}\hfill (z_1{\oplus }_k{z}_2){\oplus }_{\ell }{z}_3\equiv z_1{\oplus }_i(z_2{\oplus }_j{z}_3)mod\{e_1,e_2,e_3\}\end{array}$$ 17

in the appropriate localizations, for $i,j,k,\ell \in {\mathbb{F}}_2$.

Note that $(g[P_1,i])\oplus [P_2,j]=g([P_1,i]\oplus [P_2,j])$ for $g\in G$, as can easily be checked on generators $g=\tau ,\rho$ of G, using dichotomy, (13), and (9). We use this to cancel group elements g from both sides of equations without further comment.

We claim that

$$\begin{array}{c}\hfill ([P,0]\oplus [Q,0])\oplus [\iota Q,0]=[P,0].\end{array}$$ 18

The special case $Q=\tau {\rho }^k\iota (P)$ is easy. We reduce the claim to the case where $P{\oplus }_{\ell }Q\ne \tau {\rho }^{k}Q$, by applying $\tau$ to both sides of (18) and replacing P with $\tau P$ if necessary. Then by dichotomy, the left-hand side simplifies by affine associativity 17 to give the claim.

Finally, we have general associativity by repeated use of dichotomy, which reduces in each case to (17) or (18).    $\square$

Formalization in Isabelle/HOL of Projective Edwards Curves

Following the change of variables performed in Sect. 5.1, it is assumed that $c=1$ and $d=t^2$ where $t\ne -1,0,1$. The resulting formalization is more challenging. In the following, some key insights are emphasized.

Gröbner Basis. The proof of Lemma 7 (dichotomy) requires solving particular instances of the ideal membership problem. Formalization caught and corrected some ideal membership errors in [Hal16], which resulted from an incorrect interpretation of computer algebra calculations. For instance, a goal

$$\exists r_1{r}_2{r}_3{r}_4.y_0^2-x_1^2=r_{1}e(x_0,y_0)+r_{2}e(x_1,y_1)+r_3{\delta }^{\prime }+r_4{\delta }_{-}$$

(derived from [Hal16]) had to be corrected to

$$\exists r_1{r}_2{r}_3{r}_4.2x_0{y}_0(y_0^2-x_1^2)=r_{1}e(x_0,y_0)+r_{2}e(x_1,y_1)+r_3{\delta }^{\prime }+r_4{\delta }_{-}$$

to prove (15). In another subcase, it was necessary to strengthen the hypothesis ${\delta }_{+}=0$ to ${\delta }_{-}\ne 0$. Eventually, after some reworking, algebra solved the required ideal membership problems.

Definition of the Group Addition. We defined the addition in three stages. This is convenient for some lemmas like covering (Lemma 8). First, we define the addition on projective points (Fig. 3). Then, we add two classes of points by applying the basic addition to any pair of points coming from each class. Finally, we apply the gluing relation and obtain as a result a set of classes with a unique element, which is then defined as the resulting class (Fig. 4).

Fig. 3.

Definition of $\oplus$ on points

Fig. 4.

Definition of $\oplus$ on classes

The definitions use Isabelle’s ability to encode partial functions. However, it is possible to obtain an equivalent definition more suitable for execution. In particular, it is easy to compute the gluing relation (see lemmas e_proj_elim_1, e_proj_elim_2 and e_proj_aff in the formalization scripts).

Finally, since projective addition works with classes, we had to show that its definition does not depend on the representative used.

Proof of Associativity. During formalization, we found several relations between $\delta$ expressions (see Table 1). While they were proven in order to show associativity, the upper group can rather be used to establish the independence of class representative and the lower group is crucial to establish the associativity law.

Table 1.

List of $\delta$ relations

In particular, the lower part of the table is fundamental to the formal proof of Eq. (18). In more detail, the formal proof development showed that it was necessary to perform a dichotomy (Lemma 7) three times. The first dichotomy is performed on P, Q. The non-summable case was easy. Therefore, we set $R=P\oplus Q$. On each of the resulting branches, a dichotomy on R, $\iota Q$ is performed. This time the summable cases were easy, but the non-summable case required a third dichotomy on $R,\tau \iota Q$. The non-summable case was solved using the no-fixed-point theorem but for the summable subcases the following expression is obtained:

$$([P,0]\oplus [Q,0])\oplus [\tau \iota Q,0]=[(P\oplus Q)\oplus \tau \iota Q,0]$$

Here we cannot invoke associativity because Q, $\tau \iota Q$ are non-summable (lemma not_add_self). Instead, we use the equations from the lower part of the table and the hypothesis of the second dichotomy to get a contradiction.

Conclusion

We have shown that Isabelle can encompass the process of defining, computing and certifying intensive algebraic calculations. The encoding in a proof-assistant allows a better comprehension of the methods used and helps to clarify its structure.