See section 2.3.2 of the blog post "Extended twisted Edwards curve coordinate systems and their conversions", which gives the doubling formula:

$$2(X_0:Y_0:Z_0:T_0)=(X:Y:Z:T)$$

$$X=(2X_0Y_0)(Z_0^2-dT_0^2)=eh$$

$$Y=(Y_0^2-aX_0^2)(Z_0^2+dT_0^2)=gf$$

$$T=(Y_0^2-aX_0^2)(2X_0Y_0)=eg$$

$$Z=(Z_0^2-dT_0^2)(Z_0^2+dT_0^2)=fh$$

where:

$$e=2X_0Y_0,\quad g=Y_0^2-aX_0^2,\quad f=Z_0^2+dT_0^2,\quad h=Z_0^2-dT_0^2$$
The corresponding representation in extended coordinates is:

$$\varepsilon_{a,d}:=\{(X:Y:Z:T)\in P^3(F):\ XY=ZT\ \text{and}\ aX^2+Y^2=Z^2+dT^2\}$$
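The doubling formulas and the two defining equations above can be checked numerically. The following is an added example, not code from the original post or from curve25519-dalek; it assumes the Ed25519 parameters ($p=2^{255}-19$, $a=-1$, $d=-121665/121666$) as sample input, and all function names are hypothetical.

```python
# Added example: doubling in extended twisted Edwards coordinates,
# cross-checked against the affine doubling law.
# Assumption: Ed25519 parameters are used as sample input.
P = 2**255 - 19
A = P - 1                                  # a = -1
D = -121665 * pow(121666, -1, P) % P       # d = -121665/121666

def on_curve(pt):
    """Both defining equations: XY = ZT and aX^2 + Y^2 = Z^2 + dT^2."""
    X, Y, Z, T = pt
    return ((X * Y - Z * T) % P == 0 and
            (A * X * X + Y * Y - Z * Z - D * T * T) % P == 0)

def double_ext(pt):
    """(X:Y:Z:T) = 2(X0:Y0:Z0:T0) using e, g, f, h as defined above."""
    X0, Y0, Z0, T0 = pt
    e = 2 * X0 * Y0 % P
    g = (Y0 * Y0 - A * X0 * X0) % P
    f = (Z0 * Z0 + D * T0 * T0) % P
    h = (Z0 * Z0 - D * T0 * T0) % P
    return (e * h % P, g * f % P, f * h % P, e * g % P)   # X, Y, Z, T

def to_affine(pt):
    """(X:Y:Z:T) -> (x, y) = (X/Z, Y/Z)."""
    X, Y, Z, _ = pt
    zinv = pow(Z, -1, P)
    return (X * zinv % P, Y * zinv % P)

def double_affine(x, y):
    """Reference: affine twisted Edwards doubling."""
    k = D * x * x * y * y % P
    x3 = 2 * x * y * pow((1 + k) % P, -1, P) % P
    y3 = (y * y - A * x * x) * pow((1 - k) % P, -1, P) % P
    return (x3, y3)

def sample_point():
    """Constructed input: the point with y = 4/5, x recovered by square root."""
    y = 4 * pow(5, -1, P) % P
    u = (1 - y * y) * pow((A - D * y * y) % P, -1, P) % P   # x^2
    x = pow(u, (P + 3) // 8, P)            # square root for p = 5 (mod 8)
    if x * x % P != u:
        x = x * pow(2, (P - 1) // 4, P) % P
    return (x, y, 1, x * y % P)            # Z = 1, T = xy

if __name__ == "__main__":
    pt = sample_point()
    print(on_curve(double_ext(pt)),
          to_affine(double_ext(pt)) == double_affine(*to_affine(pt)))
```

Because every output coordinate is homogeneous of degree 4 in the inputs, doubling any rescaled representative $(\lambda X_0:\lambda Y_0:\lambda Z_0:\lambda T_0)$ yields the same affine point.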
For how batch_invert works, see section 4 of the blog post "Montgomery inversion and the batch_invert algorithm for Scalar in curve25519-dalek".
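For how point compression works in extended coordinates, see section 2 of the blog post "ristretto255 point compression and decompression algorithms (2): in extended coordinates".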