]>
Alternative Elliptic Curve Representations
Struik Security Consultancy
rstruik.ext@gmail.com
lwig
Draft
This document specifies how to represent Montgomery curves and (twisted) Edwards curves as curves in short-Weierstrass form and illustrates how this can be used to
carry out elliptic curve computations using existing implementations of, e.g., ECDSA and ECDH using NIST prime curves.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC 2119.
It is well-known that elliptic curves can be represented using different curve models. Recently, IETF standardized elliptic curves that are claimed to have better performance
and improved robustness against "real world" attacks than curves represented in the traditional "short" Weierstrass model. This document specifies an alternative representation of
points of Curve25519, a so-called Montgomery curve, and of points of Edwards25519, a so-called twisted Edwards curve, which are both specified in ,
as points of a specific so-called "short" Weierstrass curve, called Wei25519. We also define how to efficiently switch between these different representations.
Use of Wei25519 allows easy definition of new signature schemes and key agreement schemes already specified for traditional NIST prime curves, thereby allowing easy
integration with existing specifications, such as NIST SP 800-56a, FIPS Pub 186-4, and
ANSI X9.62-2005, and fostering code reuse on platforms that already implement some of these schemes using elliptic curve arithmetic for curves
in "short" Weierstrass form (see ).
For the specification of Wei25519 and its relationship to Curve25519 and Edwards25519, see .
For further details and background information on elliptic curves, we refer to the other appendices.
The use of Wei25519 allows reuse of existing generic code that implements short-Weierstrass curves, such as the NIST curve P-256, to also implement the CFRG curves Curve25519 and
Edwards25519. We also cater to reusing of existing code where some domain parameters may have been hardcoded, thereby widening the scope of applicability. To this end, we specify the
short-Weierstrass curves Wei25519.2 and Wei25519.-3, with hardcoded domain parameter a=2 and a=-3 (mod p), respectively; see . (Here, p is the characteristic of the field over which these curves are defined.)
The curves Curve25519, Edwards25519, and Wei25519, as specified in , are all isomorphic, with the transformations of .
These transformations map the specified base point of each of these curves to the specified base point of each of the other curves. Consequently, a public-private key pair (k,R:=k*G) for any one of these curves corresponds, via these isomorphic mappings, to the public-private key pair (k, R':=k*G') for each of these other curves (where G and G' are the corresponding
base points of these curves). This observation extends to the case where one also considers curve Wei25519.2 (which has hardcoded domain parameter a=2), as specified in
, since it is isomorphic to Wei25519, with the transformation of , and, thereby, also isomorphic to
Curve25519 and Edwards25519.
The curve Wei25519.-3 (which has hardcoded domain parameter a=-3 (mod p)) is not isomorphic to the curve Wei25519, but is related in a slightly weaker sense: the curve Wei25519 is isogenous to the curve Wei25519.-3, where the mapping of is an isogeny of degree l=47 that maps the specified base point G of Wei25519 to the specified base point G' of Wei25519.-3 and where the so-called dual isogeny (which maps Wei25519.-3 to Wei25519) has the same degree l=47, but does not map G' to G, but to a fixed multiple hereof, where this multiple is l=47. Consequently, a public-private key pair (k,R:=k*G) for Wei25519 corresponds to the public-private key pair (k, R':= k*G') for Wei25519.-3 (via the l-isogeny), whereas the public-private key pair (k, R':=k*G') corresponds to the public-private key pair (l*k, l*R=l*k*G) of Wei25519 (via the dual isogeny).
(Note the extra scalar l=47 here.)
Alternative curve representations can, therefore, be used in any cryptographic scheme that involves computations on public-private key pairs, where implementations may carry out
computations on the corresponding object for the isomorphic or isogenous curve and convert the results back to the original curve (where, in case this involves an l-isogeny, one has
to take into account the factor l). This includes use with elliptic-curve based signature schemes and key agreement and key transport schemes.
For some examples of curve computations on each of the curves specified in and , see .
RFC 7748 specifies the use of X25519, a co-factor Diffie-Hellman key agreement scheme, with instantiation by the Montgomery curve Curve25519.
This key agreement scheme was already specified in Section 6.1.2.2 of NIST SP 800-56a for elliptic curves
in short Weierstrass form. Hence, one can implement X25519 using existing NIST routines by (1) representing a point of the Montgomery curve Curve25519 as a point of
the Weierstrass curve Wei25519; (2) instantiating the co-factor Diffie-Hellman key agreement scheme of the NIST specification with the resulting point and Wei25519 domain
parameters; (3) representing the key resulting from this scheme (which is a point of the curve Wei25519 in Weierstrass form) as a point of the Montgomery curve Curve25519.
The representation change can be implemented via a simple wrapper and involves a single modular addition (see ). Using this method has the
additional advantage that one can reuse the public-private key pair routines, domain parameter validation, and other checks that are already part of the NIST specifications.
A NIST-compliant version of co-factor Diffie-Hellman key agreement (denoted by ECDH25519) results if one keeps inputs (key contributions) and outputs (shared key) in the
short-Weierstrass format (and, hence, does not perform Step (3) above).
NOTE: At this point, it is unclear whether this implies that a FIPS-accredited module implementing co-factor Diffie-Hellman for, e.g., P-256 would also extend this accreditation
to X25519.
RFC 8032 specifies Ed25519, a "full" Schnorr signature scheme, with instantiation by the twisted Edwards curve Edwards25519. One can implement
the computation of the ephemeral key pair for Ed25519 using an existing Montgomery curve implementation by (1) generating a public-private key pair (k, R':=k*G') for Curve25519;
(2) representing this public-private key as the pair (k, R:=k*G) for Ed25519. As before, the representation change can be implemented via a simple wrapper. Note that the
Montgomery ladder specified in Section 5 of RFC7748 does not provide sufficient information to reconstruct R':=(u, v) (since it does not compute
the v-coordinate of R'). However, this deficiency can be remedied by using a slightly modified version of the Montgomery ladder that includes reconstruction of the v-coordinate
of R':=k*G' at the end of hereof (which uses the v-coordinate of the base point of Curve25519 as well). For details, see .
FIPS Pub 186-4 specifies the signature scheme ECDSA and can be instantiated not just with the NIST prime curves, but also with other
Weierstrass curves (that satisfy additional cryptographic criteria). In particular, one can instantiate this scheme with the Weierstrass curve Wei25519 and the hash function
SHA-256, where an implementation may generate an ephemeral public-private key pair for Wei25519 by (1) internally carrying out these computations on the Montgomery curve
Curve25519, the twisted Edwards curve Edwards25519, or even the Weierstrass curve Wei25519.-3 (with hardcoded a=-3 domain parameter); (2) representing the result as a key pair
for the curve Wei25519. Note that, in either case, one can implement these schemes with the same representation conventions as used with existing NIST specifications, including
bit/byte-ordering, compression functions, and the-like. This allows generic implementations of ECDSA with the hash function SHA-256 and with the NIST curve P-256 or with the
curve Wei25519 specified in this specification to reuse the same implementation (instantiated with, respectively, the NIST P-256 elliptic curve domain parameters or with the
domain parameters of curve Wei25519 specified in ).
Any existing specification of cryptographic schemes using elliptic curves in Weierstrass form and that allows introduction of a new elliptic curve (here: Wei25519) is
amenable to similar constructs, thus spawning "offspring" protocols, simply by instantiating these using the new curve in "short" Weierstrass form, thereby allowing code
and/or specifications reuse and, for implementations that so desire, carrying out curve computations "under the hood" on Montgomery curve and twisted Edwards curve cousins
hereof (where these exist). This would simply require definition of a new object identifier for any such envisioned "offspring" protocol. This could significantly simplify
standardization of schemes and help keeping the resource and maintenance cost of implementations supporting algorithm agility at bay.
The examples above illustrate how specifying the Weierstrass curve Wei25519 (or any curve in short-Weierstrass format, for that matter) may facilitate reuse of existing code
and may simplify standards development. However, the following caveats apply:
Wire format. The transformations between alternative curve representations can be implemented at negligible relative incremental cost if the curve points are
represented as affine points. If a point is represented in compressed format, conversion usually requires a costly point decompression step. This is the case in
, where the inputs to the co-factor Diffie-Hellman scheme X25519, as well as its output, are represented in u-coordinate-only format.
This is also the case in , where the EdDSA signature includes the ephemeral signing key represented in compressed format
(see for details);
Representation conventions. While elliptic curve computations are carried-out in a field GF(q) and, thereby, involve large integer arithmetic, these integers are
represented as bit- and byte-strings. Here, uses least-significant-byte (LSB)/least-significant-bit (lsb) conventions, whereas
uses LSB/most-significant-bit (msb) conventions, and where most other cryptographic specifications, including NIST SP800-56a
, FIPS Pub 186-4 , and ANSI X9.62-2005 use MSB/msb conventions.
Since each pair of conventions is different (see for details and for examples), this does necessitate
bit/byte representation conversions;
Domain parameters. All traditional NIST curves are Weierstrass curves with domain parameter a=-3, while all Brainpool curves are isomorphic to a
Weierstrass curve of this form. Thus, one can expect there to be existing Weierstrass implementations with a hardcoded a=-3 domain parameter ("Jacobian-friendly"). For those
implementations, including the curve Wei25519 as a potential vehicle for offering support for the CFRG curves Curve25519 and Edwards25519 is not possible, since not of the
required form. Instead, one has to implement Wei25519.-3 and include code that implements the isogeny and dual isogeny from and to Wei25519. This isogeny has degree l=47 and
requires roughly 9kB of storage for isogeny and dual-isogeny computations (see the tables in ). Note that storage would have reduced to a
single 64-byte table if only the curve would have been generated so as to be isomorphic to a Weierstrass curve with hardcoded a=-3 parameter (this corresponds to l=1).
NOTE 1: An example of a Montgomery curve defined over the same field as Curve25519 that is isomorphic to a Weierstrass curve with hardcoded a=-3
parameter is the Montgomery curve M_{A,B} with B=1 and A=-1410290 (or, if one wants the base point to still have u-coordinate u=9, with B=1 and A=-3960846). In either case,
the resulting curve has the same cryptographic properties as Curve25519 and the same performance (which relies on A being a 3-byte integer, as is the case with the domain
parameter A=486662 of Curve25519, and using the same special prime p=2^255-19), while at the same time being "Jacobian-friendly" by design.
NOTE 2: While an implementation of Curve25519 via an isogenous Weierstrass curve with domain parameter a=-3 requires a relatively large table (of size roughly 9kB), for the
quadratic twist of Curve25519 (i.e., the Montgomery curve M_{A,B'} with A=486662 and B'=2) this implementation approach only requires a table of size less than
0.5kB (over 20x smaller), solely due to the fact that it is l-isogenous to a Weierstrass curve with a=-3 parameter with relatively small parameter l=2 (compared to l=47, as is
the case with Curve25519 itself).

The efficiency of elliptic curve arithmetic is primarily determined by the efficiency of its group operations (see ). Numerous optimized formulae exist, such as the use of so-called Montgomery ladders with Montgomery curves or with Weierstrass curves , the use of hardcoded a=-3 domain parameter for Weierstrass curves , and the use of hardcoded a=-1 domain parameters for twisted Edwards curves . These all target reduction of the number of finite field operations (primarily, finite field multiplications and squarings). Other optimizations target more efficient modular reductions underlying these finite field operations, by specifying curves defined over a field GF(q), where the field size q has a special form or a specific bit-size (typically, close to a multiple of a machine word). Depending on the implementation strategy, the bit-size of q may also facilitate reduced so-called "carry-effects" of integer arithmetic.
Most curves use a combination of these design philosophies. All NIST curves and Brainpool curves are Weierstrass curves with a=-3 domain parameter, thus facilitating more efficient elliptic curve group operations (via so-called Jacobian coordinates). The NIST curves and the Montgomery curve Curve25519 are defined over prime fields, where the prime number has a special form, whereas the Brainpool curves - by design - use a generic prime number. None of the NIST curves, nor the Brainpool curves, can be expressed as Montgomery or twisted Edwards curves, whereas - conversely - Montgomery curves and twisted curves can be expressed as Weierstrass curves.
While use of Wei25519 allows reuse of existing generic code that implements short Weierstrass curves, such as the NIST curve P-256, to also implement the CFRG curves Curve25519 or Edwards25519, this obviously does not result in an implementation of these CFRG curves that exploits the specific structure of the underlying field or other specific domain parameters (since generic). Reuse of generic code, therefore, may result in a less computationally efficient curve implementation than would have been possible if the implementation had specifically targeted Curve25519 or Edwards25519 alone (with the overall cost differential estimated to be somewhere in the interval [1.00-1.25]). If existing generic code offers hardware support, however, the overall speed may still be larger, since less efficient formulae for curve arithmetic using Wei25519 curves compared to a direct implementation of Curve25519 or Edwards25519 arithmetic may be more than compensated for by faster implementations of the finite field arithmetic itself.
Overall, one should consider not just code reuse and computational efficiency, but also development and maintenance cost, and, e.g, the cost of providing effective implementation attack countermeasures (see also ).
[Note to the RFC Editor] Please remove this entire section before publication, as well as the reference to .
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in . The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.
According to , "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit.
Nikolas Rosener evaluated the performance of switching between different curve models in his Master's thesis . For an implementation of Wei25519, see . For support of this curve in tinydtls, see .
According to , an implementation of Wei25519 on the Kinets LTC ECC HW platform improves the performance by over a factor ten compared to a stand-alone implementation of Curve25519 without hardware support.
The signature scheme ECDSA25519 (see ) is supported in .
The different representations of elliptic curve points discussed in this document are all obtained using a publicly known transformation, which is either an isomorphism or
a low-degree isogeny. It is well-known that an isomorphism maps elliptic curve points to equivalent mathematical objects and that the complexity of cryptographic problems
(such as the discrete logarithm problem) of curves related via a low-degree isogeny are tightly related. Thus, the use of these techniques does not negatively impact
cryptographic security of elliptic curve operations.
As to implementation security, reusing existing high-quality code or generic implementations that have been carefully designed to withstand implementation attacks for one
curve model may allow a more economical way of development and maintenance than providing this same functionality for each curve model separately (if multiple curve models
need to be supported) and, otherwise, may allow a more gradual migration path, where one may initially use existing and accredited chipsets that cater to the pre-dominant curve
model used in practice for over 15 years.
Elliptic curves are generally used as objects in a broader cryptographic scheme that may include processing steps that depend on the representation conventions used (such
as with, e.g., key derivation following key establishment). These schemes should (obviously) unambiguously specify fixed representations of each input and output (e.g.,
representing each elliptic curve point always in short-Weierstrass form and in uncompressed tight MSB/msb format).
To prevent cross-protocol attacks, private keys SHOULD only be used with one cryptographic scheme. Private keys MUST NOT be reused between Ed25519 (as specified in
) and ECDSA25519 (as specified in ).
To prevent intra-protocol cross-instantiation attacks, ephemeral private keys MUST NOT be reused between instantiations of ECDSA25519.
The transformations between different curve models described in this document are publicly known and, therefore, do not affect privacy provisions.
The randomized representation described in allows random curve points to be represented as random pairs of field elements, thereby assisting
in obfuscating the presence of these curve points in some applications.
An object identifier is requested for curve Wei25519 and its use with ECDSA and co-factor ECDH, using the representation conventions of this document.
There is *currently* no further IANA action required for this document. New object identifiers would be required in case one wishes to specify one or more of the "offspring"
protocols exemplified in .
This section registers the following value in the IANA "COSE Elliptic Curves" registry .
Wei25519;
TBD (Requested value: -1);
EC2 or OKP (where OKP uses the squeezed MSB/msb representation of this specification);
short-Weierstrass curve Wei25519;
of this specification;
Yes.

(Note that The "kty" value for Wei25519 may be "OKP" or "EC2".)
This section registers the following value in the IANA "COSE Algorithms" registry .
ECDSA25519;
TBD (Requested value: -1);
ECDSA w/ SHA-256 and curve Wei25519;
of this specification;
Yes.

This section registers the following value in the IANA "COSE Algorithms" registry .
ECDH25519;
TBD (Requested value: -2);
NIST-compliant co-factor Diffie-Hellman w/ curve Wei25519 and key derivation function HKDF SHA256;
of this specification (for key derivation, see Section 11.1 of );
Yes.

This section registers the following value in the IANA "JSON Web Key Elliptic Curve" registry .
Wei25519;
short-Weierstrass curve Wei25519;
optional;
IANA;
of this specification.

This section registers the following value in the IANA "JSON Web Signature and Encryption Algorithms" registry .
ECDSA25519;
ECDSA w/ SHA-256 and curve Wei25519;
alg;
optional;
IANA;
of this specification;
of this specification.

This section registers the following value in the IANA "JSON Web Signature and Encryption Algorithms" registry .
ECDH25519;
NIST-compliant co-factor Diffie-Hellman w/ curve Wei25519 and key derivation function HKDF SHA256;
alg;
IANA;
of this specification (for key derivation, see Section 5 of );
of this specification (for key derivation, see Section 5 of ).

Thanks to Nikolas Rosener for discussions surrounding implementation details of the techniques described in this document and to Phillip Hallam-Baker for
triggering inclusion of verbiage on the use of Montgomery ladders with recovery of the y-coordinate. Thanks to Stanislav Smyshlyaev and Vasily Nikolaev for their careful reviews.
Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4
FIPS 186-4
Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)
ANSI X9.62-2005
Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Log Cryptography, Revision 3
NIST SP 800-56a
Recommendation for Key-Derivation Methods in Key-Establishment Schemes, Revision 1
NIST SP 800-56c
SEC 1: Elliptic Curve Cryptography, Version 2.0
SEC1
SEC 2: Elliptic Curve Cryptography, Version 2.0
SEC2
COSE Algorithms
IANA
COSE Elliptic Curves
IANA
JSON Web Signature and Encryption Algorithms
IANA
JSON Web Key Elliptic Curve
IANA
Elliptic Curves in Cryptography
I.F. Blake, G. Seroussi, N.P. Smart
Guide to Elliptic Curve Cryptography
D. Hankerson, A.J. Menezes, S.A. Vanstone
Twisted Edwards Curves Revisited
H. Hisil, K.K.H. Wong, G. Carter, E. Dawson
Evaluating the Performance of Transformations Between Curve Representations in Elliptic Curve Cryptography for Constrained Device Security
N. Rosener
Fast Point Multiplication on Elliptic Curves through Isogenies
E. Brier, M. Joye
Speeding the Pollard and Elliptic Curve Methods of Factorization
P.L. Montgomery
A Fast Parallel Elliptic Curve Multiplication Resistant Against Side Channel Attacks
T. Izu, Ts. Takagi,
Twisted Edwards Curves
D.J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters
Elligator Squared -- Uniform Points on Elliptic Curves of Prime Order as Uniform Random Strings
M. Tibouchi
Efficient Indifferentiable Hashing into Ordinary Elliptic Curves
E. Brier, J-S. Coron, Th. Icart, D. Madore, H. Randriam, M. Tibouchi
Let GF(q) denote the finite field with q elements, where q is an odd prime power and where q is not divisible by three.
Let W_{a,b} be the Weierstrass curve with defining equation Y^2 = X^3 + a*X + b, where a and b are elements of GF(q) and where 4*a^3 + 27*b^2 is nonzero.
The points of W_{a,b} are the ordered pairs (X, Y) whose coordinates are elements of GF(q) and that satisfy the defining equation (the so-called affine points),
together with the special point O (the so-called "point at infinity"). This set forms a group under addition, via the so-called "secant-and-tangent" rule, where
the point at infinity serves as the identity element. See for details of the group operation.
Let GF(q) denote the finite field with q elements, where q is an odd prime power. Let M_{A,B} be the Montgomery curve with defining equation
B*v^2 = u^3 + A*u^2 + u, where A and B are elements of GF(q) and where A is unequal to (+/-)2 and where B is nonzero. The points of M_{A,B} are the ordered pairs (u, v)
whose coordinates are elements of GF(q) and that satisfy the defining equation (the so-called affine points), together with the special point O
(the so-called "point at infinity"). This set forms a group under addition, via the so-called "secant-and-tangent" rule, where the point at infinity
serves as the identity element. See for details of the group operation.
Let GF(q) denote the finite field with q elements, where q is an odd prime power. Let E_{a,d} be the twisted Edwards curve with defining equation
a*x^2 + y^2 = 1+ d*x^2*y^2, where a and d are distinct nonzero elements of GF(q). The points of E_{a,d} are the ordered pairs (x, y) whose
coordinates are elements of GF(q) and that satisfy the defining equation (the so-called affine points). It can be shown that this set forms a
group under addition if a is a square in GF(q), whereas d is not, where the point O:=(0, 1) serves as the identity element. (Note that the identity
element satisfies the defining equation.) See for details of the group operation.
An Edwards curve is a twisted Edwards curve with a=1.
Each curve defined in forms a commutative group under addition (denoted by '+'). In we specify the group
laws, which depend on the curve model in question. For completeness, we here include some common elliptic curve nomenclature and basic properties (primarily so as to keep this
document self-contained). These notions are mainly used in and and not essential for our
exposition. This section can be skipped at first reading.
Any point P of a curve E is a generator of the cyclic subgroup (P):={k*P | k = 0, 1, 2,...} of the curve. (Here, k*P denotes the sum of k copies of P, where 0*P is
the identity element O of the curve.) If (P) has cardinality l, then l is called the order of P.
The order of curve E is the cardinality of the set of its points, commonly denoted by |E|. A curve is cyclic if it is generated by some point of this curve. All curves of prime
order are cyclic, while all curves of order h*n, where n is a large prime number and where h is a small number (the so-called co-factor), have a large cyclic subgroup of
prime order n. In this case, a generator of order n is called a base point, commonly denoted by G. A point of order dividing h is said to be in the small subgroup. For curves of
prime order, this small subgroup is the singleton set, consisting of only the identity element O. If a point is not in the small subgroup, it has order at least n.
If R is a point of the curve that is also contained in (P), there is a unique integer k in the interval [0, l-1] so that R=k*P, where l is the order of P.
This number is called the discrete logarithm of R to the base P. The discrete logarithm problem is the problem of finding the discrete logarithm of R to the base P
for any two points P and R of the curve, if such a number exists.
If P is a fixed base point G of the curve, the pair (k, R:=k*G) is commonly called a public-private key pair, the integer k the private key, and the point R
the corresponding public key. The private key k can be represented as an integer in the interval [0,n-1], where G has order n.
In this document, a quadratic twist of a curve E defined over a field GF(q) is a curve E' related to E, with cardinality |E'|, where |E|+|E'|=2*(q+1). If E is a curve in one
of the curve models specified in this document, a quadratic twist of this curve can be expressed using the same curve model, although (naturally) with its own curve parameters.
Two curves E and E' defined over a field GF(q) are said to be isogenous if these have the same order and are said to be isomorphic if these have the same group structure. Note
that isomorphic curves have necessarily the same order and are, thus, a special type of isogenous curves. Further details are out of scope.
Weierstrass curves can have prime order, whereas Montgomery curves and twisted Edwards curves always have an order that is a multiple of four (and, thereby, a small subgroup
of cardinality four).
An ordered pair (x, y) whose coordinates are elements of GF(q) can be associated with any ordered triple of the form [x*z: y*z: z], where z is a nonzero element of GF(q), and
can be uniquely recovered from such a representation. The latter representation is commonly called a representation in projective coordinates. Sometimes, yet other representations
are useful (e.g., representation in Jacobian coordinates). Further details are out of scope.
The group laws in are mostly expressed in terms of affine points, but can also be expressed in terms of the representation of these points
in projective coordinates, thereby allowing clearing of denominators. The group laws may also involve non-affine points (such as the point at infinity O of a Weierstrass curve
or of a Montgomery curve). Those can also be represented in projective coordinates. Further details are out of scope.
The field GF(q), where q is an odd prime power, is defined as follows.
If p is a prime number, the field GF(p) consists of the integers in the interval [0,p-1] and two binary operations on this set: addition and multiplication modulo p.
If q=p^m and m>0, the field GF(q) is defined in terms of an irreducible polynomial f(z) in z of degree m with coefficients in GF(p) (i.e., f(z) cannot be written as the
product of two polynomials in z of lower degree with coefficients in GF(p)): in this case, GF(q) consists of the polynomials in z of degree smaller than m with coefficients
in GF(p) and two binary operations on this set: polynomial addition and polynomial multiplication modulo the irreducible polynomial f(z). By definition, each element x of
GF(q) is a polynomial in z of degree smaller than m and can, therefore, be uniquely represented as a vector (x_{m-1}, x_{m-2}, ..., x_1, x_0) of length m with coefficients
in GF(p), where x_i is the coefficient of z^i of polynomial x. Note that this representation depends on the irreducible polynomial f(z) of the field GF(p^m) in question
(which is often fixed in practice). Note that GF(q) contains the prime field GF(p) as a subset. If m=1, we always pick f(z):=z, so that the definitions of GF(p) and GF(p^1)
above coincide. If m>1, then GF(q) is called a (nontrivial) extension field over GF(p). The number p is called the characteristic of GF(q).
A field element y is called a square in GF(q) if it can be expressed as y:=x^2 for some x in GF(q); it is called a non-square in GF(q) otherwise. If y is a square in GF(q),
we denote by sqrt(y) one of its square roots (the other one being -sqrt(y)). For methods for computing square roots and inverses in GF(q) - if these exist - see
and , respectively. For methods for mapping a nonzero field element that is not a square in GF(q) to a point of a curve, see
.
NOTE: The curves in and are all defined over a prime field GF(p), thereby reducing all operations
to simple modular integer arithmetic. Strictly speaking we could, therefore, have refrained from introducing extension fields. Nevertheless, we included the more general
exposition, so as to accommodate potential introduction of new curves that are defined over a (nontrivial) extension field at some point in the future. This includes
curves proposed for post-quantum isogeny-based schemes, which are defined over a quadratic extension field (i.e., where q:=p^2), and elliptic curves used with pairing-based
cryptography. The exposition in either case is almost the same and now automatically yields, e.g., data conversion routines for any finite field object (see
). Readers not interested in this, could simply view all fields as prime fields.
For each point P of the Weierstrass curve W_{a,b}, the point at infinity O serves as identity element, i.e., P + O = O + P = P.
For each affine point P:=(X, Y) of the Weierstrass curve W_{a,b}, the point -P is the point (X, -Y) and one has P + (-P) = O.
Let P1:=(X1, Y1) and P2:=(X2, Y2) be distinct affine points of the Weierstrass curve W_{a,b} and let Q:=P1 + P2, where Q is not the identity element.
Then Q:=(x, y), where
X + X1 + X2 = lambda^2 and Y + Y1 = lambda*(X1 - X), where
lambda:= (Y2 - Y1)/(X2 - X1).

Let P:=(X1, Y1) be an affine point of the Weierstrass curve W_{a,b} and let Q:=2*P, where Q is not the identity element. Then Q:=(X, Y), where
X + 2*X1 = lambda^2 and Y + Y1 = lambda*(X1 - X), where
lambda:=(3*X1^2 + a)/(2*Y1).

From the group laws above it follows that if P=(X, Y), P1=k*P=(X1, Y1), and P2=(k+1)*P=(X2, Y2) are distinct affine points of the Weierstrass curve W_{a,b} and if Y is
nonzero, then the Y-coordinate of P1 can be expressed in terms of the X-coordinates of P, P1, and P2, and the Y-coordinate of P, as
Y1=((X*X1+a)*(X+X1)+2*b-X2*(X-X1)^2)/(2*Y).

This property allows recovery of the Y-coordinate of a point P1=k*P that is computed via the so-called Montgomery ladder, where P is an affine point with nonzero
Y-coordinate (i.e., it does not have order two). Further details are out of scope.
For each point P of the Montgomery curve M_{A,B}, the point at infinity O serves as identity element, i.e., P + O = O + P = P.
For each affine point P:=(u, v) of the Montgomery curve M_{A,B}, the point -P is the point (u, -v) and one has P + (-P) = O.
Let P1:=(u1, v1) and P2:=(u2, v2) be distinct affine points of the Montgomery curve M_{A,B} and let Q:=P1 + P2, where Q is not the identity element.
Then Q:=(u, v), where
u + u1 + u2 = B*lambda^2 - A and v + v1 = lambda*(u1 - u), where
lambda:=(v2 - v1)/(u2 - u1).

Let P:=(u1, v1) be an affine point of the Montgomery curve M_{A,B} and let Q:=2*P, where Q is not the identity element. Then Q:=(u, v), where
u + 2*u1 = B*lambda^2 - A and v + v1 = lambda*(u1 - u), where
lambda:=(3*u1^2 + 2*A*u1+1)/(2*B*v1).

From the group laws above it follows that if P=(u, v), P1=k*P=(u1, v1), and P2=(k+1)*P=(u2, v2) are distinct affine points of the Montgomery curve M_{A,B} and if v is nonzero,
then the v-coordinate of P1 can be expressed in terms of the u-coordinates of P, P1, and P2, and the v-coordinate of P, as
v1=((u*u1+1)*(u+u1+2*A)-2*A-u2*(u-u1)^2)/(2*B*v).

This property allows recovery of the v-coordinate of a point P1=k*P that is computed via the so-called Montgomery ladder, where P is an affine point with nonzero v-coordinate
(i.e., it does not have order one or two). Further details are out of scope.
Note: The group laws below hold for twisted Edwards curves E_{a,d} where a is a square in GF(q), whereas d is not. In this case, the addition
formulae below are defined for each pair of points, without exceptions. Generalizations of this group law to other twisted Edwards curves are out of scope.
For each point P of the twisted Edwards curve E_{a,d}, the point O:=(0,1) serves as identity element, i.e., P + O = O + P = P.
For each point P:=(x, y) of the twisted Edwards curve E_{a,d}, the point -P is the point (-x, y) and one has P + (-P) = O.
Let P1:=(x1, y1) and P2:=(x2, y2) be points of the twisted Edwards curve E_{a,d} and let Q:=P1 + P2. Then Q:=(x, y), where
x = (x1*y2 + x2*y1)/(1 + d*x1*x2*y1*y2) and
y = (y1*y2 - a*x1*x2)/(1 - d*x1*x2*y1*y2).

Let P:=(x1, y1) be a point of the twisted Edwards curve E_{a,d} and let Q:=2*P. Then Q:=(x, y), where
x = (2*x1*y1)/(1 + d*x1^2*y1^2) and
y = (y1^2 - a*x1^2)/(1 - d*x1^2*y1^2).

Note that one can use the formulae for point addition for point doubling, taking inverses, and adding the identity element as well (i.e., the point
addition formulae are uniform and complete (subject to our Note above)).
From the group laws above (subject to our Note above) it follows that if P=(x, y), P1=k*P=(x1, y1), and P2=(k+1)*P=(x2, y2) are affine points of the twisted Edwards curve
E_{a,d} and if x is nonzero, then the x-coordinate of P1 can be expressed in terms of the y-coordinates of P, P1, and P2, and the x-coordinate of P, as
x1=(y*y1-y2)/(x*(a-d*y*y1*y2)).

This property allows recovery of the x-coordinate of a point P1=k*P that is computed via the so-called Montgomery ladder, where P is an affine point with nonzero x-coordinate
(i.e., it does not have order one or two). Further details are out of scope.
The non-binary curves specified in are expressed in different curve models, viz. as curves in short-Weierstrass form,
as Montgomery curves, or as twisted Edwards curves. These curve models are related, as follows.
One can map points of the Montgomery curve M_{A,B} to points of the twisted Edwards curve E_{a,d}, where a:=(A+2)/B and d:=(A-2)/B and, conversely,
map points of the twisted Edwards curve E_{a,d} to points of the Montgomery curve M_{A,B}, where A:=2(a+d)/(a-d) and where B:=4/(a-d). For twisted Edwards curves
we consider (i.e., those where a is a square in GF(q), whereas d is not), this defines a one-to-one correspondence, which - in fact - is an isomorphism between
M_{A,B} and E_{a,d}, thereby showing that, e.g., the discrete logarithm problem in either curve model is equally hard.
For the Montgomery curves and twisted Edwards curves we consider, the mapping from M_{A,B} to E_{a,d} is defined by mapping the point at infinity O and the
point (0, 0) of order two of M_{A,B} to, respectively, the point (0, 1) and the point (0, -1) of order two of E_{a,d}, while mapping each other point (u, v) of
M_{A,B} to the point (x,y):=(u/v,(u-1)/(u+1)) of E_{a,d}. The inverse mapping from E_{a,d} to M_{A,B} is defined by mapping the point (0, 1) and the point (0, -1)
of order two of E_{a,d} to, respectively, the point at infinity O and the point (0, 0) of order two of M_{A,B}, while each other point (x, y) of E_{a,d} is mapped
to the point (u,v):=((1+y)/(1-y),(1+y)/((1-y)*x)) of M_{A,B}.
Implementations may take advantage of this mapping to carry out elliptic curve group operations originally defined for a twisted Edwards curve on the
corresponding Montgomery curve, or vice-versa, and translating the result back to the original curve, thereby potentially allowing code reuse.
One can map points of the Montgomery curve M_{A,B} to points of the Weierstrass curve W_{a,b}, where a:=(3-A^2)/(3*B^2) and b:=(2*A^3-9*A)/(27*B^3).
This defines a one-to-one correspondence, which - in fact - is an isomorphism between M_{A,B} and W_{a,b}, thereby showing that, e.g., the discrete logarithm
problem in either curve model is equally hard.
The mapping from M_{A,B} to W_{a,b} is defined by mapping the point at infinity O of M_{A,B} to the point at infinity O of W_{a,b}, while mapping each
other point (u,v) of M_{A,B} to the point (X,Y):=((u+A/3)/B,v/B) of W_{a,b}. Note that not all Weierstrass curves can be injectively mapped to Montgomery
curves, since the latter have a point of order two and the former may not. In particular, if a Weierstrass curve has prime order,
such as is the case with the so-called "NIST curves", this inverse mapping is not defined.
If the Weierstrass curve W_{a,b} has a point (alpha,0) of order two and c:=a+3*(alpha)^2 is a square in GF(q), one can map points of this curve to points
of the Montgomery curve M_{A,B}, where A:=3*alpha/gamma and B:=1/gamma and where gamma is any square root of c. In this case, the mapping from W_{a,b} to
M_{A,B} is defined by mapping the point at infinity O of W_{a,b} to the point at infinity O of M_{A,B}, while mapping each other point (X,Y) of W_{a,b} to the
point (u,v):=((X-alpha)/gamma,Y/gamma) of M_{A,B}. As before, this defines a one-to-one correspondence, which - in fact - is an isomorphism between W_{a,b} and
M_{A,B}. It is easy to see that the mapping from W_{a,b} to M_{A,B} and that from M_{A,B} to W_{a,b} (if defined) are each other's inverse.
This mapping can be used to implement elliptic curve group operations originally defined for a twisted Edwards curve or for a Montgomery curve using group
operations on the corresponding elliptic curve in short-Weierstrass form and translating the result back to the original curve, thereby potentially allowing
code reuse.
Note that implementations for elliptic curves with short-Weierstrass form that hard-code the domain parameter a to a= -3 (which value is known to allow
more efficient implementations) cannot always be used this way, since the curve W_{a,b} resulting from an isomorphic mapping cannot always be expressed as a
Weierstrass curve with a=-3 via a coordinate transformation. For more details, see .
One can map points of the twisted Edwards curve E_{a,d} to points of the Weierstrass curve W_{a,b}, via function composition, where one uses the isomorphic
mapping between twisted Edwards curves and Montgomery curves of and the one between Montgomery and Weierstrass curves of
. Obviously, one can use function composition (now using the respective inverses - if these exist) to realize the inverse of this
mapping.
The elliptic curve Curve25519 is the Montgomery curve M_{A,B} defined over the prime field GF(p), with p:=2^{255}-19, where A:=486662 and B:=1.
This curve has order h*n, where h=8 and where n is a prime number. For this curve, A^2-4 is not a square in GF(p), whereas A+2 is.
The quadratic twist of this curve has order h1*n1, where h1=4 and where n1 is a prime number. For this curve, the base point is the point (Gu, Gv),
where Gu=9 and where Gv is an odd integer in the interval [0, p-1].
This curve has the same group structure as (is "isomorphic" to) the twisted Edwards curve E_{a,d} defined over GF(p), with as base point the
point (Gx, Gy), where parameters are as specified in . This curve is denoted as Edwards25519.
For this curve, the parameter a is a square in GF(p), whereas d is not, so the group laws of apply.
The curve is also isomorphic to the elliptic curve W_{a,b} in short-Weierstrass form defined over GF(p), with as base point the point (GX, GY),
where parameters are as specified in . This curve is denoted as Wei25519.
Each affine point (u, v) of Curve25519 corresponds to the point (X, Y):=(u + A/3, v) of Wei25519, while the point at infinity of Curve25519 corresponds to
the point at infinity of Wei25519. (Here, we used the mappings of and that B=1.) Under this mapping, the base point (Gu, Gv) of Curve25519
corresponds to the base point (GX, GY) of Wei25519. The inverse mapping maps the affine point (X, Y) of Wei25519 to (u, v):=(X - A/3, Y) of Curve25519, while mapping the
point at infinity of Wei25519 to the point at infinity of Curve25519. Note that this mapping involves a simple shift of the first coordinate and can be
implemented via integer-only arithmetic as a shift of (p+A)/3 for the isomorphic mapping and a shift of -(p+A)/3 for its inverse, where delta=(p+A)/3 is
the element of GF(p) defined by
19298681539552699237261830834781317975544997444273427339909597334652188435537
(=0x2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaad2451).

(Note that, depending on the implementation details of the field arithmetic, one may have to shift the result by +p or -p if this integer is not in the interval [0,p-1].)
The curve Edwards25519 is isomorphic to the curve Curve25519, where the base point (Gu, Gv) of Curve25519 corresponds to the base point (Gx,Gy)
of Edwards25519 and where the point at infinity and the point (0,0) of order two of Curve25519 correspond to, respectively, the point (0, 1) and the point
(0, -1) of order two of Edwards25519 and where each other point (u, v) of Curve25519 corresponds to the point (c*u/v, (u-1)/(u+1)) of Edwards25519, where c is
the element of GF(p) defined by
sqrt(-(A+2)/B)
51042569399160536130206135233146329284152202253034631822681833788666877215207
(=0x70d9120b 9f5ff944 2d84f723 fc03b081 3a5e2c2e b482e57d 3391fb55 00ba81e7).

(Here, we used the mapping of and normalized this using the mapping of (where the element s of that
appendix is set to c above).)
The inverse mapping from Edwards25519 to Curve25519 is defined by mapping the point (0, 1) and the point (0, -1) of order two of Edwards25519 to, respectively,
the point at infinity and the point (0,0) of order two of Curve25519 and having each other point (x, y) of Edwards25519 correspond to the point
((1 + y)/(1 - y), c*(1 + y)/((1-y)*x)) of Curve25519.
The curve Edwards25519 is isomorphic to the Weierstrass curve Wei25519, where the base point (Gx, Gy) of Edwards25519 corresponds to the base point (GX,GY)
of Wei25519 and where the identity element (0,1) and the point (0,-1) of order two of Edwards25519 correspond to, respectively, the point at infinity O and the point
(A/3, 0) of order two of Wei25519 and where each other point (x, y) of Edwards25519 corresponds to the point (X, Y):=((1+y)/(1-y)+A/3, c*(1+y)/((1-y)*x)) of Wei25519,
where c was defined before. (Here, we used the mapping of .)
The inverse mapping from Wei25519 to Edwards25519 is defined by mapping the point at infinity O and the point (A/3, 0) of order two of Wei25519 to, respectively,
the identity element (0,1) and the point (0,-1) of order two of Edwards25519 and having each other point (X, Y) of Wei25519 correspond to the point
(c*(3*X-A)/(3*Y), (3*X-A-3)/(3*X-A+3)) of Edwards25519.
Note that these mappings can be easily realized if points are represented in projective coordinates, using a few field multiplications only, thus allowing switching
between alternative curve representations with negligible relative incremental cost.
The parameters of the Montgomery curve and the corresponding isomorphic curves in twisted Edwards curve and short-Weierstrass form are as indicated below.
Here, the domain parameters of the Montgomery curve Curve25519 and of the twisted Edwards curve Edwards25519 are as specified in ;
the domain parameters of Wei25519 are "new".
General parameters (for all curve models):
2^{255}-19
(=0x7fffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffed)
8
7237005577332262213973186563042994240857116359379907606001950938285454250989
(=2^{252} + 0x14def9de a2f79cd6 5812631a 5cf5d3ed)
4
14474011154664524427946373126085988481603263447650325797860494125407373907997
(=2^{253} - 0x29bdf3bd 45ef39ac b024c634 b9eba7e3)

Montgomery curve-specific parameters (for Curve25519):
486662 (=0x076d06)
1 (=0x01)
9 (=0x09)
14781619447589544791020593568409986887264606134616475288964881837755586237401
(=0x20ae19a1 b8a086b4 e01edd2c 7748d14c 923d4d7e 6d7c61b2 29e9c5a2 7eced3d9)

Twisted Edwards curve-specific parameters (for Edwards25519):
-1 (-0x01)
-121665/121666 = - (A-2)/(A+2)
(=37095705934669439343138083508754565189542113879843219016388785533085940283555)
(=0x52036cee 2b6ffe73 8cc74079 7779e898 00700a4d 4141d8ab 75eb4dca 135978a3)
15112221349535400772501151409588531511454012693041857206046113283949847762202
(=0x216936d3 cd6e53fe c0a4e231 fdd6dc5c 692cc760 9525a7b2 c9562d60 8f25d51a)
4/5
(=46316835694926478169428394003475163141307993866256225615783033603165251855960)
(=0x66666666 66666666 66666666 66666666 66666666 66666666 66666666 66666658)

Weierstrass curve-specific parameters (for Wei25519):
19298681539552699237261830834781317975544997444273427339909597334573241639236
(=0x2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaa98 4914a144)
55751746669818908907645289078257140818241103727901012315294400837956729358436
(=0x7b425ed0 97b425ed 097b425e d097b425 ed097b42 5ed097b4 260b5e9c 7710c864)
19298681539552699237261830834781317975544997444273427339909597334652188435546
(=0x2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaad245a)
14781619447589544791020593568409986887264606134616475288964881837755586237401
(=0x20ae19a1 b8a086b4 e01edd2c 7748d14c 923d4d7e 6d7c61b2 29e9c5a2 7eced3d9)

The non-binary curves specified in are expressed in different curve models, viz. as curves in short-Weierstrass form, as Montgomery curves,
or as twisted Edwards curves. In we already described relationships between these various curve models. Further mappings exist between
elliptic curves within the same curve model. These can be exploited to force some of the domain parameters to specific values that allow for a more efficient implementation of
the addition formulae.
One can map points of the twisted Edwards curve E_{a,d} to points of the twisted Edwards curve E_{a',d'}, where a:=a'*s^2 and d:=d'*s^2 for some nonzero element s of
GF(q). This defines a one-to-one correspondence, which - in fact - is an isomorphism between E_{a,d} and E_{a',d'}.
The mapping from E_{a,d} to E_{a',d'} is defined by mapping the point (x,y) of E_{a,d} to the point (x', y'):=(s*x, y) of E_{a',d'}. The inverse mapping from
E_{a',d'} to E_{a,d} is defined by mapping the point (x', y') of E_{a',d'} to the point (x, y):=(x'/s, y') of E_{a,d}.
Implementations may take advantage of this mapping to carry out elliptic curve group operations originally defined for a twisted Edwards curve with generic
domain parameters a and d on a corresponding isomorphic twisted Edwards curve with domain parameters a' and d' that have a more special form, which are known to allow for
more efficient implementations of addition laws. In particular, it is known that such efficiency improvements exist if a':=-1 (see ).
One can map points of the Montgomery curve M_{A,B} to points of the Montgomery curve M_{A',B'}, where A:=A' and B:=B'*s^2 for some nonzero element s of GF(q). This
defines a one-to-one correspondence, which - in fact - is an isomorphism between M_{A,B} and M_{A',B'}.
The mapping from M_{A,B} to M_{A',B'} is defined by mapping the point at infinity O of M_{A,B} to the point at infinity O of M_{A',B'}, while mapping each
other point (u,v) of M_{A,B} to the point (u', v'):=(u, s*v) of M_{A',B'}. The inverse mapping from M_{A',B'} to M_{A,B} is defined by mapping the point
at infinity O of M_{A',B'} to the point at infinity O of M_{A,B}, while mapping each other point (u',v') of M_{A',B'}
to the point (u,v):=(u',v'/s) of M_{A,B}.
One can also map points of the Montgomery curve M_{A,B} to points of the Montgomery curve M_{A',B'}, where A':=-A and B':=-B. This defines a one-to-one
correspondence, which - in fact - is an isomorphism between M_{A,B} and M_{A',B'}.
In this case, the mapping from M_{A,B} to M_{A',B'} is defined by mapping the point at infinity O of M_{A,B} to the point at infinity O of M_{A',B'}, while mapping
each other point (u,v) of M_{A,B} to the point (u',v'):=(-u,v) of M_{A',B'}. The inverse mapping from M_{A',B'} to M_{A,B} is defined by mapping the point
at infinity O of M_{A',B'} to the point at infinity O of M_{A,B}, while mapping each other point (u',v') of M_{A',B'} to the point (u,v):=(-u',v') of M_{A,B}.
Implementations may take advantage of this mapping to carry out elliptic curve groups operations originally defined for a Montgomery curve with generic domain
parameters A and B on a corresponding isomorphic Montgomery curve with domain parameters A' and B' that have a more special form, which is known to allow for more efficient
implementations of addition laws. In particular, it is known that such efficiency improvements exist if B' assumes a small absolute value, such as B':=(+/-)1.
(see ).
One can map points of the Weierstrass curve W_{a,b} to points of the Weierstrass curve W_{a',b'}, where a':=a*s^4 and b':=b*s^6 for some nonzero element s of GF(q).
This defines a one-to-one correspondence, which - in fact - is an isomorphism between W_{a,b} and W_{a',b'}.
The mapping from W_{a,b} to W_{a',b'} is defined by mapping the point at infinity O of W_{a,b} to the point at infinity O of W_{a',b'}, while mapping each
other point (X,Y) of W_{a,b} to the point (X',Y'):=(X*s^2, Y*s^3) of W_{a',b'}. The inverse mapping from W_{a',b'} to W_{a,b} is defined by mapping the point
at infinity O of W_{a',b'} to the point at infinity O of W_{a,b}, while mapping each other point (X', Y') of W_{a',b'}
to the point (X,Y):=(X'/s^2,Y'/s^3) of W_{a,b}.
Implementations may take advantage of this mapping to carry out elliptic curve group operations originally defined for a Weierstrass curve with generic
domain parameters a and b on a corresponding isomorphic Weierstrass curve with domain parameter a' and b' that have a more special form, which is known to allow for more
efficient implementations of addition laws, and translating the result back to the original curve. In particular, it is known that such efficiency improvements exist if
a'=-3 (mod p), where p is the characteristic of GF(q), and one uses so-called Jacobian coordinates with a particular projective version of the addition laws of
. While not all Weierstrass curves can be put into this form, all traditional NIST curves have domain parameter a=-3, while all Brainpool
curves are isomorphic to a Weierstrass curve of this form.
Note that implementations for elliptic curves with short-Weierstrass form that hard-code the domain parameter a to a= -3 cannot always be used this way,
since the curve W_{a,b} cannot always be expressed in terms of a Weierstrass curve with a'=-3 via a coordinate transformation: this only holds if a'/a is a
fourth power in GF(q) (see Section 3.1.5 of ). However, even in this case, one can still express the curve W_{a,b} as a Weierstrass curve
with a small domain parameter value a', thereby still allowing a more efficient implementation than with a general domain parameter value a.
One can still map points of the Weierstrass curve W_{a,b} to points of the Weierstrass curve W_{a',b'}, where a':=-3 (mod p) and where p is the characteristic of GF(q),
even if a'/a is not a fourth power in GF(q). In that case, this mappping cannot be an isomorphism (see ). Instead, the mapping is a
so-called isogeny (or homomorphism). Since most elliptic curve operations process points of prime order or use so-called "co-factor multiplication", in practice the
resulting mapping has similar properties as an isomorphism. In particular, one can still take advantage of this mapping to carry out elliptic curve group operations
originally defined for a Weierstrass curve with domain parameter a unequal to -3 (mod p) on a corresponding isogenous Weierstrass curve with domain parameter a'=-3 (mod p)
and translating the result back to the original curve.
In this case, the mapping from W_{a,b} to W_{a',b'} is defined by mapping the point at infinity O of W_{a,b} to the point at infinity O of W_{a',b'}, while mapping
each other point (X,Y) of W_{a,b} to the point (X',Y'):=(u(X)/w(X)^2,Y*v(X)/w(X)^3) of W_{a',b'}. Here, u(X), v(X), and w(X) are polynomials in X that depend on the isogeny
in question. The inverse mapping from W_{a',b'} to W_{a,b} is again an isogeny and defined by mapping the point at infinity O of W_{a',b'} to the point at infinity O of
W_{a,b}, while mapping each other point (X', Y') of W_{a',b'} to the point (X,Y):=(u'(X')/w'(X')^2,Y'*v'(X')/w'(X')^3) of W_{a,b}, where -- again -- u'(X'), v'(X'), and
w'(X') are polynomials in X' that depend on the isogeny in question. These mappings have the property that their composition is not the identity mapping (as was the case with
the isomorphic mappings discussed in ), but rather a fixed multiple hereof: if this multiple is l then the isogeny is called an isogeny of
degree l (or l-isogeny) and u, v, and w (and, similarly, u', v', and w') are polynomials of degrees l, 3*(l-1)/2, and (l-1)/2, respectively. Note that an isomorphism is
simply an isogeny of degree l=1. Details of how to determine isogenies are out of scope of this document.
Implementations may take advantage of this mapping to carry out elliptic curve group operations originally defined for a Weierstrass curve with a generic domain
parameter a on a corresponding isogenous Weierstrass curve with domain parameter a'=-3 (mod p), where one can use so-called Jacobian coordinates with a particular projective
version of the addition laws of . Since all traditional NIST curves have domain parameter a=-3, while all Brainpool curves
are isomorphic to a Weierstrass curve of this form, this allows taking advantage of existing implementations for these curves that may
have a hardcoded a=-3 (mod p) domain parameter, provided one switches back and forth to this curve form using the isogenous mapping in question.
Note that isogenous mappings can be easily realized using representations in projective coordinates and involves roughly 3*l finite field multiplications, thus
allowing switching between alternative representations at relatively low incremental cost compared to that of elliptic curve scalar multiplications (provided the isogeny
has low degree l). Note, however, that this does require storage of the polynomial coefficients of the isogeny and dual isogeny involved. This illustrates that low-degree
isogenies are to be preferred, since an l-isogeny (usually) requires storing roughly 6*l elements of GF(q). While there are many isogenies, we therefore only consider those
with the desired property with lowest possible degree.
The Weierstrass curve Wei25519 is isomorphic to the Weierstrass curve Wei25519.2 defined over GF(p), with as base point the pair (G2X,G2Y), and isogenous to the
Weierstrass curve Wei25519.-3 defined over GF(p), with as base point the pair (G3X, G3Y), where parameters are as specified in and
where the related mappings are as specified in .
Each affine point (X, Y) of Wei25519 corresponds to the point (X', Y'):=(X*s^2,Y*s^3) of Wei25519.2, where s is the element of GF(p) defined by
2034359303893561859179424737413714359839405834119394332647383197739407761440
(=0x047f6814 6d568b44 7e4552ea a5ed633d 02d62964 a2b0a120 5e7941e9 375de020),

while the point at infinity of Wei25519 corresponds to the point at infinity of Wei25519.2. (Here, we used the mapping of .)
Under this mapping, the base point (GX, GY) of Wei25519 corresponds to the base point (G2X,G2Y) of Wei25519.2. The inverse mapping maps the affine point (X', Y')
of Wei25519.2 to (X,Y):=(X'/s^2,Y'/s^3) of Wei25519, while mapping the point at infinity O of Wei25519.2 to the point at infinity O of Wei25519. Note that this mapping
(and its inverse) involves a modular multiplication of both coordinates with fixed constants s^2 and s^3 (respectively, 1/s^2 and 1/s^3), which can be precomputed.
Each affine point (X,Y) of Wei25519 corresponds to the point (X',Y'):=(X1*t^2,Y1*t^3) of Wei25519.-3, where (X1,Y1)=(u(X)/w(X)^2,Y*v(X)/w(X)^3),
where u, v, and w are the polynomials with coefficients in GF(p) as defined in and where t is the element of GF(p) defined by
35728133398289175649586938605660542688691615699169662967154525084644181596229
(=0x4efd6829 88ff8526 e189f712 5999550c e9ef729b ed1a7015 73b1bab8 8bfcd845),

while the point at infinity of Wei25519 corresponds to the point at infinity of Wei25519.-3. (Here, we used the isogenous mapping of .)
Under this isogenous mapping, the base point (GX,GY) of Wei25519 corresponds to the base point (G3X,G3Y) of Wei25519.-3.
The dual isogeny maps the affine point (X',Y') of Wei25519.-3 to the affine point (X,Y):=(u'(X1)/w'(X1)^2,Y1*v'(X1)/w'(X1)^3) of Wei25519, where (X1,Y1)=(X'/t^2,Y'/t^3)
and where u', v', and w' are the polynomials with coefficients in GF(p) as defined in , while mapping the point at infinity O
of Wei25519.-3 to the point at infinity O of Wei25519. Under this dual isogenous mapping, the base point (G3X, G3Y) of Wei25519.-3 corresponds to a multiple of the
base point (GX, GY) of Wei25519, where this multiple is l=47 (the degree of the isogeny; see the description in ).
Note that this isogenous map (and its dual) primarily involves the evaluation of three fixed polynomials involving the x-coordinate, which takes roughly 140 modular
multiplications (or less than 5-10% relative incremental cost compared to the cost of an elliptic curve scalar multiplication).
The parameters of the Weierstrass curve with a=2 that is isomorphic with Wei25519 and the parameters of the Weierstrass curve with a=-3 that is isogenous
with Wei25519 are as indicated below. Both domain parameter sets can be exploited directly to derive more efficient point addition formulae, should an implementation
facilitate this.
General parameters: same as for Wei25519 (see )
Weierstrass curve-specific parameters (for Wei25519.2, i.e., with a=2):
2 (=0x02)
12102640281269758552371076649779977768474709596484288167752775713178787220689
(=0x1ac1da05 b55bc146 33bd39e4 7f94302e f19843dc f669916f 6a5dfd01 65538cd1)
10770553138368400518417020196796161136792368198326337823149502681097436401658
(=0x17cfeac3 78aed661 318e8634 582275b6 d9ad4def 072ea193 5ee3c4e8 7a940ffa)
5443057586150840565309866898445752861680710333250257752116143977388639873869
(=0x0c08a952 c55dfad6 2c4f13f1 a8f68dca dc5c331d 297a37b6 f0d7fdcc 51e16b4d)

Weierstrass curve-specific parameters (for Wei25519.-3, i.e., with a=-3):
-3
(=0x7fffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffea)
29689592517550930188872794512874050362622433571298029721775200646451501277098
(=0x41a3b6bf c668778e be2954a4 b1df36d1 485ecef1 ea614295 796e1022 40891faa)
53837179229940872434942723257480777370451127212339198133697207846219400243292
(=0x7706c37b 5a84128a 3884a5d7 1811f1b5 5da3230f fb17a8ab 0b32e48d 31a6685c)
6954807309110018441440205552927997039251486742285514177307080418460388229929
(=0x0f60480c 7a5c0e11 40340adc 79d6a2bf 0cb57ad0 49d025dc 38d80c77 985f0329)

The isogeny and dual isogeny are both isogenies with degree l=47. Both are specified by a triple of polynomials
u, v, and w (resp. u', v', and w') of degree 47, 69, and 23, respectively, with coefficients in GF(p). The coeffients
of each of these polynomials are specified in (for the isogeny) and in
(for the dual isogeny). For each polynomial in variable x, the coefficients are
tabulated as sequence of coefficients of x^0, x^1, x^2, ..., in hexadecimal format.
0x670ed14828b6f1791ceb3a9cc0edfe127dee8729c5a72ddf77bb1abaebbba1e8
0x1135ca8bd5383cb3545402c8bce2ced14b45c29b241e4751b035f27524a9f932
0x3223806ff5f669c430efd74df8389f058d180e2fcffa5cdef3eacecdd2c34771
0x31b8fecf3f17a819c228517f6cd9814466c8c8bea2efccc47a29bfc14c364266
0x2541305c958c5a326f44efad2bec284e7abee840fadb08f2d994cd382fd8ce42
0x6e6f9c5792f3ff497f860f44a9c469cec42bd711526b733e10915be5b2dbd8c6
0x3e9ad2e5f594b9ce6b06d4565891d28a1be8790000b396ef0bf59215d6cabfde
0x278448895d236403bbc161347d19c913e7df5f372732a823ed807ee1d30206be
0x42f9d171ea8dc2f4a14ea46cc0ee54967175ecfe83a975137b753cb127c35060
0x128e40efa2d3ccb51567e73bae91e7c31eac45700fa13ce5781cbe5ddc985648
0x450e5086c065430b496d88952dd2d5f2c5102bc27074d4d1e98bfa47413e0645
0x487ef93da70dfd44a4db8cb41542e33d1aa32237bdca3a59b3ce1c59585f253d
0x33d209270026b1d2db96efb36cc2fa0a49be1307f49689022eab1892b010b785
0x4732b5996a20ebc4d5c5e2375d3b6c4b700c681bd9904343a14a0555ef0ecd48
0x64dc9e8272b9f5c6ad3470db543238386f42b18cb1c592cc6caf7893141b2107
0x52bbacd1f85c61ef7eafd8da27260fa2821f7a961867ed449b283036508ac5c5
0x320447ed91210985e2c401cfe1a93db1379424cf748f92fd61ab5cc356bc89a2
0x23d23a49bbcdf8cf4c4ce8a4ff7dd87d1ad1970317686254d5b4d2ec050d019f
0x1601fca063f0bbbf15f198b3c20e474c2170294fa981f73365732d2372b40cd4
0x7bf3f93840035e9688cfff402cee204a17c0de9779fc33503537dd78021bf4c4
0x311998ce59fb7e1cd6af591ece3e84dfcb1c330cbcf28c0349e37b9581452853
0x7ae5e41acfd28a9add2216dfed34756575a19b16984c1f3847b694326dad7f99
0x704957e279244a5b107a6c57bd0ab9afe5227b7c0be2052cd3513772a40efee7
0x56b918b5a0c583cb763550f8f71481e57c13bdcef2e5cfc8091d0821266f233b
0x677073fed43ab291e496f798fbcf217bac3f014e35d0c2fa07f041ae746a04d7
0x22225388e76f9688c7d4053b50ba41d0d8b71a2f21da8353d98472243ef50170
0x66930b3dffdd3995a2502cef790d78b091c875192d8074bb5d5639f736400555
0x79eb677c5e36971e8d64d56ebc0dedb4e9b7dd2d7b01343ebbd4d358d376e490
0x48a204c2ca6d8636e9994842605bd648b91b637844e38d6c7dd707edce8256e2
0x0fb3529b0d4b9ce2d70760f33e8ce997a58999718e9277caf48623d27ae6a788
0x4352604bffd0c7d7a9ed898a2c6e7cf2512ffb89407271ba1f2c2d0ead8cc5aa
0x6667697b29785fb6f0bd5e04d828991a5fe525370216f347ec767a26e7aac936
0x09fc950b083c56dbd989badf9887255e203c879f123a7cb28901e50aea6d64dc
0x41e51b51b5caadd1c15436bbf37596a1d7288a5f495d6b5b1ae66f8b2942b31d
0x073b59fec709aa1cabd429e981c6284822a8b7b07620c831ab41fd31d5cf7430
0x67e9b88e9a1bfbc2554107d67d814986f1b09c3107a060cba21c019a2d5dc848
0x6881494a1066ca176c5e174713786040affb4268b19d2abf28ef4293429f89c1
0x5f4d30502ff1e1ccd624e6f506569454ab771869d7483e26afc09dea0c5ccd3d
0x02a814cfc5859bca51e539c159955cbe729a58978b52329575d09bc6c3bf97ad
0x1313c8aaae20d6f4397f0d8b19e52cfcdf8d8e10fba144aec1778fd10ddf4e9c
0x7008d38f434b98953a996d4cc79fcbef9502411dcdf92005f725cea7ce82ad47
0x5a74d1296aaaa245ffb848f434531fa3ba9e5cb9098a7091d36c2777d4cf5a13
0x4bd3b700606397083f8038177bdaa1ac6edbba0447537582723cae0fd29341a9
0x573453fb2b093016f3368356c786519d54ed05f5372c01723b4da520597ec217
0x77f5c605bdb3a30d7d9c8840fce38650910d4418eed707a212c8927f41c2c812
0x16d6b9f7ff57ca32350057de1204cc6d69d4ef1b255dfef8080118e2fef6ace3
0x34e8595832a4021f8b5744014c6b4f7da7df0d0329e8b6b4d44c8fadad6513b7
0x01

0x0f9f5eb7134e6f8dafa30c45afa58d7bfc6d4e3ccbb5de87b562fd77403972b2
0x36c2dcd9e88f0d2d517a15fc453a098bbbb5a05eb6e8da906fae418a4e1a13f7
0x0b40078302c24fa394a834880d5bf46732ca1b4894172fb7f775821276f558b3
0x53dd8e2234573f7f3f7df11e90a7bdd7b75d807f9712f521d4fb18af59aa5f26
0x6d4d7bb08de9061988a8cf6ff3beb10e933d4d2fbb8872d256a38c74c8c2ceda
0x71bfe5831b30e28cd0fbe1e9916ab2291c6beacc5af08e2c9165c632e61dd2f5
0x7c524f4d17ff2ee88463da012fc12a5b67d7fb5bd0ab59f4bbf162d76be1c89c
0x758183d5e07878d3364e3fd4c863a5dc1fe723f48c4ab4273fc034f5454d59a4
0x1eb41ef2479444ecdccbc200f64bde53f434a02b6c3f485d32f14da6aa7700e1
0x1490f3851f016cc3cf8a1e3c16a53317253d232ed425297531b560d70770315c
0x09bc43131964e46d905c3489c9d465c3abbd26eab9371c10e429b36d4b86469c
0x5f27c173d94c7a413a288348d3fc88daa0bcf5af8f436a47262050f240e9be3b
0x1d20010ec741aaa393cd19f0133b35f067adab0d105babe75fe45c8ba2732ceb
0x01b3c669ae49b86be2f0c946a9ff6c48e44740d7d9804146915747c3c025996a
0x24c6090f79ec13e3ae454d8f0f98e0c30a8938180595f79602f2ba013b3c10db
0x4650c5b5648c6c43ac75a2042048c699e44437929268661726e7182a31b1532f
0x0957a835fb8bac3360b5008790e4c1f3389589ba74c8e8bf648b856ba7f22ba5
0x1cd1300bc534880f95c7885d8df04a82bd54ed3e904b0749e0e3f8cb3240c7c7
0x760b486e0d3c6ee0833b34b64b7ebc846055d4d1e0beeb6aedd5132399ada0ea
0x1c666846c63965ef7edf519d6ada738f2b676ae38ff1f4621533373931b3220e
0x365055118b38d4bc0df86648044affea2ef33e9a392ad336444e7d15e45585d1
0x736487bde4b555abfccd3ea7ddcda98eda0d7c879664117dee906a88bc551194
0x70de05ab9520222a37c7a84c61eedff71cb50c5f6647fc2a5d6e0ff2305cea37
0x59053f6cdf6517ab3fe4bd9c9271d1892f8cf353d8041b98409e1e341a01f8b5
0x375db54ed12fe8df9a198ea40200e812c2660b7022681d7932d89fafe7c6e88d
0x2a070c31d1c1a064daf56c79a044bd1cd6d13f1ddb0ff039b03a6469aaa9ed77
0x41482351e7f69a756a5a2c0b3fa0681c03c550341d0ca0f76c5b394db9d2de8d
0x747ac1109c9e9368d94a302cb5a1d23fcc7f0fd8a574efb7ddcaa738297c407a
0x45682f1f2aab6358247e364834e2181ad0448bb815c587675fb2fee5a2119064
0x148c5bf44870dfd307317f0a0e4a8c163940bee1d2f01455a2e658aa92c13620
0x6add1361e56ffa2d2fbbddba284b35be5845aec8069fc28af009d53290a705ce
0x6631614c617400dc00f2c55357f67a94268e7b5369b02e55d5db46c935be3af5
0x17cffb496c64bb89d91c8c082f4c288c3c87feabd6b08591fe5a92216c094637
0x648ff88155969f54c955a1834ad227b93062bb191170dd8c4d759f79ad5da250
0x73e50900b89e5f295052b97f9d0c9edb0fc7d97b7fa5e3cfeefe33dd6a9cb223
0x6afcb2f2ffe6c08508477aa4956cbd3dc864257f5059685adf2c68d4f2338f00
0x372fd49701954c1b8f00926a8cb4b157d4165b75d53fa0476716554bf101b74c
0x0334ed41325f3724ff8becbf2b3443fea6d30fa543d1ca13188aceb2bdaf5f4e
0x70e629c95a94e8e1b3974acb25e18ba42f8d5991786f0931f650c283adfe82fd
0x738a625f4c62d3d645f1274e09ab344e72d441f3c0e82989d3e21e19212f23f3
0x7093737294b29f21522f5664a9941c9b476f75d443b647bd2c777040bcd12a6a
0x0a996bad5863d821ccb8b89fa329ddbe5317a46bcb32552db396bea933765436
0x2da237e3741b75dd0264836e7ef634fc0bc36ab187ebc790591a77c257b06f53
0x1902f3daa86fa4f430b57212924fdc9e40f09e809f3991a0b3a10ab186c50ee5
0x12baffec1bf20c921afd3cdf67a7f1d87c00d5326a3e5c83841593c214dadcb1
0x6460f5a68123cb9e7bc1289cd5023c0c9ccd2d98eea24484fb3825b59dcd09aa
0x2c7d63a868ffc9f0fd034f821d84736c5bc33325ce98aba5f0d95fef6f230ec8
0x756e0063349a702db7406984c285a9b6bfba48177950d4361d8efa77408dc860
0x037f3e30032b21e0279738e0a2b689625447831a2ccf15c638672da9aa7255ae
0x1107c0dbe15d6ca9e790768317a40bcf23c80f1841f03ca79dd3e3ef4ea1ae30
0x61ff7f25721d6206041c59a788316b09e05135a2aad94d539c65daa68b302cc2
0x5dbfe346cbd0d61b9a3b5c42ec0518d3ae81cabcc32245060d7b0cd982b8d071
0x4b6595e8501e9ec3e75f46107d2fd76511764efca179f69196eb45c0aa6fade3
0x72d17a5aa7bd8a2540aa9b02d9605f2a714f44abfb4c35d518b7abc39b477870
0x658d8c134bac37729ec40d27d50b637201abbf1ab4157316358953548c49cf22
0x36ac53b9118581ace574d5a08f9647e6a916f92dda684a4dbc405e2646b0243f
0x1917a98f387d1e323e84a0f02d53307b1dd949e1a27b0de14514f89d9c0ef4b6
0x21573434fde7ce56e8777c79539479441942dba535ade8ecb77763f7eb05d797
0x0e0bf482dc40884719bea5503422b603f3a8edb582f52838caa6eaab6eeac7ef
0x3b0471eb53bd83e14fbc13928fe1691820349a963be8f7e9815848a53d03f5eb
0x1e92cb067b24a729c42d3abb7a1179c577970f0ab3e6b0ce8d66c5b8f7001262
0x74ea885c1ebed6f74964262402432ef184c42884fceb2f8dba3a9d67a1344dd7
0x433ebce2ce9b0dc314425cfc2b234614d3c34f2c9da9fff4fdddd1ce242d035b
0x33ac69e6be858dde7b83a9ff6f11de443128b39cec6e410e8d3b570e405ff896
0x0dab71e2ae94e6530a501ed8cf3df26731dd1d41cd81578341e12dca3cb71aa3
0x537f58d52d18ce5b1d5a6bd3a420e796e64173491ad43dd4d1083a7dcc7dd201
0x49c2f6afa93fdcc4e0f8128a8b06da4c75049be14edf3e103821ab604c60f8ae
0x10a333eabd6135aeaa3f5f5f7e73d102e4fd7e4bf0902fc55b00da235fa1ad08
0x0f5c86044bf6032f5102e601f2a0f73c7bce9384bedd120f3e72d78484179d9c
0x01

0x3da24d42421264f30939ff00203880f2b017eb3fecf8933ae61e18df8c8ba116
0x0457f20bc393cdc9a66848ce174e2fa41d77e6dbae05a317a1fb6e3ae78760f8
0x7f608a2285c480d5c9592c435431fae94695beef79d770bb6d029c1d10a53295
0x3832accc520a485100a0a1695792465142a5572bed1b2e50e1f8f662ac7289bb
0x2df1b0559e31b328eb34beedd5e537c3f4d7b9befb0749f75d6d0d866d26fbaa
0x25396820381d04015a9f655ddd41c74303ded05d54a7750e2f58006659adda28
0x6fa070a70ca2bc6d4d0795fb28d4990b2cc80cd72d48b603a8ac8c8268bef6a6
0x27f488578357388b20fbc7503328e1d10de602b082b3c7b8ceb33c29fea7a0d2
0x15776851a7cabcfe84c632118306915c0c15c75068a47021968c7438d46076e6
0x101565b08a9af015c172fb194b940a4df25c4fb1d85f72d153efc79131d45e8f
0x196b0ffbf92f3229fea1dac0d74591b905ccaab6b83f905ee813ee8449f8a62c
0x01f55784691719f765f04ee9051ec95d5deb42ae45405a9d87833855a6d95a94
0x628858f79cca86305739d084d365d5a9e56e51a4485d253ae3f2e4a379fa8aff
0x4a842dcd943a80d1e6e1dab3622a8c4d390da1592d1e56d1c14c4d3f72dd01a5
0x0f3bfc9cb17a1125f94766a4097d0f1018963bc11cb7bc0c7a1d94d65e282477
0x1c4bd70488c4882846500691fa7543b7ef694446d9c3e3b4707ea2c99383e53c
0x2d7017e47b24b89b0528932c4ade43f09091b91db0072e6ebdc5e777cb215e35
0x781d69243b6c86f59416f91f7decaca93eab9cdc36a184191810c56ed85e0fdc
0x5f20526f4177357da40a18da054731d442ad2a5a4727322ba8ed10d32eca24fb
0x33e4cab64ed8a00d8012104fe8f928e6173c428eff95bbbe569ea46126a4f3cd
0x050555b6f07e308d33776922b6566829d122e19b25b7bbacbb0a4b1a7dc40192
0x533fa4bf1e2a2aae2f979065fdbb5b667ede2f85543fddbba146aa3a4ef2d281
0x5a742cac1952010fc5aba200a635a7bed3ef868194f45b5a6a2647d6d6b289d2
0x01

0x0f0eddb584a20aaac8f1419efdd02a5cca77b21e4cfae78c49b5127d98bc5882
0x7115e60d44a58630417df33dd45b8a546fa00b79fea3b2bdc449694bade87c0a
0x0b3f3a6f3c445c7dc1f91121275414e88c32ff3f367ba0edad4d75b7e7b94b65
0x1eb31bb333d7048b87f2b3d4ec76d69035927b41c30274368649c87c52e1ab30
0x552c886c2044153e280832264066cce2a7da1127dc9720e2a380e9d37049ac64
0x4504f27908db2e1f5840b74ae42445298755d9493141f5417c02f04d47797dda
0x082c242cce1eb19698a4fa30b5affe64e5051c04ae8b52cb68d89ee85222e628
0x480473406add76cf1d77661b3ff506c038d9cdd5ad6e1ea41969430bb876d223
0x25f47bb506fba80c79d1763365fa9076d4c4cb6644f73ed37918074397e88588
0x10f13ed36eab593fa20817f6bb70cac292e18d300498f6642e35cbdf772f0855
0x7d28329d695fb3305620f83a58df1531e89a43c7b3151d16f3b60a8246c36ade
0x02c5ec8c42b16dc6409bdd2c7b4ffe9d65d7209e886badbd5f865dec35e4ab4a
0x7f4f33cd50255537e6cde15a4a327a5790c37e081802654b56c956434354e133
0x7d30431a121d9240c761998cf83d228237e80c3ef5c7191ec9617208e0ab8cec
0x4d2a7d6609610c1deed56425a4615b92f70a507e1079b2681d96a2b874cf0630
0x74676df60a9906901d1dc316c639ff6ae0fcdb02b5571d4b83fc2eedcd2936a8
0x22f8212219aca01410f06eb234ed53bd5b8fbe7c08652b8002bcd1ea3cdae387
0x7edb04449565d7c566b934a87fadade5515f23bda1ce25daa19fff0c6a5ccc2f
0x106ef71aa3aa34e8ecf4c07a67d03f0949d7d015ef2c1e32eb698dd3bec5a18c
0x0017913eb705db126ac3172447bcd811a62744d505ad0eea94cfcfdde5ca7428
0x2cc793e6d3b592dcf5472057a991ff1a5ab43b4680bb34c0f5faffc5307827c1
0x6dafcc0b16f98300cddb5e0a7d7ff04a0e73ca558c54461781d5a5ccb1ea0122
0x7e418891cf222c021b0ae5f5232b9c0dc8270d4925a13174a0f0ac5e7a4c8045
0x76553bd26fecb019ead31142684789fea7754c2dc9ab9197c623f45d60749058
0x693efb3f81086043656d81840902b6f3a9a4b0e8f2a5a5edf5ce1c7f50a3898e
0x46c630eac2b86d36f18a061882b756917718a359f44752a5caf41be506788921
0x01dcfa01773628753bc6f448ac11be8a3bffa0011b9284967629b827e064f614
0x08430b5b97d49b0938d1f66ecb9d2043025c6eec624f8f02042b9621b2b5cb19
0x66f66a6669272d47d3ec1efea36ee01d4a54ed50e9ec84475f668a5a9850f9be
0x539128823b5ef3e87e901ab22f06d518a9bad15f5d375b49fe1e893ab38b1345
0x2bd01c49d6fff22c213a8688924c10bf29269388a69a08d7f326695b3c213931
0x3f7bea1baeccea3980201dc40d67c26db0e3b15b5a19b6cdac6de477aa717ac1
0x6e0a72d94867807f7150fcb1233062f911b46e2ad11a3eac3c6c4c91e0f4a3fa
0x5963f3cc262253f56fc103e50217e7e5b823ae8e1617f9e11f4c9c595fbb5bf6
0x41440b6fe787777bc7b63afac9f4a38ddadcebc3d72f8fc73835247ba05f3a1d
0x66d185401c1d2d0b84fcf6758a6a985bf9695651271c08f4b69ce89175fb7b34
0x2673fb8c65bc4fe41905381093429a2601c46a309c03077ca229bac7d6ccf239
0x1ce4d895ee601918a080de353633c82b75a3f61e8247763767d146554dd2f862
0x18efa6c72fa908347547a89028a44f79f22542baa588601f2b3ed25a5e56d27c
0x53de362e2f8ff220f8921620a71e8faa1aa57f8886fcbb6808fa3a5560570543
0x0dc29a73b97f08aa8774911474e651130ed364e8d8cffd4a80dee633aacecc47
0x4e7eb8584ae4de525389d1e9300fc4480b3d9c8a5a45ecfbe33311029d8f6b99
0x6c3cba4aa9229550fa82e1cfaee4b02f2c0cb86f79e0d412b8e32b00b7959d80
0x5a9d104ae585b94af68eeb16b1349776b601f97b7ce716701645b1a75b68dcf3
0x754e014b5e87af035b3d5fe6fb49f4631e32549f6341c6693c5172a6388e273e
0x6710d8265118e22eaceba09566c86f642ab42da58c435083a353eaa12d866c39
0x6e88ac659ce146c369f8b24c3a49f8dca547827250cf7963a455851cfc4f8d22
0x0971eb5f253356cd1fde9fb21f4a4902aa5b8d804a2b57ba775dc130181ae2e8

0x043c9b67cc5b16e167b55f190db61e44d48d813a7112910f10e3fd8da85d61d3
0x72046db07e0e7882ff3f0f38b54b45ca84153be47a7fd1dd8f6402e17c47966f
0x1593d97b65a070b6b3f879fe3dc4d1ef03c0e781c997111d5c1748f956f1ffc0
0x54e5fec076b8779338432bdc5a449e36823a0a7c905fd37f232330b026a143a0
0x46328dd9bc336e0873abd453db472468393333fbf2010c6ac283933216e98038
0x25d0c64de1dfe1c6d5f5f2d98ab637d8b39bcf0d886a23dabac18c80d7eb03ce
0x3a175c46b2cd8e2b313dde2d5f3097b78114a6295f283cf58a33844b0c8d8b34
0x5cf4e6f745bdd61181a7d1b4db31dc4c30c84957f63cdf163bee5e466a7a8d38
0x639071c39b723eea51cfd870478331d60396b31f39a593ebdd9b1eb543875283
0x7ea8f895dcd85fc6cb2b58793789bd9246e62fa7a8c7116936876f4d8dff869b
0x503818acb535bcaacf8ad44a83c213a9ce83af7c937dc9b3e5b6efedc0a7428c
0x0e815373920ec3cbf3f8cae20d4389d367dc4398e01691244af90edc3e6d42b8
0x7e4b23e1e0b739087f77910cc635a92a3dc184a791400cbceae056c19c853815
0x145322201db4b5ec0a643229e07c0ab7c36e4274745689be2c19cfa8a702129d
0x0fde79514935d9b40f52e33429621a200acc092f6e5dec14b49e73f2f59c780d
0x37517ac5c04dc48145a9d6e14803b8ce9cb6a5d01c6f0ad1b04ff3353d02d815
0x58ae96b8eefe9e80f24d3b886932fe3c27aaea810fa189c702f93987c8c97854
0x6f6402c90fa379096d5f436035bebc9d29302126e9b117887abfa7d4b3c5709a
0x01dbdf2b9ec09a8defeb485cc16ea98d0d45c5b9877ff16bd04c0110d2f64961
0x53c51706af523ab5b32291de6c6b1ee7c5cbd0a5b317218f917b12ff38421452
0x1b1051c7aec7d37a349208e3950b679d14e39f979db4fcd7b50d7d27dc918650
0x1547e8d36262d5434cfb029cdd29385353124c3c35b1423c6cca1f87910b305b
0x198efe984efc817835e28f704d41e4583a1e2398f7ce14045c4575d0445c6ce7
0x492276dfe9588ee5cd9f553d990f377935d721822ecd0333ce2eb1d4324d539c
0x77bad5319bacd5ed99e1905ce2ae89294efa7ee1f74314e4095c618a4e580c9b
0x2cb3d532b8eac41c61b683f7b02feb9c2761f8b4286a54c3c4b60dd8081a312e
0x37d189ea60443e2fee9b7ba8a34ed79ff3883dcefc06592836d2a9dd2ee3656e
0x79a80f9a0e6b8ded17a3d6ccf71eb565e3704c3543b77d70bca854345e880aba
0x47718530ef8e8c75f069acb2d9925c5537908e220b28c8a2859b856f46d5f8db
0x7dc518f82b55a36b4fa084b05bf21e3efce481d278a9f5c6a49701e56dac01ec
0x340a318dad4b8d348a0838659672792a0f00b7105881e6080a340f708a9c7f94
0x55f04d9d8891636d4e9c808a1fa95ad0dae7a8492257b20448023aad3203278e
0x39dc465d58259f9f70bb430d27e2f0ab384a550e1259655443e14bdecba85530
0x757385464cff265379a1adfadfd6f6a03fa8a2278761d4889ab097eff4d1ac28
0x4d575654dbe39778857f4e688cc657416ce524d54864ebe8995ba766efa7ca2b
0x47adb6aecc1949f2dc9f01206cc23eb4a0c29585d475dd24dc463c5087809298
0x30d39e8b0c451a8fcf3d2abab4b86ffa374265abbe77c5903db4c1be8cec7672
0x28cf47b39112297f0daeaa621f8e777875adc26f35dec0ba475c2ee148562b41
0x36199723cc59867e2e309fe9941cd33722c807bb2d0a06eeb41de93f1b93f2f5
0x5cdeb1f2ee1c7d694bdd884cb1c5c22de206684e1cafb8d3adb9a33cb85e19a2
0x0f6e6b3fc54c2d25871011b1499bb0ef015c6d0da802ae7eccf1d8c3fb73856c
0x0c1422c98b672414344a9c05492b926f473f05033b9f85b8788b4bb9a080053c
0x19a8527de35d4faacb00184e0423962247319703a815eecf355f143c2c18f17f
0x7812dc3313e6cf093da4617f06062e8e8969d648dfe6b5c331bccd58eb428383
0x61e537180c84c79e1fd2d4f9d386e1c4f0442247605b8d8904d122ee7ef9f7be
0x544d8621d05540576cfc9b58a3dab19145332b88eb0b86f4c15567c37205adf9
0x11be3ef96e6e07556356b51e2479436d9966b7b083892b390caec22a117aa48e
0x205cda31289cf75ab0759c14c43cb30f7287969ea3dc0d5286a3853a4d403187
0x048d8fc6934f4f0a99f0f2cc59010389e2a0b20d6909bfcf8d7d0249f360acdc
0x42cecc6d9bdca6d382e97fcea46a79c3eda2853091a8f399a2252115bf9a1454
0x0117d41b24f2f69cb3270b359c181607931f62c56d070bbd14dc9e3f9ab1432e
0x7c51564c66f68e2ad4ce6ea0d68f920fafa375376709c606c88a0ed44207aa1e
0x48f25191fc8ac7d9f21adf6df23b76ccbca9cb02b815acdbebfa3f4eddc71b34
0x4fc21a62c4688de70e28ad3d5956633fc9833bc7be09dc7bc500b7fae1e1c9a8
0x1f23f25be0912173c3ef98e1c9990205a69d0bf2303d201d27a5499247f06789
0x3131495618a0ac4cb11a702f3f8bab66c4fa1066d0a741af3c92d5c246edd579
0x0d93fe40faa53913638e497328a1b47603cb062c7afc9e96278603f29fd11fd4
0x6b348bc59e984c91d696d1e3c3cfae44021f06f74798c787c355437fb696093d
0x65af00e73043edcb479620c8b48098b89809d577a4071c8e33e8678829138b8a
0x5e62ffb032b2ddb06591f86a46a18effd5d6ecf3f129bb2bacfd51a3739a98b6
0x62c974ef3593fc86f7d78883b8727a2f7359a282cbc0196948e7a793e60ce1a1
0x204d708e3f500aad64283f753e7d9bab976aa42a4ca1ce5e9d2264639e8b1110
0x0a90f0059da81a012e9d0a756809fab2ce61cb45965d4d1513a06227783ee4ea
0x39fa55971c9e833f61139c39e243d40869fd7e8a1417ee4e7719dd2dd242766f
0x22677c1e659caa324f0c74a013921facf62d0d78f273563145cc1ddccfcc4421
0x3468cf6df7e93f7ff1fe1dd7e180a89dec3ed4f72843b4ea8a8d780011a245b2
0x68f75a0e2210f52a90704ed5f511918d1f6bcfcd26b462cc4975252369db6e9d
0x6220c0699696e9bcab0fe3a80d437519bd2bdf3caef665e106b2dd47585ddd9f
0x553ad47b129fb347992b576479b0a89f8d71f1196f83e5eaab5f533a1dd6f6d7
0x239aef387e116ec8730fa15af053485ca707650d9f8917a75f22acf6213197df

0x6bd7f1fc5dd51b7d832848c180f019bcbdb101d4b3435230a79cc4f95c35e15e
0x17413bb3ee505184a504e14419b8d7c8517a0d268f65b0d7f5b0ba68d6166dd0
0x47f4471beed06e5e2b6d5569c20e30346bdba2921d9676603c58e55431572f90
0x2af7eaafd04f6910a5b01cdb0c27dca09487f1cd1116b38db34563e7b0b414eb
0x57f0a593459732eef11d2e2f7085bf9adf534879ba56f7afd17c4a40d3d3477b
0x4da04e912f145c8d1e5957e0a9e44cca83e74345b38583b70840bdfdbd0288ed
0x7cc9c3a51a3767d9d37c6652c349adc09bfe477d99f249a2a7bc803c1c5f39ed
0x425d7e58b8adf87eebf445b424ba308ee7880228921651995a7eab548180ad49
0x48156db5c99248234c09f43fedf509005943d3d5f5d7422621617467b06d314f
0x0d837dbbd1af32d04e2699cb026399c1928472aa1a7f0a1d3afd24bc9923456a
0x5b8806e0f924e67c1f207464a9d025758c078b43ddc0ea9afe9993641e5650be
0x29c91284e5d14939a6c9bc848908bd9df1f8346c259bbd40f3ed65182f3a2f39
0x25550b0f3bceef18a6bf4a46c45bf1b92f22a76d456bfdf19d07398c80b0f946
0x495d289b1db16229d7d4630cb65d52500256547401f121a9b09fb8e82cf01953
0x718c8c610ea7048a370eabfd9888c633ee31dd70f8bcc58361962bb08619963e
0x55d8a5ceef588ab52a07fa6047d6045550a5c52c91cc8b6b82eeb033c8ca557d
0x620b5a4974cc3395f96b2a0fa9e6454202ef2c00d82b0e6c534b3b1d20f9a572
0x4991b763929b00241a1a9a68e00e90c5df087f90b3352c0f4d8094a51429524e
0x18b6b49c5650fb82e36e25fd4eb6decfdd40b46c37425e6597c7444a1b6afb4e
0x6868305b4f40654460aad63af3cb9151ab67c775eaac5e5df90d3aea58dee141
0x16bc90219a36063a22889db810730a8b719c267d538cd28fa7c0d04f124c8580
0x3628f9cf1fbe3eb559854e3b1c06a4cd6a26906b4e2d2e70616a493bba2dc574
0x64abcc6759f1ce1ab57d41e17c2633f717064e35a7233a6682f8cf8e9538afec
0x01

Point compression allows a shorter representation of affine points of an elliptic curve by exploiting algebraic relationships between the coordinate values based on the defining
equation of the curve in question. Point decompression refers to the reverse process, where one tries and recover the affine point from its compressed representation and
information on the domain parameters of the curve. Consequently, point compression followed by point decompression is the identity map.
The description below makes use of an auxiliary function (the parity function), which we first define for prime fields GF(p) and then extend to all fields GF(q), where q is an
odd prime power. We assume each finite field to be unambiguously defined.
Let y be a nonzero element of GF(q). If q:=p is an odd prime number, y and p-y can be uniquely represented as integers in the interval [1,p-1] and have odd sum p.
Consequently, one can distinguish y from -y via the parity of this representation, i.e., via par(y):=y (mod 2). If q:=p^m, where p is an odd prime number and where m>0, both y and -y can be uniquely represented as vectors of length m, with coefficients in GF(p) (see ). In this case, the leftmost nonzero coordinate values of y and -y are in the same position and have representations in [1,p-1] with different parity. As a result, one can distinguish y from -y via the parity of the representation of this coordinate value. This extends the definition of the parity function to any odd-size field GF(q), where one defines par(0):=0.
If P:=(X, Y) is an affine point of the Weierstrass curve W_{a,b} defined over the field GF(q), then so is -P:=(X, -Y). Since the defining equation Y^2=X^2+a*X+b has at most two
solutions with fixed X-value, one can represent P by its X-coordinate and one bit of information that allows one to distinguish P from -P, i.e., one can represent P as
the ordered pair compr(P):=(X, par(Y)). If P is a point of order two, one can uniquely represent P by its X-coordinate alone, since Y=0 and has fixed parity.
Conversely, given the ordered pair (X, t), where X is an element of GF(q) and where t=0 or t=1, and the domain parameters of the curve, one can use the defining equation of the
curve to try and determine candidate values for the Y-coordinate given X, by solving the quadratic equation Y^2:=alpha, where alpha:=X^3+a*X+b. If alpha is not a square in GF(q),
this equation does not have a solution in GF(q) and the ordered pair (X, t) does not correspond to a point of this curve. Otherwise, there are two solutions, viz. Y=sqrt(alpha)
and -Y. If alpha is a nonzero element of GF(q), one can uniquely recover the Y-coordinate for which par(Y):=t and, thereby, the point P:=(X, Y). This is also the case if alpha=0
and t=0, in which case Y=0 and the point P has order two. However, if alpha=0 and t=1, the ordered pair (X, t) does not correspond to the outcome of the point compression function.
We extend the definition of the point compression function to all points of the curve W_{a,b}, by associating the (non-affine) point at infinity O with any ordered pair compr(O):=(X,0), where X is any element of GF(q) for which alpha:=X^3+a*X+b is not a square in GF(q), and recover this point accordingly. In this case, the point at infinity O can be represented by any ordered pair (X,0) of elements of GF(q) for which X^3+a*X+b is not a square in GF(q). Note that this ordered pair does not satisfy the defining equation of the curve in question. An application may fix a specific suitable value of X or choose multiple such values and use this to encode additonal information. Further details are out of scope.
If P:=(u, v) is an affine point of the Montgomery curve M_{A,B} defined over the field GF(q), then so is -P:=(u, -v). Since the defining equation B*v^2=u^3+A*u^2+u has at most
two solutions with fixed u-value, one can represent P by its u-coordinate and one bit of information that allows one to distinguish P from -P, i.e., one can represent P as the ordered pair compr(P):=(u, par(v)). If P is a point of order two, one can uniquely represent P by its u-coordinate alone, since v=0 and has fixed parity.
Conversely, given the ordered pair (u, t), where u is an element of GF(q) and where t=0 or t=1, and the domain parameters of the curve, one can use the defining equation of the
curve to try and determine candidate values for the v-coordinate given u, by solving the quadratic equation v^2:=alpha, where alpha:=(u^3+A*u^2+u)/B. If alpha is not a square in GF(q), this equation does not have a solution in GF(q) and the ordered pair (u, t) does not correspond to a point of this curve. Otherwise, there are two solutions, viz. v=sqrt(alpha) and -v. If alpha is a nonzero element of GF(q), one can uniquely recover the v-coordinate for which par(v):=t and, thereby, the affine point P:=(u, v). This is also the case if alpha=0 and t=0, in which case v=0 and the point P has order two. However, if alpha=0 and t=1, the ordered pair (u, t) does not correspond to the outcome of the point compression function.
We extend the definition of the point compression function to all points of the curve M_{A,B}, by associating the (non-affine) point at infinity O with the ordered pair compr(O):=(0,1) and recover this point accordingly. (Note that this corresponds to the case alpha=0 and t=1 above.) The point at infinity O can be represented by the ordered pair (0, 1) of elements of GF(q). Note that this ordered pair does not satisfy the defining equation of the curve in question.
If P:=(x, y) is an affine point of the twisted Edwards curve E_{a,d} defined over the field GF(q), then so is -P:=(-x, y). Since the defining equation a*x^2+y^2=1+d*x^2*y^2 has
at most two solutions with fixed y-value, one can represent P by its y-coordinate and one bit of information that allows one to distinguish P from -P, i.e., one can represent P as
the ordered pair compr(P):=(par(x), y). If P is a point of order one or two, one can uniquely represent P by its y-coordinate alone, since x=0 and has fixed parity.
Conversely, given the ordered pair (t, y), where y is an element of GF(q) and where t=0 or t=1, and the domain parameters of the curve, one can use the defining equation of the
curve to try and determine candidate values for the x-coordinate given y, by solving the quadratic equation x^2:=alpha, where alpha:=(1-y^2)/(a-d*y^2).
If alpha is not a square in GF(q), this equation does not have a solution in GF(q) and the ordered pair (t, y) does not correspond to a point of this curve. Otherwise,
there are two solutions, viz. x=sqrt(alpha) and -x. If alpha is a nonzero element of GF(q), one can uniquely recover the x-coordinate for which par(x):=t and, thereby,
the affine point P:=(x, y). This is also the case if alpha=0 and t=0, in which case x=0 and the point P has order one or two. However, if alpha=0 and t=1, the ordered pair (t, y)
does not correspond to the outcome of the point compression function.
Note that the point compression function is defined for all points of the twisted Edwards curve E_{a,d} (subject to the Note in Appendix C.3). Here, the identity element O:=(0,1) is associated with the compressed point compr(O):=(0,1). (Note that this corresponds to the case alpha=0 and t=0 above.)
We extend the definition of the compression function further, to also include a special marker element 'btm', by associating this marker element with the ordered pair compr(btm):=(1,1) and recover this marker element accordingly. (Note that this corresponds to the case alpha=0 and t=1 above.) The marker element 'btm' can be represented by the ordered pair (1,1) of elements of GF(q). Note that this ordered pair does not satisfy the defining equation of the curve in question.
The string over some alphabet S consisting of the symbols x_{l-1}, x_{l-2}, ..., x_1, x_0 (each in S), in this order, is denoted by str(x_{l-1}, x_{l-2}, ..., x_1, x_0). The length of this string (over S) is the number of symbols it contains (here: l). The empty string is the (unique) string of length l=0.
The right-concatenation of two strings X and Y (defined over the same alphabet) is the string Z consisting of the symbols of X (in the same order) followed by the symbols of Y (in the same order). The length of the resulting string Z is the sum of the lengths of X and Y. This string operation is denoted by Z:=X||Y. The string X is called a prefix of Z; the string Y a postfix. The t-prefix of a string Z of length l is its unique prefix X of length t; the t-postfix its unique postfix Y of length t (where we define these notions as well if t is outside the interval [0,l]: a t-prefix or t-postfix is the empty string if t is negative and is the entire string Z if t is larger than l). Sometimes, a t-prefix of a string Z is denoted by trunc-left(Z,t); a t-postfix by trunc-right(Z,t). A string X is called a substring of Z if it is a prefix of some postfix of Z. The string resulting from prepending the string Y with X is the string X||Y.
An octet is an integer in the interval [0,256). An octet string is a string, where the alphabet is the set of all octets. A binary string (or bit string, for short) is a string, where the alphabet is the set {0,1}. Note that the length of a string is defined in terms of the underlying alphabet, as are the operations in the previous paragraph.
There is a 1-1 correspondence between bit strings of length l and the integers in the interval [0, 2^l), where the bit string X:=str(x_{l-1}, x_{l-2}, ..., x_1, x_0) corresponds to the integer x:=x_{l-1}*2^{l-1} + x_{l-2}*2^{l-2} + ... + x_1*2 + x_0*1. (If l=0, the empty bit string corresponds to the integer zero.) Note that while the mapping from bit strings to integers is uniquely defined, the inverse mapping from integers to bit strings is not, since any non-negative integer smaller than 2^t can be represented as a bit string of length at least t (due to leading zero coefficients in base 2 representation). The latter representation is called tight if the bit string representation has minimal length.
There is a 1-1 correspondence between octet strings of length l and the integers in the interval [0, 256^l), where the octet string X:=str(X_{l-1}, X_{l-2}, ..., X_1, X_0) corresponds to the integer x:=X_{l-1}*256^{l-1} + X^{l-2}*256^{l-2} + ... + X_1*256 + X_0*1. (If l=0, the empty string corresponds to the integer zero.) Note that while the mapping from octet strings to integers is uniquely defined, the inverse mapping from integers to octet strings is not, since any non-negative integer smaller than 256^t can be represented as an octet string of length at least t (due to leading zero coefficients in base 256 representation). The latter representation is called tight if the octet string representation has minimal length. This defines the mapping OS2I from octet strings to integers and the mapping I2OS(x,l) from non-negative integers smaller than 256^l to octet strings of length l.
There is a 1-1 correspondence between octet strings of length l and and bit strings of length 8*l, where the octet string X:=str(X_{l-1}, X_{l-2}, ..., X_1, X_0) corresponds to the right-concatenation of the 8-bit strings x_{l-1}, x_{l-2}, ..., x_1, x_0, where each octet X_i corresponds to the 8-bit string x_i according to the mapping of above. Note that the mapping from octet strings to bit strings is uniquely defined and so is the inverse mapping from bit strings to octet strings, if one prepends each bit string with the smallest number of 0 bits so as to result in a bit string of length divisible by eight (i.e., one uses pre-padding). This defines the mapping OS2BS from octet strings to bit strings and the corresponding mapping BS2OS from bit strings to octet strings.
There is a 1-1 correspondence between elements of a fixed finite field GF(q), where q=p^m and m>0, and vectors of length m, with coefficients in GF(p), where each element x of GF(q) is a vector (x_{m-1}, x_{m-2}, ..., x_1, x_0) according to the conventions of . In this case, this field element can be uniquely represented by the right-concatenation of the octet strings X_{m-1}, X_{m-2}, ..., X_1, X_0, where each octet string X_i corresponds to the integer x_i in the interval [0,p-1] according to the mapping of above. Note that both the mapping from field elements to octet strings and the inverse mapping are only uniquely defined if each octet string X_i has the same fixed size (e.g., the smallest integer l so that 256^l >= p) and if all integers are reduced modulo p. If so, the latter representation is called tight if l is minimal so that 256^l >= p. This defines the mapping FE2OS(x,l) from field elements to octet strings and the mapping OS2FE(X,l) from octet strings to field elements, where the underlying field is implicit and assumed to be known from context. In this case, the octet string has length l*m.
There is a 1-1 correspondence between elements of a fixed set Z(n) of integers modulo n and integers in the interval [0,n), where each element x can be uniquely represented by the octet string corresponding to the integer x modulo n according to the mapping of above. Note that both the mapping from elements of Z(n) to octet strings and the inverse mapping are only uniquely defined if the octet string has a fixed size (e.g., the smallest integer l so that 256^l >= n) and if all integers are reduced modulo n. If so, the latter representation is called tight if l is minimal so that 256^l >= n. This defines the mapping ZnE2OS(x,l) from elements of Z(n) to octet strings and the mapping OS2ZnE(X,l) from octet strings to elements of Z(n), where the underlying modulus n is implicit and assumed to be known from context. In this case, the octet string has length l.
Note that if n is a prime number p, the conversions ZnE2OS and FE2OS are consistent, as are OS2ZnE and OS2FE. This is, however, no longer the case if n is a strict prime power.
The conversion rules for composite n values are useful, e.g., when encoding the modulus n of RSA (or elements of any other non-prime set Z(n), for that matter).
One can consider various representation functions, depending on bit-ordering and octet-ordering conventions.
The description below makes use of an auxiliary function (the reversion function), which we define both for bit strings and octet strings. For a bit string [octet string] X:=str(x_{l-1}, x_{l-2}, ..., x_1, x_0), its reverse is the bit string [octet string] X':=rev(X):=str(x_0, x_1, ..., x_{l-2}, x_{l-1}).
We now describe representations in most-significant-bit first (msb) or least-significant-bit first (lsb) order and those in most-significant-byte first (MSB) or least-significant-byte first (LSB) order.
One distinguishes the following octet-string representations of integers and field elements:
MSB, msb: represent field elements and integers as above, yielding the octet string str(X_{l-1}, X_{l-2}, ..., X_1, X_0).
MSB, lsb: reverse the bit-order of each octet, viewed as 8-bit string, yielding the octet string str((rev(X_{l-1}), rev(X_{l-2}), ..., rev(X_1), rev(X_0)).
LSB, lsb: reverse the octet string and bit-order of each octet, yielding the octet string str(rev(X_{0}), rev(X_{1}), ..., rev(X_{l-2}), rev(X_{l-1})).
LSB, msb: reverse the octet string, yielding the octet string str(X_{0}, X_{1}, ..., X_{l-2}, X_{l-1}).

Thus, the 2-octet string "07e3" represents the integer 2019 (=0x07e3) in MSB/msb order, the integer 57,543 (0xe0c7) in MSB/lsb order, the integer 51,168 (0xc7e0) in LSB/lsb order, and the integer 58,119 (=0xe307) in LSB/msb order.
Note that, with the above data conversions, there is still some ambiguity as to how to represent an integer or a field element as a bit string or octet string (due to leading zeros). However, tight representations (as defined above) are non-ambiguous. (Note, in particular, that tightness implies that elements of GF(q) are always uniquely represented.)
Note that elements of a prime field GF(p), where p is a 255-bit prime number, have a tight representation as a 32-byte string, where a fixed bit position is always set to zero.
(This is the leftmost bit position of this octet string if one follows the MSB/msb representation conventions.) This allows the parity bit of a compressed point
(see ) to be encoded in this bit position and, thereby, allows a compressed point and a field element of GF(p) to be represented by an octet string of the same length. This is called the squeezed point representation. Obviously, other representations (e.g., those of elements of Z(n)) may also have fixed bit values on certain positions, which can be used to squeeze-in additional information. Further details are out of scope.
We present some examples of computations using the curves introduced in this document. In each case, we indicate the values of P, k*P, and (k+1)*P, where P is a fixed multiple
(here: 2019) of the base point of the curve in question and where the private key k is the integer
45467544759954639344191351164156560595299236761702065033670739677691372543056
(=0x6485b7e6 cd83e5c2 0d5dbfe4 f915494d 9cf5c65d 778c32c3 c08d5abd 15e29c50).

Pm=(u, v), k*Pm=(u1, v1), and (k+1)*Pm=(u2, v2) with Curve25519:
53025657538808013645618620393754461319535915376830819974982289332088255623750
(=0x753b7566 df35d574 4734142c 9abf931c ea290160 aa75853c 7f972467 b7f13246).
53327798092436462013048370302019946300826511459161905709144645521233690313086
(=0x75e676ce deee3b3c 12942357 22f1d884 ac06de07 330fb07b ae35ca26 df75417e).
42039618818474335439333192910143029294450651736166602435248528442691717668056
(=0x5cf194be f0bdd6d6 be58e18a 8f16740a ec25f4b0 67f7980a 23bb6468 88bb9cd8).
7698166198291735163093751722241272913088236885813432215648576219567913357634
(=0x110501f6 1dff511e d6c4e9b9 bfd5acbe 8bf043b8 c3e381dd f5771306 479ad142).
3417511648237788235544013775257365183827376081862455752464312610182464621878
(=0x078e3e38 41c3e0d0 373e5454 ecffae33 2798b10a 55c72117 62629f97 f1394d36).
43046985853631671610553834968785204191967171967937842531656254539962663994648
(=0x5f2bbb06 f7ec5953 2c2a1a62 21124585 1d2682e0 cc37307e fbc17f7f 7fda8518).

As suggested in , the v-coordinate of k*Pm can be indirectly computed from the u-coordinates of Pm, k*Pm, and (k+1)*Pm, and the v-coordinate of Pm, which allows computation of the entire point k*Pm (and not just its u-coordinate) if k*Pm is computed using the Montgomery ladder (as, e.g., recommends), since that algorithm computes both u1 and u2 and the v-coordinate of the point Pm may be available from context.
The representation of k and the compressed representations of Pm and k*Pm in tight LSB/msb-order are given by
0x509ce215 bd5a8dc0 c3328c77 5dc6f59c 4d4915f9 e4bf5d0d c2e583cd e6b78564
0x4632f1b7 6724977f 3c8575aa 600129ea 1c93bf9a 2c143447 74d535df 66753b75;
0xd89cbb88 6864bb23 0a98f767 b0f425ec 0a74168f 8ae158be d6d6bdf0 be94f15c,

where the leftmost bit of the rightmost octet indicates the parity of the v-coordinate of the point of Curve25519 in question (which, in this case, are both zero, since v and v1 are even). See and for further detail on (squeezed) point compression.
The scalar representation and (squeezed) point representation illustrated above are consistent with the representations specified in , except that in only an affine point's u-coordinate is represented (i.e., the v-coordinate of any point is always implicitly assumed to have an even value) and that the representation of the point at infinity is not specified. Another difference is that allows non-unique representations of some elements of GF(p), whereas our representation conventions do not (since tight).
A randomized representation (t1, t2) of the point k*Pm in tight LSB/msb order is given by
40953131790112268570753571592444539842650348318985471658437762538294289253464
(=0x5844b232 8c4586dc 62f593c5 599c2a8c e61ba893 bb052de6 77510a42 b3a68a5a)
45185609833288940742127800462815081444925990202338853392908848927625430980881
(=0x11598452 e65138dc ce948d7e d8f46a18 b640722c 8e170957 751b7729 1b26e663),

where this representation is defined in and uses the mapping of with the default square root function.
Pe=(x, y), k*Pe=(x1, y1), and (k+1)*Pe=(x2, y2) with Edwards25519:
25301662348702136092602268236183361085863932475593120475382959053365387223252
(=0x37f03bc0 1070ed12 d3218f8b ba1abb74 fd6b94eb 62033d09 83851e21 d6a460d4).
54434749145175762798550436656748568411099702168121592090608501578942019473360
(=0x7858f9e7 6774ed8e 23d614d2 36715fc7 56813b02 9aa13c18 960705c5 b3a30fd0).
42966967796585460733861724865699548279978730460766025087444502812416557284873
(=0x5efe7124 465b5bdb b364bb3e e4f106e2 18d59b36 48f4fe83 c11afc91 785d7e09).
46006463385134057167371782068441558951541960707376246310705917936352255317084
(=0x65b6bc49 985badaf bc5fdd96 fb189502 35d5effd 540b439d 60508827 80bc945c).
42629294840915692510487991904657367226900127896202625319538173473104931719808
(=0x5e3f536a 3be2364a 1fa775a3 5f8f65ae 93f4a89d 81a04a2e 87783748 00120a80).
29739282897206659585364020239089516293417836047563355347155817358737209129078
(=0x41bfd66e 64bdd801 c581a720 f48172a8 187445fa 350924a2 c92c791e 38d57876).

The representation of k and the compressed representations of Pe and k*Pe in tight LSB/lsb-order are given by
=0x0a3947a8 bd5ab103 c34c31ee ba63af39 b292a89f 27fdbab0 43a7c1b3 67eda126;
=0x0bf0c5cd a3a0e069 183c8559 40dc816a e3fa8e6c 4b286bc4 71b72ee6 e79f1a1e;
=0x3a293d01 e4110a06 b9c2d02a bff7abac 40a918df 69bbfa3d f5b5da19 923d6da7,

where the rightmost bit of the rightmost octet indicates the parity of the x-coordinate of the point of Edwards25519 in question (which, in this case, are zero and one, respectively, since x is even and x1 is odd). See and for further detail on (squeezed) point compression.
The scalar representation and (squeezed) point representation illustrated above are fully consistent with the representations specified in . Note that, contrary to , requires unique representations of all elements of GF(p).
A randomized representation (t1, t2) of the point k*Pe in tight LSB/lsb order is given by
57791301708316364194963421901719018217028877664872539593597750427519399254040
(=0x181a32c5 10e06dbc ea321882 f3519055 535e289e 8faac654 82e26f61 aded23fe)
45488140794091971842660857312537740168625506821062424588405479716220480287974
(=0x672e36c5 ae353073 cdfac343 e8297b05 1b010d0f 5b1016db dd4baf54 28068926),

where this representation is defined in and uses the mapping of with the default square root function and underlying isomorphic mapping between Edwards25519 and Curve25519 of .
Pw=(X, Y), k*Pw=(X1, Y1), and (k+1)*Pw=(X2, Y2) with Wei25519:
14428294459702615171094958724191825368445920488283965295163094662783879239338
(=0x1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa).
53327798092436462013048370302019946300826511459161905709144645521233690313086
(=0x75e676ce deee3b3c 12942357 22f1d884 ac06de07 330fb07b ae35ca26 df75417e).
3442255739368936964809531240580393343360656847619747755429333773387341283644
(=0x079c3f69 9b688181 69038c35 39c11eb5 96d09f5b 12a242b4 ce660f13 3368c13c).
7698166198291735163093751722241272913088236885813432215648576219567913357634
(=0x110501f6 1dff511e d6c4e9b9 bfd5acbe 8bf043b8 c3e381dd f5771306 479ad142).
22716193187790487472805844610038683159372373526135883092373909944834653057415
(=0x3238e8e2 ec6e8b7a e1e8feff 97aa58dd d2435bb5 0071cbc2 0d0d4a42 9be67187).
43046985853631671610553834968785204191967171967937842531656254539962663994648
(=0x5f2bbb06 f7ec5953 2c2a1a62 21124585 1d2682e0 cc37307e fbc17f7f 7fda8518).

The representation of k and the compressed representations of Pw and k*Pw in tight MSB/msb-order are given by
=0x6485b7e6 cd83e5c2 0d5dbfe4 f915494d 9cf5c65d 778c32c3 c08d5abd 15e29c50;
=0x1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa;
=0x079c3f69 9b688181 69038c35 39c11eb5 96d09f5b 12a242b4 ce660f13 3368c13c,

where the leftmost bit of the leftmost octet indicates the parity of the Y-coordinate of the point of Wei25519 in question (which, in this case, are both zero, since Y and Y1 are even). See and for further detail on (squeezed) point compression.
The scalar representation is consistent with the representations specified in ; the (squeezed) point representation illustrated above is "new". For completeness, we include a SEC1-consistent representation of the point Pw in affine format and in compressed format below.
The SEC1-compliant affine representation of the point Pw in tight MSB/msb-order is given by
=0x04 1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa
75e676ce deee3b3c 12942357 22f1d884 ac06de07 330fb07b ae35ca26 df75417e,

whereas the SEC1-compliant compressed representation of the point Pw in tight MSB/msb-order is given by
=0x02 1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa;

The SEC1-compliant uncompressed format aff(Pw) of an affine point Pw corresponds to the right-concatenation of its X- and Y-coordinates, each in tight MSB/msb-order, prepended by the string 0x04, where the reverse procedure is uniquely defined, since elements of GF(p) have a unique fixed-size representation. The (squeezed) compressed format repr(Pw) corresponds to the SEC1-compliant compressed format by extracting the parity bit t from the leftmost bit of the leftmost octet of repr(Pw), replacing the bit position by the value zero, and prepending the octet string with 0x02 or 0x03, depending on whether t=0 or t=1, respectively, where the reverse procedure is uniquely defined, since GF(p) is a 255-bit prime field. For further details, see .
A randomized representation (t1, t2) of the point k*Pw in tight MSB/msb order is given by
44636344598888973409344628048412210728305920624330795538884223152228795899590
(=0x62af4697 4dd469ac 96c64809 c16c8517 b6a0cee5 40ba0e2e 6dd2b36a fcc75ec6)
21389016661022861310579271070838596171221128174475621606111930888059603107561
(=0x2f49c121 8fed7912 031157ee ae066507 a972320b 6180e267 4025b006 2e67bee9),

where this representation is defined in and uses the mapping of with the default square root function.
Pw2=(X, Y), k*Pw2=(X1, Y1), and (k+1)*Pw2=(X2, Y2) with Wei25519.2:
17830493209951148331008014701079988862634531394137235438571836389227198459763
(=0x276bb396 d766b695 bfe60ab1 3c0260dd c09f5bcf 7b3ca47c f21c8672 d1ecaf73).
21064492012933896105338241940477778461866060481408222122979836206137075789640
(=0x2e921479 5ad47af7 784831de 572ed8e9 7e20e137 cc67378c 184ca19f f9136f48).
6547098895168646197978963236237775946468834215401735383493920379139281908968
(=0x0e7986d2 e94354ab 8abd8806 3154536a 4dcf8e6e 65557183 e242192d 3b87f4e8).
5148959049429218356253579057948003322904327153929727588881712522735262330110
(=0x0b623521 c1ff84bc 1522ff26 3376796d be77fcad 1fcabc28 98f1be85 d7576cfe).
837417885015172009428261536776821209988540865517516630613749353883494226693
(=0x01d9f633 b2ac2606 9e6e93f7 6917446c 2b27c16f 729121d7 709c0a58 00ef9b05).
42567334190622848157611574766896093933050043101247319937794684825168161540336
(=0x5e1c41e1 fb74e41b 3a19ce50 e1b2caf7 7cabcbb3 0c1c1474 a4fd13e6 6c4c08f0).

The representation of k and the compressed representations of Pw2 and k*Pw2 in tight MSB/msb-order are given by
=0x6485b7e6 cd83e5c2 0d5dbfe4 f915494d 9cf5c65d 778c32c3 c08d5abd 15e29c50;
=0x276bb396 d766b695 bfe60ab1 3c0260dd c09f5bcf 7b3ca47c f21c8672 d1ecaf73;
=0x0e7986d2 e94354ab 8abd8806 3154536a 4dcf8e6e 65557183 e242192d 3b87f4e8,

where the leftmost bit of the leftmost octet indicates the parity of the Y-coordinate of the point of Wei25519.2 in question (which, in this case, are both zero, since Y and Y1 are even). See Appendix and for further detail on (squeezed) point compression.
A randomized representation (t1, t2) of the point k*Pw2 in tight MSB/msb order is given by
41666967235492814867975859880366011240543115979327816187936189858804289581274
(=0x5c1eaaef 80f9d4af 33c119fc c99acd58 f81e7d69 999c7048 e4043a77 87a930da)
36111527116239160808309656017933739105961565127912319992118531180247832114098
(=0x4fd66668 e7174775 de44c852 92df8cfe b9832ef8 2570b3b8 fe5ec21a b2d4b3b2),

where this representation is defined in and uses the mapping of with the default square root function.
Pw3=(X, Y), k*Pw3=(X1, Y1), and (k+1)*Pw3=(X2, Y2) with Wei25519.-3:
14780197759513083469009623947734627174363231692126610860256057394455099634096
(=0x20ad4ba4 612f0586 221787b0 d01ba46c d1d8cd5a 0348ef00 eb4c9272 03ca71b0).
45596733430378470319805536538617129933663237960146030424392249401952949482817
(=0x64ced628 e982648e 4bfcf30c 71c4d267 ba48b0ce fee20062 b43ef4c9 73f7b541).
4736297997524455639629240075182827260088761254699753215873895892660745725532
(=0x0a78a650 a39995ef dcf4de88 940d4ce9 5b2ca35c c5d70e06 63b8455e 2e04e65c).
30318112837157047703426636957515037640997356617656007157255559136153389790354
(=0x64ced628 e982648e 4bfcf30c 71c4d267 ba48b0ce fee20062 b43ef4c9 73f7b541).
23778942085873786433506063022059853212880296499622328201295446580293591664363
(=0x3492677e 6ae9d1c3 e08f908b 61033f3d 4e8322c9 fba6da81 2c95b067 9b1486eb).
44846366394651736248316749170687053272682847823018287439056537991969511150494
(=0x632624d4 ab94c83a 796511c0 5f5412a3 876e56d2 ed18eca3 21b95bef 7bf9939e).

The representation of k and the compressed representations of Pw3 and k*Pw3 in tight MSB/msb-order are given by
=0x6485b7e6 cd83e5c2 0d5dbfe4 f915494d 9cf5c65d 778c32c3 c08d5abd 15e29c50;
=0xa0ad4ba4 612f0586 221787b0 d01ba46c d1d8cd5a 0348ef00 eb4c9272 03ca71b0;
=0x0a78a650 a39995ef dcf4de88 940d4ce9 5b2ca35c c5d70e06 63b8455e 2e04e65c,

where the leftmost bit of the leftmost octet indicates the parity of the Y-coordinate of the point of Wei25519.-3 in question (which, in this case, are one and zero, respectively, since Y is odd and Y1 is even). See and for further detail on (squeezed) point compression.
A randomized representation (t1, t2) of the point k*Pw3 in tight MSB/msb order is given by
57371493761359660152568068464215566709721747496481624688988981227297409008259
(=0x7ed71d5f 566d2259 99bdb404 bfb9d6cf d2e86ccb 1894d4a6 c75e3c69 e5eb0283)
26994578132458018981514201566389293572241945386392728723557891665397640090729
(=0x3bae63c8 70f60de0 c2e35f94 d24220f1 bb6efd00 37625869 f84923de ff4c5469),

where this representation is defined in and uses the mapping of with the default square root function.
Square roots are easy to compute in GF(q) if q = 3 (mod 4) (see ) or if q = 5 (mod 8) (see ). Details on how to compute square roots for other values of q are out of scope. If square roots are easy to compute in GF(q), then so are these in GF(q^2).
If y is a nonzero element of GF(q) and z:= y^{(q-3)/4}, then y is a square in GF(q) only if y*z^2=1. If y*z^2=1, z is a square root of 1/y and y*z is a
square root of y in GF(q).
If y is a nonzero element of GF(q) and z:=y^{z-5)/8}, then y is a square in GF(q) only if y^2*z^4=1.
If y*z^2=+1, z is a square root of 1/y and y*z is a square root of y in GF(q);
If y*z^2=-1, i*z is a square root of 1/y and i*y*z is a square root of y.

Here, i is an element of GF(q) for which i^2=-1 (e.g., i:=2^{(q-1)/4}). This field element can be precomputed.
If y is an integer and gcd(y,n)=1, one can efficiently compute 1/y (mod n) via the extended Euclidean Algorithm (see Section 2.2.5 of ). One can use this algorithm as well to compute the inverse of a nonzero element y of a prime field GF(p), since gcd(y,p)=1.
The inverse of a nonzero element y of GF(q) can be computed as
1/y:=y^{q-2} (since y^{q-1}=1).

Further details are out of scope. If inverses are easy to compute in GF(q), then so are these in GF(q^2).
The inverses of two nonzero elements y1 and y2 of GF(q) can be computed by first computing the inverse z of y1*y2 and by subsequently computing y2*z=:1/y1 and y1*z=:1/y2.
One can map elements of GF(q) that are not a square in GF(q) to points of a Weierstrass curve (see ), to points of a Montgomery curve (see
), or to points of a twisted Edwards curve (see ), under some mild conditions on the domain parameters. Full details on mappings that apply if these conditions are not satisfied are out of scope.
The description below assumes that the domain parameters a and b of the Weierstrass curve W_{a,b} are nonzero. For ease of exposition, we define f(z):=z^3+a*z+b. (Note that for an affine point (X,Y) of W_{a,b} one has Y^2=f(X).)
If t is an element of GF(q) that is not a square in GF(q) and that is unequal to -1, then the element X:=(-b/a)*(1+1/(t+t^2)) is the unique solution of the equation f(t*X)=t^3*f(X) and is nonzero. Consequently, either X or X':=t*X is the x-coordinate of an affine point of W{a,b}, depending on whether f(X) is a square in GF(q).
If f(X) is a square in GF(q) and Y:=sqrt(f(X)), then t is mapped to the point P(t):=(X, Y);
If f(X) is not a square in GF(q) and Y':=sqrt(f(X')), then t is mapped to the point P(t):=(X', -Y').

Formally, this mapping is not properly defined, since a nonzero square y:=x^2 in GF(q) has two solutions, viz. x and -x; it is properly defined, however, if one designates for each element in GF(q) that is a square in GF(q) precisely one square root as "the" square root of this element. Note that always picking the square root with zero parity
(see ) satisfies this condition (henceforth called the default square root function).
If -1 is not a square in GF(q), this element is mapped to the point at infinity O of W_{a,b}.
The set of points of W_{a,b} that arises this way has size roughly 3/8 of the order of the curve and each such point arises as image of one or two t values. Further details are out of scope.
NOTE 1: If -1 is not a square in GF(q), the mapping above yields the point at infinity for t=-1. One can modify this mapping to always yield an affine point, by mapping the element -1 to, e.g., the base point G of W_{a,b} and leaving the remainder of the mapping the same. Suitability of such a modification is application-specific. Details are out of scope.
NOTE 2: The description above assumes that the domain parameters a and b of the Weierstrass curve are nonzero. If this is not the case, one can often find an isogenous curve W_{a',b'} for which the domain parameters a' and b' are nonzero. If so, one can map elements of GF(q) that are not a square in GF(q) to points of W_{a,b} via function composition, where one uses the mapping above to arrive at a point of W_{a',b'} and where one subsequently uses the dual isogeny from W_{a',b'} to W_{a,b} to arrive at a point of W_{a,b}. As an example, one can show that if a is zero and -4*b is a cube in GF(q) (such as is the case with, e.g., the "BitCoin" curve secp256k1 ), this curve is 3-isogenous to a curve with this property and the strategy above applies (for an example with secp256k1, see ). Further details are out of scope.
The description below assumes that the domain parameter A of the Montgomery curve M_{A,B} is nonzero. For ease of exposition, we define f(z):=z^3+A*z^2+z. (Note that for an affine point (u,v) of M_{A,B} one has B*v^2=f(u).)
If t is an element of GF(q) that is not a square in GF(q) and that is unequal to -1, then the element u:=-(1+1/t)/A is the unique nonzero solution of the equation f(t*u)=t^3*f(u). Consequently, either u or u':=t*u is the u-coordinate of an affine point of M{A,B}, depending on whether f(u)/B is a square in GF(q).
If f(u)/B is a square in GF(q) and v:=sqrt(f(u)/B), then t is mapped to the point P(t):=(u, v);
If f(u)/B is a not a square in GF(q) and v':=sqrt(f(u')/B), then t is mapped to the point P(t):=(u', -v').

As before, formally, this mapping is not properly defined, since a nonzero square y:=x^2 in GF(q) has two solutions, viz. x and -x; it is properly defined, however, if one designates for each element in GF(q) that is a square in GF(q) precisely one square root as "the" square root of this element. Note that always picking the square root with zero parity (see ) satisfies this condition (henceforth called the default square root function).
If -1 is not a square in GF(q), this element is mapped to the point at infinity O of M_{A,B}.
The set of points of M_{A,B} that arises this way has size roughly 1/2 of the order of the curve and each such point arises as image of precisely one t value. Further details are out of scope.
NOTE 1: If -1 is not a square in GF(q), the mapping above yields the point at infinity for t=-1. One can modify this mapping to always yield an affine point, by mapping the element -1 to, e.g., the base point G of M_{A,B} and leaving the remainder of the mapping the same. Suitability of such a modification is application-specific. Details are out of scope.
NOTE 2: The description above assumes that the domain parameter A of the Montgomery curve is nonzero. If this is not the case, the curve is a Weierstrass curve for which the domain parameter b is zero and Note 2 of applies. If q = 3 (mod 4), an even simpler approach is possible, where one modifies the construction above and simply takes u:=t and u':=-t (which works, since -1 is not a square in GF(q) and f(-t)=-f(t)). In this case, this construction can be extended to all elements t of GF(q) and, if so, yields a 1-1 mapping between GF(q) and all affine curve points.
One can map elements of GF(q) that are not a square in GF(q) to points of the twisted Edwards curve E_{a,d} via function composition, where one uses the mapping of
to arrive at a point of the Weierstrass curve W_{a,b} and where one subsequently uses the isomorphic mapping between twisted Edwards curves and Weierstrass curves of to arrive at a point of E_{a,d}. Another mapping is obtained by function composition, where one instead uses the mapping of
to arrive at a point of the Montgomery curve M_{A,B} and where one subsequently uses the isomorphic mapping between twisted Edwards curves and Montgomery curves of to arrive at a point of E_{a,d}. Obviously, one can use function composition (now using the respective pre-images - if these exist) to realize the pre-images of either mapping.
The mappings of , , and allow one to represent a curve point Q as a specific element of GF(q), provided this point arises as a point in the range of the mapping at hand. For Montgomery curves and twisted Edwards curves, this covers roughly half of the curve points; for Weierstrass curves, roughly 3/8 of the curve points. One can extend the mappings above, by mapping a pair (t1, t2) of inputs to the point Q:=P2(t1, t2):=P(t1) + P(t2). In this case, each curve point has roughly q/4 representations as an ordered pair (t1, t2) on average. In fact, one can show that if the input pairs are generated uniformly at random, then the corresponding curve points follow a distribution that is also (statistically indistinguishable from) a uniform distribution, and vice-versa. Here, each pair (t1, t2) deterministically yields a curve point, whereas for each curve point Q, a randomized algorithm yields an ordered pair (t1, t2) of pre-images of Q, where the expected number of randomized pre-images one has to try is small (four if one uses the mapping of ; two if one uses the mapping of ). For further details, see Algorithm 1 of .
The elliptic curve secp256k1 is the Weierstrass curve W_{a,b} defined over the prime field GF(p), with p:=2^256-2^32-2^9-2^8-2^7-2^6-2^4-1, where a:=0 and b:=7.
This curve has order h*n, where h=1 and where n is a prime number. For this curve, domain parameter a is zero, whereas b is not. The quadratic twist of this curve has
order h1*n1, where h1 is a 37-bit integer and where n1 is a prime number. For this curve, the base point is the point (GX, GY).
The curve secp256k1 is 3-isogenous to the Weierstrass curve secp256k1.m defined over GF(p), which has nonzero domain parameters a and b and has as base point
the pair (GmX,GmY), where parameters are as specified in and where the related mappings are as specified in
.
Each affine point (X,Y) of secp256k1 corresponds to the point (X',Y'):=(u(X)/w(X)^2,Y*v(X)/w(X)^3) of secp256k1.m, where u, v, and w are the polynomials with
coefficients in GF(p) as defined in , while the point at infinity of secp256k1 corresponds to the point at infinity of secp256k1.m.
Under this isogenous mapping, the base point (GX,GY) of secp256k1 corresponds to the base point (GmX,GmY) of secp256k1.m. The dual isogeny maps the affine point (X',Y')
of secp256k1.m to the affine point (X,Y):=(u'(X')/w'(X')^2,Y'*v'(X')/w'(X')^3) of secp256k1, where u', v', and w' are the polynomials with coefficients in GF(p) as
defined in , while mapping the point at infinity O of secp256k1.m to the point at infinity O of secp256k1.
Under this dual isogenous mapping, the base point (GmX, GmY) of secp256k1.m corresponds to a multiple of the base point (GX, GY) of secp256k1, where this multiple is l=3
(the degree of the isogeny; see the description in ).
Note that this isogenous map (and its dual) primarily involves the evaluation of three fixed polynomials involving the x-coordinate, which takes roughly 10 modular
multiplications (or less than 1% relative incremental cost compared to the cost of an elliptic curve scalar multiplication).
The parameters of the curve sec256k1 and the corresponding 3-isogenous curve sec256k1.m are as indicated below. Here, the domain parameters of the curve secp256k1
are as specified in ; the domain parameters of secp256k1.m are "new".
General parameters (for all curves):
2^256-2^32-2^9-2^8-2^7-2^6-2^4-1
(=0xffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe fffffc2f)
1
115792089237316195423570985008687907852837564279074904382605163141518161494337
(=0xffffffff ffffffff ffffffff fffffffe baaedce6 af48a03b bfd25e8c d0364141)
23479460174521 (=0x1a 9bfcab89)
1013176677300131846900870239606035638738100997248092069256697437031
(=0x099ee564 ea5d84f5 08913936 a761b0d5 d792a426 a7779817 ae2f5b67)

Weierstrass curve-specific parameters (for secp256k1):
0 (=0x00)
7 (=0x07)
55066263022277343669578718895168534326250603453777594175500187360389116729240
(=0x79be667e f9dcbbac 55a06295 ce870b07 029bfcdb 2dce28d9 59f2815b 16f81798)
32670510020758816978083085130507043184471273380659243275938904335757337482424
(=0x483ada77 26a3c465 5da4fbfc 0e1108a8 fd17b448 a6855419 9c47d08f fb10d4b8)

Weierstrass curve-specific parameters (for secp256k1.m):
93991599167772749909245591943117186381494883464374162770646538702960816911535
(=0xcfcd5c21 75e2ef7d ccdce737 770b7381 5a2f13c5 09035ca2 54a14ac9 f08974af)
1771 (=0x06eb)
26591621185618668069038227574782692264471832498547635565821216767730887659845
(=0x3aca5300 959fa1d0 baf78dcf f77a616f 395e586d 67aced0a 88798129 0c279145)
67622516283223102233819216063319565850973524550533340939716651159860372686848
(=0x9580fce5 3a170f4f b744579f f3d62086 12cd6a23 3e2de237 f976c6a7 8611c800)

The isogeny and dual isogeny are both isogenies with degree l=3. Both are specified by a triple of polynomials u, v, and w (resp. u', v', and w') of degree 3, 3,
and 1, respectively, with coefficients in GF(p). The coeffients of each of these polynomials are specified in (for the isogeny)
and in (for the dual isogeny). For each polynomial in variable x, the coefficients are tabulated as sequence of coefficients
of x^0, x^1, x^2, ..., in hexadecimal format.
0x54
0xa4d89db3ed06c81e6143ec2eca9f761d8d17260dc229e1da1f73f714506872a9
0xcc58ffccbd9febb4a66222c7d1311d988d88c0624bcd68ec4c758a8e67dfd99b
0x01

0x1c
0x94c7bc69befd17f2fae2e3ebf24df1f355d181fa1a8056103ba9baad4b40f029
0xb2857fb31c6fe18ef993342bb9c9ac64d44d209371b41d6272b04fd61bcfc851
0x01

0xe62c7fe65ecff5da53311163e8988ecc46c4603125e6b476263ac546b3efeae5
0x01

0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7
0x44cd5cd7ce55a801725891578fbe7356bd936355fd0e2f538797cecff7a37244
0x668d0011162006c3c889f4680f9a4b77d0d26a89e6bb87b13bd8d1cfdd600a41
0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c

0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c
0x519ba9c1f48f68054def6a410f0fa6e8b71c6c3b4a8958324681f6508c01fada
0xb34680088b100361e444fa3407cd25bbe8693544f35dc3d89dec68e76eb00338
0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84

0x4d7a804ce3901e71066ccbd44636539b2bb2df6c8e4be29d8d4fb028e43033de
0x01