CONNECTING LEGENDRE WITH KUMMER AND EDWARDS

Scalar multiplication on suitable Legendre form elliptic curves can be sped up in two ways. One can perform the bulk of the computation either on the associated Kummer line or on an appropriate twisted Edwards form elliptic curve. This paper provides details of moving back and forth between Legendre form elliptic curves and the associated Kummer lines, and between Legendre form elliptic curves and related twisted Edwards form elliptic curves. Further, concrete twisted Edwards form elliptic curves are identified which correspond to known Kummer lines at the 128-bit security level which provide very fast scalar multiplication on modern architectures supporting SIMD operations.


Introduction
Scalar multiplication over an elliptic curve is a basic operation for implementation of basic public key functionalities including Diffie-Hellman key exchange and digital signature schemes. Consequently, secure and efficient algorithms for scalar multiplication are of paramount importance in practical deployment of such schemes. Depending on the target functionality, it is required to consider various cases of scalar multiplication, namely fixed base scalar multiplication, variable base scalar multiplication and multi-scalar multiplication. Diffie-Hellman key exchange has two phases, the first phase consists of computation of the public key and can utilise a fixed base scalar multiplication whereas the second phase consists of shared secret computation and requires a variable base scalar multiplication. On the other hand, signature generation requires a fixed base scalar multiplication while signature verification requires multi-scalar multiplication.
Our contributions: Gaudry and Lubicz [12] had proposed the use of Kummer line for scalar multiplication. This idea has been developed in [17] where all the relevant details were worked out. The work [17] also proposed several concrete Kummer lines targeted at the 128-bit security level and provided implementations of these on modern Intel platforms supporting single instruction multiple data (SIMD) operations. For such platforms, the obtained timing results indicate that for genus one curve over large characteristic fields, Kummer lines provide the fastest scalar multiplication algorithm. In particular, the obtained timings are better than the best known implementation of the widely deployed Curve25519. This result is relevant mainly for variable base scalar multiplication. For fixed base scalar multiplication, it is possible to improve the timings by working over suitable twisted Edwards curves. The present work makes the following contributions.
Connecting Legendre to Kummer: A Kummer line is not a group. In fact, a Kummer line is associated with a Legendre form elliptic curve. A scalar multiplication on the Kummer line does not require the y-coordinate of the Legendre curve point. For shared secret computation in Diffie-Hellman computation, it is sufficient to consider only variable base scalar multiplication on the Kummer line. More generally, one may be interested in performing a full scalar multiplication on the Legendre form curve. This requires a method for recovering the y-coordinate of the result from the Kummer line computation. The first contribution of the present paper is to provide a detailed explicit formula for doing this. The earlier work [17] had briefly sketched the method, but, the details provided in the present work were not given in [17].
Connecting Legendre to Edwards: As mentioned above, fixed base scalar multiplication can benefit from the use of suitable twisted Edwards form curve.
The fastest known scalar multiplication formula is for special types of twisted Edwards form curves [14]. Our second and main contribution is to provide three conversion methods from Legendre form curves to appropriate twisted Edwards form curves. Two of the conversion methods are birational equivalences while the third one is a 2-isogeny. Each method is built by composing several individual mappings. All of the individual mappings have appeared earlier in the literature. Our contribution is to put together these mappings in an appropriate manner and to supply details which have not been provided in earlier works. We go beyond the task of just providing the mappings and propose concrete twisted Edwards form curves corresponding to the concrete Kummer lines introduced in [17].
The net effect of the present work is to obtain a set of concrete Legendre form curves and associated Kummer lines and twisted Edwards form curves. Scalar multiplication on the Legendre form curves can be done by moving to either the associated Kummer line or to the associated twisted Edwards form curve. The complete details for moving back and forth between the Legendre form curves and the associated Kummer lines, and between the Legendre form curves and the corresponding twisted Edwards form curves, are provided. Depending on the requirement, one may choose to perform scalar multiplication on the Legendre form curve via the Kummer line or via the twisted Edwards form curve. For certain applications, it may also be sufficient to work only on the Kummer line or only on the twisted Edwards form curve.
We briefly mention how Diffie-Hellman key agreement can benefit from the maps and the conversions provided in this work. The key generation phase can utilise fixed base scalar multiplication. So, this phase is performed on the twisted Edwards form curve. The resulting point is mapped from twisted Edwards form curve to the corresponding Kummer line via the Legendre form curve and the x-coordinate of the point on the Kummer line is sent. The shared secret computation using only the x-coordinates requires variable base scalar multiplication and is carried out on the Kummer line. The shared secret is a point on the Kummer line and it is not required to move back from the Kummer line to the Legendre form curve. In the context of genus 2, this procedure has been mentioned in Section 7.1 of [13].
Work on the paper has involved the writing of code in Magma and SAGE. The relevant scripts are available from [16].
Previous and related works: Elliptic curve cryptography (ECC) was introduced independently by Koblitz [18] and Miller [19]. Over the years, ECC has become the method of choice for compact and efficient implementation of various public key operations. Montgomery [20] introduced the so-called Montgomery form of elliptic curves which provided a method for very fast x-coordinate only scalar multiplication. The famous Curve25519 proposed by Bernstein [2] is based on the Montgomery form elliptic curve. Bernstein and Lange [4] proposed the use of Edwards form curve [9] in cryptography. A later work [5] introduced the twisted Edwards form curve. The fastest known scalar multiplication algorithm for certain types of twisted Edwards form curves was proposed by Hisil et al. [14]. Gaudry [11] proposed the use of Kummer surfaces for speeding up scalar multiplication and a later work by Gaudry and Lubicz [12] suggested the use of Kummer lines. As mentioned earlier, this idea was fully developed in [17] where concrete Kummer lines were suggested and implementation and timing results were reported.

Kummer line and elliptic curves
A brief background on Kummer lines and the relevant forms of elliptic curves are provided in this section.
2.1. Kummer line. Let $\mathbb{C}$ be the field of complex numbers. Kummer lines are defined using theta functions over $\mathbb{C}$. On the other hand, for cryptographic purposes, we will work over a prime field of large characteristic. The derivations that are used have a good reduction [12] which makes it possible to use the Lefschetz principle [1,10] to carry over the identities which hold over the complex numbers to those over a large characteristic field.
Let $\vartheta_1$, $\vartheta_2$, $\Theta_1$ and $\Theta_2$ be functions from $\mathbb{C}$ to $\mathbb{C}$ satisfying the following identities.
For the concrete definition of the theta functions in genus one and the proofs of the above identities, we refer to [17]. For the general theory covering higher genus we refer to [21,15] and to [11,12] for proposing cryptographic applications of theta functions.
Putting $w_1 = w_2 = w$ in (1) and (2), we obtain
Putting $w = 0$ in (3), we obtain
Table 1. Double and differential addition in the square-only setting.
With respect to the above defined doubling and differential addition, the point $[a^2 : b^2]$ acts as the identity element while the point $[b^2 : a^2]$ has order two. Given $P = [x_1^2 : z_1^2]$ on $K_{a^2,b^2}$ and a positive integer $n$, Algorithm scalarMult in Table 2 returns $(R, S)$, where $R = nP = [x_n^2 : z_n^2]$ and $S = (n + 1)P = [x_{n+1}^2 : z_{n+1}^2]$. Since both doubling and differential addition work with only squared quantities, this is referred to as the square only setting.
Let $p$ be a prime not equal to 2 and $\mathbb{F}_p$ be the finite field of $p$ elements. As mentioned earlier, using the Lefschetz principle, we consider Kummer lines over $\mathbb{F}_p$. Also, $\mathbb{F}_p$ will be the underlying field for all the elliptic curves defined in the rest of the work.

Remarks.
1. Consider the Kummer line $K_{a^2,b^2}$ over $\mathbb{C}$.  2 3 ]. Note that it is not necessarily true that there is a $w \in \mathbb{C}$ such that $P_1$ = [x 2 1 : . So, $P_3$ is not really the double of $P_1$ and instead it is more accurate to write [x 3 : On the other hand, since only the squares are involved, we write $P_3 = 2P_1$ to implicitly denote $[x_3 : z_3] = 2[x_1 : z_1]$. Similar considerations hold for the sum of two points.
2. Since only the squares of components of the points of $K_{a^2,b^2}$ appear in the formulas for doubling and pseudo-addition, one may write these formulas in terms of $x_1$, $z_1$, $x_2$, $z_2$, $x_3$, $z_3$, $a$, $b$, $A$ and $B$ assuming that these quantities themselves are squares. This will make the formulas look simpler. On the other hand, we find this to be a bit confusing since then the relation to the actual doubling and pseudo-addition on $K_{a^2,b^2}$ gets blurred. So, we have chosen to retain the formulas with the "squared" notation. Ultimately, this does not affect the implementation efficiency.
3. Considered over $\mathbb{F}_p$, the parameters $a^2$ and $b^2$ in the definition of the Kummer line $K_{a^2,b^2}$ are in $\mathbb{F}_p$. It is not necessary, however, that $a$ and $b$ are also in $\mathbb{F}_p$. Similarly, for a point $P = [x^2 : z^2]$, the quantities $x^2$ and $z^2$ are in $\mathbb{F}_p$ though $x$ and $z$ may not be in $\mathbb{F}_p$.

2.2. Legendre form elliptic curve. The Legendre form elliptic curve $E_{L,\mu}$ in affine coordinates $(x, y)$ is given by an equation with $\mu \in \mathbb{F}_p \setminus \{0\}$. For $Z \neq 0$, the point $(X : Y : Z)$ in projective coordinates represents the affine point $(X/Z, Y/Z)$. In projective coordinates, the curve has the form $E_{L,\mu} : Y^2 Z = X(X - Z)(X - \mu Z)$. To avoid introducing additional notation, we will use $E_{L,\mu}$ to denote both the affine and the projective forms of the curve. The intended form will be clear from the context. The curve $E_{L,\mu}$ has three points of order two, namely, $(0 : 0 : 1)$, $(1 : 0 : 1)$ and $(\mu : 0 : 1)$. Let $T = (\mu : 0 : 1)$.
Let $K_{a^2,b^2}$ be a Kummer line such that Let $\sigma : E_{L,\mu} \to E_{L,\mu}$ be the automorphism which maps a point of $E_{L,\mu}$ to its inverse, i.e., for (X : } → $E_{L,\mu}/\sigma$ has been given in [12].
The map $\psi$ by itself does not preserve the consistency of doubling and differential addition between $E_{L,\mu}$ and $K_{a^2,b^2}$. Instead, the map $\psi$ needs to be extended to obtain a map $\psi$ : $\psi^{-1}(P) = \psi^{-1}(P + T)$.
The map $\psi$ preserves the consistency of doubling and addition between $E_{L,\mu}$ and $K_{a^2,b^2}$. We refer to [17] for details. Further, it can be argued [12,17] that the discrete logarithm problem in $E_{L,\mu}$ and $K_{a^2,b^2}$ are equally hard.
2.3. Concrete choices of Kummer lines. For cryptographic purposes, we work over a large characteristic field. As mentioned earlier, since all the identities have good reductions, using the Lefschetz principle, the identities also hold over such finite fields. Further, since the characteristic $p$ of the field will be large and we will choose small values of $a^2$ and $b^2$, $a^4 - b^4$ will not be zero modulo $p$ so that $\mu$ is also defined over $\mathbb{F}_p$.
We consider the following concrete Kummer lines. The work [17] proposed $KL_{1a}$, $KL_2$ and $KL_3$. We additionally consider $KL_{1b}$. The efficiency of scalar multiplication on $KL_{1b}$ is the same as that of $KL_{1a}$. On the other hand, for conversion to twisted Edwards form, $KL_{1b}$ provides a few more options which are not obtained from either $KL_{1a}$, $KL_2$ or $KL_3$.
By $E_{1a}$, $E_{1b}$, $E_2$ and $E_3$ we will denote the group of $\mathbb{F}_p$-rational points of the Legendre form elliptic curves corresponding to $KL_{1a}$, $KL_{1b}$, $KL_2$ and $KL_3$ respectively.
All of the proposals provide security at about the 128-bit level. The relevant properties of these proposals are shown in Table 3. Comparison to other well known proposals are given in [17]. In Table 3, and T are the orders of the largest prime subgroups of the curves and their quadratic twists; $h$ and $h_t$ are the co-factors of the curves and their quadratic twists; and $D$ is the complex multiplication field discriminant [3].
Table 3. Some properties of the group of $\mathbb{F}_p$-rational points of the Legendre form elliptic curves $E_{1a}$, $E_{1b}$, $E_2$ and $E_3$.
The extended affine coordinates [14] $(u, v, t)$ are obtained by introducing an auxiliary coordinate $t = uv$. The extended twisted Edwards coordinates [14] form a projective coordinate system $(U : V : T : W)$ with $W \neq 0$, which corresponds to the extended affine coordinates $(U/W, V/W, T/W)$. The identity element is represented as $(0 : 1 : 0 : 1)$ and the inverse of $(U, V, T, W)$ is $(-U : V : -T : W)$.
The curve with $a = -1$, i.e., $E_{E,-1,d}$, currently has the fastest addition algorithm in the extended twisted Edwards coordinates. So, it is of interest to be able to move from $E_{E,a,d}$ to $E_{E,-1,d}$. Based on the discussion in Section 2 of [5], we have the following two options.
Suppose the Legendre symbols $\left(\frac{a}{p}\right)$ and $\left(\frac{-1}{p}\right)$ are equal. Then $a$ can be written is an isomorphism over $\mathbb{F}_p$ from $E_{E,a,d}$ : is a birational equivalence over $\mathbb{F}_p$ from $E_{E,a,d} : a\hat{u}^2 + \hat{v}^2 = 1 + d\hat{u}^2\hat{v}^2$ to $E_{E,d,a} : du^2 + v^2 = 1 + au^2v^2$ having the exceptional point $\hat{v} = 0$. One can then apply the map in (14) to
On the other hand, if $d \neq -1$, then $v^2 = 1$ corresponds to the two points $(0, 1)$ (the identity) and $(0, -1)$ (having order 2). In our applications, $d \neq -1$. So, given the value of $v$ and the sign of $u$, it is possible to uniquely determine $u$. Following [6], this allows compressing the point $(u, v)$ to $(\mathrm{sgn}(u), v)$ which is useful for applications to Edwards curve based signature verification.
2.5. Montgomery form elliptic curve. The Montgomery form elliptic curve $E_{M,A,B}$ in affine coordinates $(r, s)$ is given by an equation We will encounter Montgomery form elliptic curves while transiting from Legendre form curves to Edwards form curves. There will be no occasion to use projective coordinates of the Montgomery form and hence we do not introduce it here.
The connection between Montgomery and twisted Edwards form that we will use is given by Theorem 3.2 of [5]. The Montgomery curve $E_{M,A,B} : Bs^2 = r^3 + Ar^2 + r$ is birationally equivalent to the twisted Edwards curve $E_{E,a,d} : au^2 + v^2 = 1 + du^2v^2$ with $a = (A + 2)/B$ and $d = (A - 2)/B$ and is given by the map
$$(r, s) \mapsto (u, v) = (r/s,\ (r - 1)/(r + 1)). \tag{17}$$
The exceptional points are given by $s = 0$ and $r = -1$.
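The map (17) and the earlier remark on compressing $(u, v)$ to $(\mathrm{sgn}(u), v)$ can be checked exhaustively over a toy field. The following is an added example, not code from the paper or from the scripts of [16]; the prime 1019, the coefficients A = 7 and B = 3, the use of the parity of u as its sign, the inverse map and all function names are assumptions made for this illustration.

```python
# Added example: toy parameters constructed for illustration, far too small to be secure.
P = 1019                      # prime with P % 4 == 3, so a square root is one pow()
A, B = 7, 3                   # Montgomery coefficients with A != +-2 and B != 0


def inv(x):
    """Inverse in F_P; raises ValueError on zero."""
    return pow(x % P, -1, P)


EA = (A + 2) * inv(B) % P     # twisted Edwards a = (A + 2)/B
ED = (A - 2) * inv(B) % P     # twisted Edwards d = (A - 2)/B


def montgomery_points():
    """All affine points (r, s) with B*s^2 = r^3 + A*r^2 + r over F_P."""
    roots = {}
    for s in range(P):
        roots.setdefault(B * s * s % P, []).append(s)
    return [(r, s) for r in range(P)
            for s in roots.get((r ** 3 + A * r * r + r) % P, [])]


def to_edwards(r, s):
    """Map (17); None at the exceptional points s = 0 and r = -1."""
    if s == 0 or (r + 1) % P == 0:
        return None
    return (r * inv(s) % P, (r - 1) * inv(r + 1) % P)


def to_montgomery(u, v):
    """Inverse of (17): r = (1 + v)/(1 - v), s = r/u; None if u = 0 or v = 1."""
    if u == 0 or v == 1:
        return None
    r = (1 + v) * inv(1 - v) % P
    return (r, r * inv(u) % P)


def on_edwards(u, v):
    """True when a*u^2 + v^2 = 1 + d*u^2*v^2 holds in F_P."""
    return (EA * u * u + v * v - 1 - ED * u * u * v * v) % P == 0


def compress(u, v):
    """(sgn(u), v), taking the parity of u as its sign (assumed convention)."""
    return (u & 1, v)


def decompress(sign, v):
    """Solve u^2 = (1 - v^2)/(a - d*v^2) and pick the root with the given sign."""
    den = (EA - ED * v * v) % P
    if den == 0:
        return None
    u2 = (1 - v * v) * inv(den) % P
    u = pow(u2, (P + 1) // 4, P)
    if u * u % P != u2:            # u2 is a non-square: v is not on the curve
        return None
    if u == 0:
        return (0, v) if sign == 0 else None
    return (u if u & 1 == sign else P - u, v)


def check_all():
    """Push every affine Montgomery point through (17), back, and through compression."""
    stats = {"mapped": 0, "exceptional": 0, "on_curve": True,
             "round_trip": True, "decompress": True}
    for r, s in montgomery_points():
        e = to_edwards(r, s)
        if e is None:
            stats["exceptional"] += 1
            continue
        stats["mapped"] += 1
        stats["on_curve"] &= on_edwards(*e)
        stats["round_trip"] &= to_montgomery(*e) == (r, s)
        stats["decompress"] &= decompress(*compress(*e)) == e
    return stats


if __name__ == "__main__":
    print(check_all())
```

The only affine points that fail to map are those with $s = 0$ or $r = -1$, which is why `check_all` counts them separately instead of treating them as errors.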

2.6. Weierstrass form elliptic curve. The Weierstrass form elliptic curve $E_{W,a,b}$ in affine coordinates $(x, y)$ is given by an equation where $4a^3 + 27b^2 \neq 0$. Proposition 1 in [22] shows that $E_{W,a,b}$ can be converted into a Montgomery form if and only if the following two conditions hold.
Suppose that (19) holds. Then the map is an isomorphism from $E_{W,a,b}$ :
M, S, A denote multiplication, squaring and addition respectively over $\mathbb{F}_p$; C denotes multiplication by a small constant over $\mathbb{F}_p$.

Moving between $E_\mu$ and $K_{a^2,b^2}$
Suppose $P = [x^2 : z^2]$ is a point of $K_{a^2,b^2}$ which is not of order two and let $\psi(P) = P = (X : \cdot : Z)$ be the corresponding point of $E_{L,\mu}$. We wish to obtain formulas for $X$ and $Z$ in terms of $x^2$ and $z^2$. Note that the y-coordinate of $P$ is not uniquely obtained from $P$. Conversely, suppose we are given $P = (X : \cdot : Z) \in E_{L,\mu}(\mathbb{F}_p)$ which is not of order two and we wish to obtain the coordinates $x^2$ and $z^2$ of the corresponding point $\psi^{-1}(P) = P = [x^2 : z^2]$. These tasks are done as follows.
Explicit formulas to compute the expressions given by (21) and (22) are shown in Table 4. We note that the expressions given by (21) and (22) and the formulas appearing in Table 4 do not appear in [17]. Since $a^2$ and $b^2$ are small constants, the pre-computed constants $\alpha_0$ and $\alpha_1$ are also not too large. The conversion from Kummer line to Legendre form elliptic curve requires three multiplications by small constants while the conversion from Legendre form elliptic curve to Kummer line requires two such multiplications.
Table 4. Conversions from Kummer line to Legendre form elliptic curves and vice versa. Here $\alpha_0 = a^2$ and $\alpha_1 = b^2$ are precomputed quantities.
Using $\psi$, it is possible to map the KL base points provided in Table 3 to base points on the corresponding Legendre form curves. These are shown in affine coordinates in Table 5. For the Legendre form curves, the y-coordinate is the positive for the values of $a^2$, $b^2$, $x^2$ and $z^2$ shown in Table 5. These values are as follows.
3.1. Scalar multiplication on $E_\mu$ via $K_{a^2,b^2}$. The main purpose of using Kummer lines is to be able to perform fast scalar multiplication. Suppose $P = (X_P : Y_P : Z_P)$ is a point on $E_{L,\mu}$ and $n$ is a positive integer. The requirement is to obtain $Q = nP$. Using the associated Kummer line $K_{a^2,b^2}$, this is achieved in the following manner.
Set $P = \psi^{-1}(P)$ and compute $(Q, R) = \mathrm{scalarMult}(P, n)$. Then $Q = nP$ and $R = (n + 1)P$. Set $Q = \psi(Q)$ and $R = \psi(R)$. By the consistency of scalar multiplication between $K_{a^2,b^2}$ and $E_{L,\mu}$, it follows that $Q = nP$ and $R = (n + 1)P$. The problem with the above approach is that $Q = \psi(Q)$ does not recover $Y_Q$. On the other hand, since $Q - R = -P$, the value of $Y_Q$ can be recovered from $X_P$, $Y_P$, $Z_P$, $X_Q$, $Z_Q$, $X_R$ and $Z_R$. The method for doing this has been mentioned in [17] in the context of affine coordinates. Here we solve a more general problem in projective coordinates. The method for recovering the y-coordinate in the context of scalar multiplication over Montgomery form elliptic curves has been described in [23].
and $P = (X_P : Y_P : Z_P)$, we provide formulas for determining $X_Q$, $Y_Q$ and $Z_Q$. We assume that $P$ is not the identity nor a point of order two, so that $Z_P \neq 0$ and $Y_P \neq 0$. Let For simplicity of the ensuing calculation, we shift to affine coordinates. $P$ in affine coordinates is $(x_P, y_P)$ where $x_P = X_P/Z_P$ and $y_P = Y_P/Z_P$. Let $x_Q = \gamma_Q/\delta_Q$ and $x_R = \gamma_R/\delta_R$ and so $Q$ and $R$ in affine coordinates are $(x_Q, y_Q)$ (with $y_Q$ unknown) and $(x_R, \cdot)$ respectively.
Since $Q = nP$ and $R = (n + 1)P$, $Q \neq R$ and so $Q \neq R$ implying that $x_Q \neq x_R$. Further, $Q = nP$ and $R = (n + 1)P$ and so $Q - R = -P$. Let $y = mx + c$ be the line passing through $Q$ and $-R$. This line also passes through $P$ and so we have $m = (y_Q - y_P)/(x_Q - x_P)$. Plugging the equation $y = mx + c$ into the affine form of the curve $y^2 = x^3 - (\mu + 1)x^2 + \mu x$ and simplifying we have $x_Q$ and $x_R$ are the three roots of this equation, we have $x_P + x_Q + x_R = \mu + 1 + m^2$. Substituting the expression for $m$ and using y 2 Substituting Converting back to projective coordinates, using $\mu = a^4/(a^4 - b^4)$ and defining pre-computed constants The computations of $X_Q$, $Y_Q$ and $Z_Q$ are shown in Algorithm 1. The total cost is 4C + 26M + 4S + 10A.
where $Q = nP$, $Q = nP$, $R = (n + 1)P$ and $P = \psi^{-1}(P)$. Here A multiplication by $\mu$ is counted as a general multiplication over $\mathbb{F}_p$.
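The affine step of the derivation above can be carried through to a usable formula: from $m^2 (x_Q - x_P)^2 = (y_Q - y_P)^2$ and $x_P + x_Q + x_R = \mu + 1 + m^2$ one gets $y_Q = \big(f(x_Q) + f(x_P) - (x_P + x_Q + x_R - \mu - 1)(x_Q - x_P)^2\big)/(2 y_P)$ with $f(x) = x(x-1)(x-\mu)$. The following is an added example, not the paper's Algorithm 1 or its scripts; the prime 10007, the stand-in values $a^2 = 3$, $b^2 = 2$ and all function names are assumptions, and the x-coordinates of $nP$ and $(n+1)P$ are produced by ordinary affine double-and-add on the curve instead of the Kummer line ladder.

```python
# Added example: toy parameters constructed for illustration, not a secure size.
P_MOD = 10007                 # small prime with P_MOD % 4 == 3
A2, B2 = 3, 2                 # stand-ins for the small constants a^2 and b^2
MU = A2 * A2 * pow(A2 * A2 - B2 * B2, -1, P_MOD) % P_MOD   # mu = a^4/(a^4 - b^4)


def inv(x):
    """Inverse in F_p; raises ValueError on zero."""
    return pow(x % P_MOD, -1, P_MOD)


def f(x):
    """Right-hand side of y^2 = x(x - 1)(x - mu) = x^3 - (mu + 1)x^2 + mu*x."""
    return x * (x - 1) * (x - MU) % P_MOD


def add(P, Q):
    """Affine chord-and-tangent addition on the Legendre curve; None is the identity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                               # P + (-P), includes doubling a 2-torsion point
    if P == Q:
        m = (3 * x1 * x1 - 2 * (MU + 1) * x1 + MU) * inv(2 * y1) % P_MOD
    else:
        m = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (m * m + MU + 1 - x1 - x2) % P_MOD       # sum of the three roots is mu + 1 + m^2
    return (x3, (m * (x1 - x3) - y1) % P_MOD)


def mul(n, P):
    """Left-to-right double-and-add; stands in for the Kummer line scalarMult."""
    R = None
    for bit in bin(n)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R


def find_point():
    """First affine point with y != 0 (so it is neither the identity nor of order two)."""
    for x in range(2, P_MOD):
        fx = f(x)
        if fx and pow(fx, (P_MOD - 1) // 2, P_MOD) == 1:
            return (x, pow(fx, (P_MOD + 1) // 4, P_MOD))
    raise ValueError("no suitable point found")


def recover_y(P, xQ, xR):
    """y-coordinate of Q = nP from P = (xP, yP), x(nP) and x((n + 1)P)."""
    xP, yP = P
    num = f(xQ) + f(xP) - (xP + xQ + xR - MU - 1) * (xQ - xP) ** 2
    return num * inv(2 * yP) % P_MOD


def verify_recovery(max_n=40):
    """Compare the recovered y_Q with the one from full arithmetic for n = 1..max_n."""
    P = find_point()
    results = []
    for n in range(1, max_n + 1):
        Q, R = mul(n, P), mul(n + 1, P)
        if Q is None or R is None:                # identity has no affine x-coordinate
            continue
        results.append((n, recover_y(P, Q[0], R[0]) == Q[1]))
    return results


if __name__ == "__main__":
    print(verify_recovery())
```

Note that the case $n = 1$ has $x_Q = x_P$, where the slope $m$ is not defined as a quotient, yet the cleared-denominator formula still returns $y_Q = y_P$.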

Moving from Legendre to twisted Edwards form elliptic curves
The general idea is to move from the Legendre form to the Montgomery form and then use (17) to move to the twisted Edwards form. Further, we wish to move to $E_{E,-1,d}$ for some $d$. For this, we use either (14) directly or (15) followed by (14) whenever these are feasible to be applied. For moving from the Legendre to the Montgomery form we identify three approaches.
1. If the curve has a point of order 4, then the method given in [4] can be simplified to move from the Legendre form to the Montgomery form. This provides a birational equivalence between the two forms.
2. It is possible to move from the Legendre form to the Weierstrass form. Then using (20) it is possible to move to the Montgomery form, if feasible. This also provides a birational equivalence between the two forms.
3. Based on the method provided in [5], it is possible to obtain a 2-isogeny for moving from the Legendre form to the Montgomery form.
For the first two methods, a birational equivalence is obtained between the Legendre form curve and the twisted Edwards curve. Since birational equivalence preserves the difficulty of discrete log computation, one can simply work over the obtained twisted Edwards curve without referring to the Legendre curve in the background.
On the other hand, in the case of the third method, an isogeny is obtained. In this case, it is required to start from the Legendre form curve, move to the twisted Edwards form curve using the isogeny, perform the scalar multiplication and then move back to the Legendre form curve using the dual isogeny. This idea was introduced in [7] and we provide more details later.
Since $G$ has three elements of order 2 and the order of $H$ is at least 8, $H$ must have an element $h$ whose order is $2^j$ for $j \geq 2$. The element $h^{2^{j-2}}$ is an element of order 4.
From Table 3, the co-factors of $E_{1a}$, $E_{1b}$, $E_2$ and $E_3$ are 8, 8, 12 and 12 respectively. Using Proposition 1, $E_{1a}$ and $E_{1b}$ have points of order 4 while $E_2$ and $E_3$ do not. The next proposition shows how to find a point of order 4 in $E_{1a}$ or $E_{1b}$.
Proof. The three points of order 2 on $E_{L,\mu}$ are $(0, 0)$, $(1, 0)$ and $(\mu, 0)$. Since $(x_1, y_1)$ is a point of order 4, $2(x_1, y_1)$ is a point of order 2 and so is equal to $(x_2, 0)$ for some $x_2 \in \{0, 1, \mu\}$. Let $m$ be the slope of the tangent to the curve passing through the point $(x_1, y_1)$. This tangent also passes through the point $(x_2, 0)$. This gives two ways of obtaining $m$.
Proposition 2 shows a method to find a point of order 4 over $\mathbb{F}_p$. For each value of $x_2 = 0, 1, \mu$ try to solve (24) for $x_1$ and $y_1$ over $\mathbb{F}_p$. If a solution is found, then we have an $\mathbb{F}_p$ rational point of order 4 and if no solution is found, then there is no $\mathbb{F}_p$ rational point of order 4. Note that for Legendre form curves, this provides a method different from Proposition 1 of determining whether there is an $\mathbb{F}_p$ rational point of order 4. The possible solutions for $(x_1, y_1)$ arising from solving (24) are given in Table 6. These 12 solutions along with the 3 points of order 2 and the identity provide the 16 elements of the 4-torsion subgroup of $E_{L,\mu}$ in the algebraic closure of $\mathbb{F}_p$. Not all of the solutions in Table 6 are in $\mathbb{F}_p$.
Table 6. Values of $x_1$, $y_1$ and $x_2$ which are solutions to (24).
For $E_{1a}$, there are no $\mathbb{F}_p$ rational points of order 4 corresponding to $x_2 = 0$ and is an $\mathbb{F}_p$ rational point of order 4 such that $2(x_1, y_1) = (\mu, 0)$. The actual values of $x_1$ and $y_1$ are as follows. For $E_{1b}$, there are no $\mathbb{F}_p$ rational points of order 4 corresponding to $x_2 = 0$. For $x_2 = 1$, the point $(1 + \sqrt{1 - \mu},\ -1 + \mu - \sqrt{1 - \mu})$ is an $\mathbb{F}_p$ rational point of order 4 such that $2(x_1, y_1) = (1, 0)$. The actual values of $x_1$ and $y_1$ are as follows.
The work [4] proposed the use of Edwards form elliptic curve in cryptography. Their work showed birational equivalence between (long) Weierstrass form curves satisfying certain properties and Edwards form curves. From the proof of Theorem 2.1 in [4] it is possible to pick out a birational equivalence between curves of the form $y^2 = x^3 + a_2x^2 + a_4x$ (satisfying certain properties) and Montgomery form curves. Since Legendre form curves can be written in the form $y^2 = x^3 + a_2x^2 + a_4x$, one obtains a birational equivalence between certain Legendre form curves and Montgomery form curves. The problem, however, is that the statement of Theorem 2.1 and its proof in [4] requires that there should be an element of order 4 and a unique element of order 2 for the birational equivalence to be possible. Since Legendre form curves have 3 elements of order 2 and not necessarily a point of order 4, the result does not directly apply to Legendre form curves. A closer examination of the proof, on the other hand, reveals that the condition of having a unique element of order 2 is not really required; the condition of having an element of order 4 is sufficient. This was already observed in [8], but, the details of the resulting proof were not provided. Below we provide these details as well as certain details which are not present in the proof of Theorem 2.1 provided in [4].
The following result is part of the proof of Theorem 2.1 in [4].

Proof. The last equation follows from the definition of $A_2$ and $A_4$ and from the fact that $(x_2, 0)$ is on $E$. Using [24, Chapter III, Example 4.5] we have that the map given by (28) is an isomorphism. So, it preserves the orders of points. Since $(x_1, y_1)$ is mapped to $(x_1 - x_2, y_1)$ and $(x_2, 0)$ is mapped to $(0, 0)$, it follows that on $E$, $(x_1 - x_2, y_1)$ is a point of order 4 and $2(x_1 - x_2, y_1) = (0, 0)$.
is a birational equivalence from $E$ to $Bs^2 = r^3 + Ar^2 + r$ where $B = 1/(1 - \theta)$ and
Proof. The proof is essentially similar to the proof of Theorem 2.1 of [4] with a small difference which we point out later. Since $(x_1, y_1)$ has order 4, $y_1 \neq 0$ and so $x_1 \neq 0$. The point $(x_1, y_1)$ is on $E$ and so Since $2(x_1, y_1) = (0, 0)$, the tangent to $E$ at the point $(x_1, y_1)$ passes through the point $(0, 0)$. Following the proof of Proposition 2, the slope of the tangent can be expressed in two different ways. This yields From (29), $x = rx_1$ and $y = sy_1/2$. Using $y^2 = x^3 + A_2x^2 + A_4x$; the expressions for $A_2$, $A_4$ and $\theta$; and $y_1^2 = 4x_1^3/(1 - \theta)$ we compute as follows.
This shows the result.

Remarks.
1. Note that $x_1/(1 - \theta) = y_1^2/(4x_1^2)$ which is a square. This was overlooked in the proof of Theorem 2.1 in [4]. The proof continued by considering two Montgomery form curves E and E having the coefficients of $s^2$ to be $B = x_1/(1 - \theta)$ and $B = \theta x_1/(1 - \theta)$ respectively. It was then argued that if $\theta$ is a non-square, then either B or B is a square and the proof proceeded to analyse both the cases. Over a finite field, the condition that $\theta$ is a non-square is implied by E having a unique point of order 2. Noting that B is a square simplifies the proof. This avoids considering E . Also, it avoids the requirement of $\theta$ being a non-square and hence the requirement of E having a unique point of order 2.
2. We note that Theorem 3.3 of [5] shows that every elliptic curve having a point of order 4 is birationally equivalent to an Edwards curve and Theorem 3.4 of [5] shows that if $p \equiv 3 \bmod 4$, then every Montgomery curve is birationally equivalent to an Edwards curve. These results are not directly useful for us since we wish to move to a twisted Edwards curve of the form $E_{E,-1,d}$ while these results show how to move to an Edwards curve of the form $E_{E,1,d}$.
By putting together the different maps, we obtain the following result.
Theorem 4.3. Let $E_{L,\mu} : y^2 = x(x - 1)(x - \mu)$ have a point $(x_1, y_1)$ of order 4 with $2(x_1, y_1) = (x_2, 0)$. Let $\theta = 1 - 4(x_1 - x_2)^3/y_1^2$ and suppose that both $-1$ and $\theta$ are non-squares in $\mathbb{F}_p$. Let $4\theta = -b^2$ for some $b \in \mathbb{F}_p$. Then $E_{L,\mu}$ is birationally equivalent to $E_{E,-1,d} : -u^2 + v^2 = 1 + du^2v^2$ where $d = -1/\theta$ and the birational equivalence is given by with exceptional points given by $y(x - x_1) = 0$, corresponding to points of order 2 (for $y = 0$) or to a point of order 4 (for $x = x_1$). Further, the birational equivalence from $E_{E,-1,d} : -u^2 + v^2 = 1 + du^2v^2$ to $E_{L,\mu}$ is given by with exceptional points given by $u(v - 1) = 0$, corresponding to the identity $(0, 1)$ or to the point of order 2 $(0, -1)$.
The converse birational equivalence is similarly obtained.

4.2. Method 2: Via short Weierstrass. This method moves from the Legendre form to the short Weierstrass form and then to the Montgomery form. The first step of the reduction is given by the following result.
is a birational equivalence from $E_{L,\mu}$ to $E_{W,a,b}$ : Proof. The following computation shows the result.
Suppose that $\left(\frac{a}{p}\right) = \left(\frac{-1}{p}\right)$. The map (17) given by $(r, s) \mapsto (u, v) = (r/s, (r - 1)/(r + 1))$ is a birational equivalence from $E_{M,A,B}$ to $E_{E,a,d} : au^2 + v^2 = 1 + du^2v^2$ where $a = (A + 2)/B = a$ and $d = (A - 2)/B = d$. Using (14), the map $(u, v) \mapsto (u, v) = (bu, v)$ is a birational equivalence from $E_{E,a,d} : au^2 + v^2 = 1 + du^2v^2$ to $E_{E,-1,d}$. Composing all the above maps gives the map defined in the first point of the theorem statement.
Suppose $p \equiv 3 \bmod 4$ and $\mu$ is a non-square in $\mathbb{F}_p$. In this case, $-1$ is a non-square in $\mathbb{F}_p$. Using (17), we obtain a birational equivalence from $E_{M,A,B}$ to $E_{E,4,4\mu} : 4\hat{u}^2 + \hat{v}^2 = 1 + 4\mu\hat{u}^2\hat{v}^2$. Using (15), there is a birational equivalence from $E_{E,4,4\mu}$ to $E_{E,4\mu,4} : 4\mu u^2 + v^2 = 1 + 4u^2v^2$. Since both $-1$ and $\mu$ are non-squares, using (14), there is a birational equivalence from $E_{E,4\mu,4}$ to $E_{E,-1,d} : -u^2 + v^2 = 1 + du^2v^2$ where $d = -1/\mu$. The intermediate maps for moving from $E_{L,\mu}$ to $E_{-1,d}$ are as follows: Composing these intermediate maps shows that the 2-isogeny from $E_{L,\mu}$ to $E_{E,-1,d}$ is given by (40) and composing the maps in the opposite directions shows that the dual 2-isogeny is given by (41).
Suppose $p \equiv 1 \bmod 4$. In this case, $-1$ is a square in $\mathbb{F}_p$. Using (17), we obtain a birational equivalence from $E_{M,A,B}$ to $E_{E,4,4\mu} : 4u^2 + v^2 = 1 + 4\mu u^2v^2$. Since 4 and $-1$ are both square, using (14), there is a birational equivalence from $E_{E,4,4\mu}$ to The intermediate maps for moving from $E_{L,\mu}$ to $E_{-1,d}$ are as follows: Composing these intermediate maps shows that the 2-isogeny from $E_{L,\mu}$ to $E_{E,-1,d}$ is given by (42) and composing the maps in the opposite directions shows that the dual 2-isogeny is given by (43).
Corollary 1. Suppose $E_{L,\mu}$ is given by projective coordinates $(X : Y : Z)$ and $E_{E,-1,d}$ is given by extended twisted Edwards coordinates $(U : V : T : W)$.
1. For the map (47), the kernel is obtained by setting the right hand side to $(0 : 1 : 0 : 1)$. This leads to the equations Y Z( A reasoning similar to the above shows that the kernel of (49) is the same as the kernel of (47) and the kernel of (50) is the same as the kernel of (48).

Concrete twisted Edwards curves
Theorems 4.3, 4.4 and 4.5 provide three ways of obtaining twisted Edwards curves from Legendre curves. In this section, we apply these methods to the Legendre curves arising from the Kummer lines mentioned in Section 2.3. In each case, the Edwards curve is of the form So, only the parameter d needs to be determined.
1. Consider the applicability of Theorem 4.3. This requires a point (x 1 , y 1 ) of order 4 such that 2(x 1 , y 1 ) = (x 2 , y 2 ) where the possible values of x 1 , y 1 and x 2 are given in Table 6. For the solutions of x 1 , y 1 and x 2 , it is required to determine whether the θ defined in Theorem 4.3 is a non-square. It turns out that for E 1a none of the solutions for x 1 , y 1 and x 2 lead to a non-square θ. So, In the case of both Ed 1a,1 and Ed 1a,2 , the exceptional points of (36) are given by y = 0 (corresponding to points of order two) and x = ω + α − 1/c. For Ed 1a,1 , the value of ω + α − 1/c turns out to be − √ µ, while for Ed 1a,2 the value of ω + α − 1/c turns out to be √ µ. From Table 6, these correspond to points of order 4. Further, the value of y corresponding to x = ± √ µ is not in F p . So, these order 4 points are not F p rational. The base point on Ed 1a,1 corresponding to the point (x, y) on E 1a given in Table 5 is obtained by applying the map in (36) to (x, y). Denoting this point by (u 1a,1 , v 1a,1 ), we have The base point on Ed 1a,2 corresponding to the point (x, y) on E 1a given in Table 5 is obtained by applying the map in (36) to (x, y). Denoting this point by (u 1a,2 , v 1a,2 ), we have 3. In this case, p ≡ 3 mod 4 and µ is a square. So, Theorem 4.5 does not apply.
Case 1b. $E_{E,-1,d}$ arising from $E_{1b} = E_{L,\mu}$ arising from KL2519(186, 175). In this case $p = 2^{251} - 9$ and $-1$ is a non-square modulo $p$.

1. Consider the applicability of Theorem 4.3. This requires a point $(x_1, y_1)$ of order 4 such that $2(x_1, y_1) = (x_2, y_2)$ where the possible values of $x_1$, $y_1$ and $x_2$ are given in Table 6. For the solutions of $x_1$, $y_1$ and $x_2$, it is required to determine whether the $\theta$ defined in Theorem 4.3 is a non-square. It turns out that for $E_{1a}$ none of the solutions for $x_1$, $y_1$ and $x_2$ lead to a non-square $\theta$.

In the case of both $\mathrm{Ed}_{1b,1}$ and $\mathrm{Ed}_{1b,2}$, the exceptional points of (36) are given by $y = 0$ (corresponding to points of order two) and $x = \omega + \alpha - 1/c$. For $\mathrm{Ed}_{1b,1}$, the value of $\omega + \alpha - 1/c$ turns out to be $\mu - \sqrt{\mu^2 - \mu}$, while for $\mathrm{Ed}_{1b,2}$ the value of $\omega + \alpha - 1/c$ turns out to be $\mu + \sqrt{\mu^2 - \mu}$. From Table 6, these correspond to points of order 4. Further, the value of $y$ corresponding to $x = \mu \pm \sqrt{\mu^2 - \mu}$ is not in $\mathbb{F}_p$. So, these order 4 points are not $\mathbb{F}_p$ rational.
The base point on $\mathrm{Ed}_{1b,1}$ corresponding to the point $(x, y)$ on $E_{1b}$ given in Table 5 is obtained by applying the map in (36) to $(x, y)$. Denoting this point by $(u_{1b,1}, v_{1a,1})$, we have

The base point on $\mathrm{Ed}_{1b,2}$ corresponding to the point $(x, y)$ on $E_{1b}$ given in Table 5

where $d = -\mu = a^4/(b^4 - a^4) = -6724/795$. The base point on $\mathrm{Ed}_2$ corresponding to the point $(x, y)$ on $E_2$ given in Table 5 is obtained by applying the map in (40) to $(x, y)$. Denoting this point by $(u_2, v_2)$, we have

where $d = -\mu = a^4/(b^4 - a^4) = -67600/48279$.
The base point on $\mathrm{Ed}_3$ corresponding to the point $(x, y)$ on $E_3$ given in Table 5 is obtained by applying the map in (40) to $(x, y)$. Denoting this point by $(u_3, v_3)$, we have

A summary of the twisted Edwards form curves that are obtained from the Legendre form curves is provided in Table 7.

Scalar multiplication on Legendre/twisted Edwards form curves
For the twisted Edwards curves which are obtained from Legendre curves using a birational equivalence, the hardness of the discrete logarithm problem is preserved. For these twisted Edwards curves, it is sufficient to work only on these curves without reference to the underlying Legendre curves. So, the scalar multiplication algorithms for twisted Edwards curves using extended twisted Edwards coordinates can be applied. From Table 7, the relevant curves are $\mathrm{Ed}_{1a,1}$, $\mathrm{Ed}_{1b,1}$, $\mathrm{Ed}_{1b,2}$, $\mathrm{Ed}_{1b,3}$, $\mathrm{Ed}_{2,1}$, $\mathrm{Ed}_{3,1}$.

For the twisted Edwards curves which are obtained from Legendre curves using a 2-isogeny, it is required to work over the Legendre curves. Following [7], scalar multiplication on the corresponding Legendre curves can be performed in the following manner. Let $\Phi$ (resp. $\hat{\Phi}$) be the 2-isogeny (resp. the dual 2-isogeny) from the Legendre form curve to the twisted Edwards form curve (resp. from the twisted Edwards form curve to the Legendre form curve). Let $q$ be the largest prime dividing the order of the group of $\mathbb{F}_p$ rational points of the Legendre form curve. Let $P$ be a point on the Legendre form curve of order $q$ and $n$ be a scalar. Since $q$ is a prime, 2 has a multiplicative inverse modulo $q$. Following [7], the scalar multiplication $nP$ can be done in the following manner: $P = \Phi(P)$; $n = n/2 \bmod q$; $Q = nP$; $Q = \hat{\Phi}(Q)$; return $Q$.
The above requires an application of $\Phi$ and $\hat{\Phi}$ each and a scalar multiplication in the twisted Edwards form curve. The times required for computing $\Phi$ and $\hat{\Phi}$ are negligible in comparison to the scalar multiplication. Instead of directly computing the scalar multiplication on the Legendre form curve, this procedure benefits from the fast scalar multiplication possible on the twisted Edwards form curve.
A unified addition algorithm using extended twisted Edwards coordinates for twisted Edwards curves of the form $-u^2 + v^2 = 1 + du^2v^2$ has been given in [14]. Suppose it is required to add $(U_1 : V_1 : T_1 : W_1)$ and $(U_2 : V_2 : T_2 : W_2)$, and the result is $(U_3 : V_3 : T_3 : W_3)$. The algorithm for performing this operation is shown in Table 8. This requires a total of $8M + 1C + 8A$ where the $C$ is the multiplication by $2d$. For the cases where $d$ is a general element of $\mathbb{F}_p$, essentially $9M + 8A$ is required.

On the other hand, suppose that $d = d_1/d_2$ where $d_1$ and $d_2$ are small integers. The values of $d$ arising in the cases of $\mathrm{Ed}_{1b,4}$, $\mathrm{Ed}_{2,2}$ and $\mathrm{Ed}_{3,2}$ can be written in this form. In this case, the above computation for obtaining $(U_3 : V_3 : T_3 : W_3)$ can be rewritten as shown in Table 9. This requires $8M + 4C + 8A$. In this case, the multiplications counted by $C$ are indeed multiplications by small constants. In other words, instead of $9M + 8A$, the cost becomes $8M + 4C + 8A$. This is advantageous only if the time required for four multiplications by small constants is less than that of a general field multiplication. The idea that writing $d = d_1/d_2$ with $d_1$ and $d_2$ small can lead to efficiency improvement has been earlier mentioned in [6].

Table 8. General $d$. Table 9.
For fixed base scalar multiplication, the efficiency can be further improved as suggested in [6]. Suppose $(U_1 : V_1 : T_1 : W_1)$ is the fixed base where $W_1 = 1$ and $T_1 = U_1 V_1$. If the fixed base point is represented as $(U_1 - V_1, U_1 + V_1, 2dT_1)$ then in the computation in Figure 8, the following simplifications become possible. The multiplication $(2d)T_1 \cdot T_2$ becomes $(2dT_1) \cdot T_2$; the multiplication $2W_1 \cdot W_2$ becomes $2W_2$; and the computations $U_1 - V_1$ and $U_1 + V_1$ are not required. So, the overall cost becomes $7M + 6A$. It had already been pointed out in [14] that using $W_1 = 1$ leads to a cost of $7M + 1C + 8A$. Using $W_1 = 1$ in conjunction with the idea in [6] of using the $(U_1 - V_1, U_1 + V_1, 2dT_1)$ representation of the fixed base point leads to the cost of $7M + 6A$.
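The three addition variants discussed above, as an added Python example that is not code from the paper. Since the contents of Tables 8 and 9 are not reproduced in this text, it uses the standard unified extended-coordinate formulas for curves of the form $-u^2 + v^2 = 1 + du^2v^2$ and, as an assumption, one arrangement of the $d = d_1/d_2$ case that uses four small-constant multiplications. The sample curve (Ed25519, $d = -121665/121666$, not one of the curves of Table 7) and all function names are assumptions chosen for illustration.

```python
# Added example. Sample curve (an assumption, not one of the page's curves):
# Ed25519, i.e. -u^2 + v^2 = 1 + d*u^2*v^2 over p = 2^255 - 19, d = -121665/121666.
P = 2**255 - 19
D1, D2 = -121665, 121666            # d = D1/D2 with small integers
D = D1 * pow(D2, -1, P) % P

def affine_add(p1, p2):
    """Reference affine addition law for a = -1 (used only to check results)."""
    (u1, v1), (u2, v2) = p1, p2
    t = D * u1 * u2 * v1 * v2 % P
    return ((u1 * v2 + v1 * u2) * pow((1 + t) % P, -1, P) % P,
            (v1 * v2 + u1 * u2) * pow((1 - t) % P, -1, P) % P)

def combine(A, B, C, Dw):
    """Shared tail of every variant: 4 additions, then 4 multiplications."""
    E, F, G, H = B - A, Dw - C, Dw + C, B + A
    return (E * F % P, G * H % P, E * H % P, F * G % P)   # (U3, V3, T3, W3)

def add_general(p1, p2):
    """General d: the only constant multiplication is the one by 2d."""
    (U1, V1, T1, W1), (U2, V2, T2, W2) = p1, p2
    return combine((U1 - V1) * (U2 - V2), (U1 + V1) * (U2 + V2),
                   2 * D % P * T1 * T2, 2 * W1 * W2)

def add_small_ratio(p1, p2):
    """d = D1/D2: constants are D2, D2, 2*D1, 2*D2; output is scaled by D2^2."""
    (U1, V1, T1, W1), (U2, V2, T2, W2) = p1, p2
    return combine(D2 * (U1 - V1) * (U2 - V2), D2 * (U1 + V1) * (U2 + V2),
                   2 * D1 * T1 * T2, 2 * D2 * W1 * W2)

def precompute(u, v):
    """Fixed base with W1 = 1, stored as (U1 - V1, U1 + V1, 2d*T1)."""
    return ((u - v) % P, (u + v) % P, 2 * D * u * v % P)

def add_fixed(pre, p2):
    """Mixed addition with a precomputed fixed base: 7 field multiplications."""
    (m, s, k), (U2, V2, T2, W2) = pre, p2
    return combine(m * (U2 - V2), s * (U2 + V2), k * T2, 2 * W2)

def to_affine(pt):
    wi = pow(pt[3], -1, P)
    return pt[0] * wi % P, pt[1] * wi % P

def sample_point():
    """Constructed sample point with v = 4/5; square root for p = 5 (mod 8)."""
    v = 4 * pow(5, -1, P) % P
    uu = (v * v - 1) * pow((D * v * v + 1) % P, -1, P) % P
    u = pow(uu, (P + 3) // 8, P)
    if u * u % P != uu:
        u = u * pow(2, (P - 1) // 4, P) % P
    return u, v
```

The small-ratio variant returns coordinates that differ from the general variant by the common factor $d_2^2$, so the two outputs agree only after conversion to affine coordinates.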

Conclusion
This work considered methods to move between Legendre form elliptic curves and associated Kummer lines as well as methods to move between Legendre form elliptic curves and corresponding twisted Edwards form elliptic curves. Complete details of the methods are presented. Further, new concrete twisted Edwards form elliptic curves are proposed. These correspond to previously proposed concrete Kummer lines at the 128-bit security level which admit very fast scalar multiplication on modern architectures supporting SIMD operations.