Complete Addition Law for Montgomery Curves

Abstract

Montgomery curves allow efficient and side-channel resistant computation of ECDH using the Montgomery ladder. But the addition law of a Montgomery curve derived from the chord-tangent method is less efficient than other curve models such as a short Weierstrass curve and an Edwards curve. So, the usage of a Montgomery curve is strictly limited to ECDH only, such as \(\mathsf {X25519}\) and \(\mathsf {X448}\) functions in IETF RFC 7748. For other operations including fixed-base and multiple scalar multiplications, their birationally-equivalent (twisted) Edwards curves are recommended for use since the conversions between Montgomery curves and their Edwards equivalents are simple. This conversion enables the use of the efficient complete addition law of the Edwards curve that works for all pairs of input points with no exceptional cases. As a result, the combination allows secure and exception-free implementations, but at the expense of additional storage for the two curve parameters and for the conversion between them. However, smart devices in IoT environments that mainly operate ECDH (for example, RawPublicKey mode of IETF RFC 7250) do not need to implement such a conversion if a complete addition law does exist for the Montgomery curves.