Switch curve25519 implementation to use the Ed25519 twisted Edwards curve.

0d6b5d68 · Niels Möller · a3f8c34c · 0d6b5d68 · 0d6b5d68 · 0d6b5d68
Commit 0d6b5d68 authored Aug 29, 2014 by Niels Möller
--- a/ChangeLog
+++ b/ChangeLog
+2014-08-29  Niels Möller  <nisse@lysator.liu.se>
+
+	Switch the curve25519 implementation to use the isomorphism to the
+	twisted Edwards curve which is used for Ed25519 signatures.
+	* eccdata.c (ecc_curve_init): Tweaked the transformation constant
+	for the isomorphism between curve25519 and the twisted Edwards
+	curve.
+	* ecc-add-ehh.c (ecc_add_ehh): Updated formulas for the twist curve.
+	* ecc-add-eh.c (ecc_add_eh): Likewise.
+	* ecc-dup-eh.c (ecc_dup_eh): Likewise.
+
 2014-08-28  Niels Möller  <nisse@lysator.liu.se>

 	* ecdsa-verify.c (ecdsa_verify): Drop include of ecc-internal.h,

--- a/ecc-add-eh.c
+++ b/ecc-add-eh.c
@@ -94,17 +94,17 @@ ecc_add_eh (const struct ecc_curve *ecc,
  ecc_modp_mul (ecc, x3, C, D);
  ecc_modp_mul (ecc, E, x3, ecc->b);

-  ecc_modp_sub (ecc, C, D, C);
+  ecc_modp_add (ecc, C, D, C); /* ! */
  ecc_modp_sqr (ecc, B, z1);
  ecc_modp_sub (ecc, F, B, E);
  ecc_modp_add (ecc, G, B, E);  

  /* x3 */
-  ecc_modp_mul (ecc, B, F, T);
+  ecc_modp_mul (ecc, B, G, T); /* ! */
  ecc_modp_mul (ecc, x3, B, z1);

  /* y3 */
-  ecc_modp_mul (ecc, B, G, C);
+  ecc_modp_mul (ecc, B, F, C); /* ! */
  ecc_modp_mul (ecc, y3, B, z1);

  /* z3 */

--- a/ecc-add-ehh.c
+++ b/ecc-add-ehh.c
@@ -76,6 +76,10 @@ ecc_add_ehh (const struct ecc_curve *ecc,
     x3 = A*F*T		3 mul		A, C, G
     y3 = A*G*(D-C)	2 mul		F, G
     z3 = F*G		mul
+
+     But when working with the twist curve, we need to the factor
+     x1*x2. We need to switch sign in y3 expressions, and swap F and
+     G.
  */
 #define C scratch
 #define D (scratch + ecc->size)
@@ -95,7 +99,7 @@ ecc_add_ehh (const struct ecc_curve *ecc,
  ecc_modp_sub (ecc, T, T, D);
  ecc_modp_mul (ecc, x3, C, D);
  ecc_modp_mul (ecc, E, x3, ecc->b);
-  ecc_modp_sub (ecc, C, D, C);
+  ecc_modp_add (ecc, C, D, C);	/* ! */
  
  ecc_modp_mul (ecc, A, z1, z2);
  ecc_modp_sqr (ecc, B, A);
@@ -104,11 +108,11 @@ ecc_add_ehh (const struct ecc_curve *ecc,
  ecc_modp_add (ecc, G, B, E);

  /* x3 */
-  ecc_modp_mul (ecc, B, F, T);
+  ecc_modp_mul (ecc, B, G, T); /* ! */
  ecc_modp_mul (ecc, x3, B, A);

  /* y3 */
-  ecc_modp_mul (ecc, B, G, C);
+  ecc_modp_mul (ecc, B, F, C); /* ! */
  ecc_modp_mul (ecc, y3, B, A);

  /* z3 */

--- a/ecc-dup-eh.c
+++ b/ecc-dup-eh.c
@@ -62,6 +62,18 @@ ecc_dup_eh (const struct ecc_curve *ecc,
     x' = (b-e)*j	mul		c, d, e, j
     y' = e*(c-d)	mul		e, j
     z' = e*j		mul
+
+     But for the twisted curve, we need some sign changes.
+
+     b = (x+y)^2	sqr		b
+     c = x^2		sqr		b, c
+     d = y^2		sqr		b, c, d
+   ! e = -c+d				b, c, d, e
+     h = z^2		sqr		b, c, d, e, h
+   ! j = -e+2*h				b, c, d, e, j
+   ! x' = (b-c-d)*j	mul		c, d, e, j
+   ! y' = e*(c+d)	mul		e, j
+     z' = e*j		mul
  */
 #define b scratch 
 #define c (scratch  + ecc->size)
@@ -80,17 +92,18 @@ ecc_dup_eh (const struct ecc_curve *ecc,
  /* h, can use r as scratch, even for in-place operation. */
  ecc_modp_sqr (ecc, r, p + 2*ecc->size);
  /* e, */
-  ecc_modp_add (ecc, e, c, d);
-  /* b - e */
-  ecc_modp_sub (ecc, b, b, e);
+  ecc_modp_sub (ecc, e, d, c);
+  /* b - c - d */
+  ecc_modp_sub (ecc, b, b, c);
+  ecc_modp_sub (ecc, b, b, d);
  /* j */
  ecc_modp_add (ecc, r, r, r);
-  ecc_modp_sub (ecc, j, e, r);
+  ecc_modp_sub (ecc, j, r, e);

  /* x' */
  ecc_modp_mul (ecc, r, b, j);
  /* y' */
-  ecc_modp_sub (ecc, c, c, d);
+  ecc_modp_add (ecc, c, c, d); /* Redundant */
  ecc_modp_mul (ecc, r + ecc->size, e, c);
  /* z' */
  ecc_modp_mul (ecc, b, e, j);

--- a/eccdata.c
+++ b/eccdata.c
@@ -575,10 +575,15 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size)
 			  */
 			  "2dfc9311d490018c7338bf8688861767"
 			  "ff8ff5b2bebe27548a14b235eca6874a",
-			  /* sqrt(486664) mod p, from PARI/GP
-			     sqrt(Mod(486664, p)) */
-			  "141b0b6806563d503de05885280b5910"
-			  "9ca5ee38d7b56c9c165db7106377bbd8");
+			  /* A square root of -486664 mod p, PARI/GP
+			     -sqrt(Mod(-486664, p)) in PARI/GP.
+
+			     Sign is important to map to the right
+			     generator on the twisted edwards curve
+			     used for EdDSA. */
+			  "70d9120b9f5ff9442d84f723fc03b081"
+			  "3a5e2c2eb482e57d3391fb5500ba81e7"
+			  );
      ecc->ref = ecc_alloc (3);
      ecc_set_str (&ecc->ref[0], /* 2 g */
 		   "20d342d51873f1b7d9750c687d157114"