Skip to content
GitLab
Menu
Projects
Groups
Snippets
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
Menu
Open sidebar
Dmitry Baryshkov
nettle
Commits
2a1ac1dc
Commit
2a1ac1dc
authored
Aug 28, 2014
by
Niels Möller
Browse files
Sign corrections and formulas for EdDSA.
parent
4e20f762
Changes
1
Show whitespace changes
Inline
Side-by-side
misc/ecc-formulas.tex
View file @
2a1ac1dc
...
...
@@ -110,17 +110,25 @@ This works also for doubling, but a more efficient variant is
The EdDSA paper (
\url
{
http://ed25519.cr.yp.to/ed25519-20110926.pdf
}
)
suggests using the twisted Edwards curve,
\begin{equation*}
-x
^
2 + y
^
2 = 1 + d x
^
2 y
^
2
\pmod
{
p
}
-x
^
2 + y
^
2 = 1 + d
'
x
^
2 y
^
2
\pmod
{
p
}
\end{equation*}
(For this we use the same
$
d'
=
-
d
=
(
121665
/
121666
)
\bmod
p
$
).
Assuming -1 has a square root modulo
$
p
$
, a point
$
(
x, y
)
$
lies on
this curve if and only if
$
(
\sqrt
{
-
1
}
x, p
)
$
lies of the non-twisted
Edwards curve. The point additin formulas for the twisted Edwards
Edwards curve. The point additi
o
n formulas for the twisted Edwards
curve are
\begin{align*}
t
&
= d x
_
1 x
_
2 y
_
1 y
_
2
\\
t
&
= d
'
x
_
1 x
_
2 y
_
1 y
_
2
\\
x
_
3
&
= (1 + t)
^{
-1
}
(x
_
1 y
_
2 + y
_
1 x
_
2)
\\
y
_
3
&
= (1 - t)
^{
-1
}
(y
_
1 y
_
2 + x
_
1 x
_
2)
\end{align*}
or in terms of
$
d
$
rather than
$
d'
$
, signs are switched as
\begin{align*}
t
&
= d x
_
1 x
_
2 y
_
1 y
_
2
\\
x
_
3
&
= (1 - t)
^{
-1
}
(x
_
1 y
_
2 + y
_
1 x
_
2)
\\
y
_
3
&
= (1 + t)
^{
-1
}
(y
_
1 y
_
2 + x
_
1 x
_
2)
\end{align*}
For the other formulas, it should be fine to just switch the sign of
terms involving
$
x
_
1
x
_
2
$
or
$
x
_
1
^
2
$
. The paper suggests further
optimizations: For precomputed points, use the representation
$
(
x
-
y,
...
...
@@ -128,6 +136,26 @@ x+y, dxy)$. And for temporary points, maintain an additional redundant
coordinate
$
T
$
, with
$
Z T
=
X Y
$
(see
\url
{
http://eprint.iacr.org/2008/522.pdf
}
).
According to djb, the formulas in Section 3.1 are the once to use,
because they are complete. See
\url
{
http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#addition-add-2008-hwcd
}
,
\begin{align*}
A
&
= x
_
1 x
_
2
\\
B
&
= y
_
1 y
_
2
\\
C
&
= t
_
1 d' t
_
2
\\
D
&
= z
_
1 z
_
2
\\
E
&
= (x
_
1+y
_
1) (x
_
2+y
_
2)-A-B
\\
F
&
= D-C
\\
G
&
= D+C
\\
H
&
= B-a A
\\
x
_
3
&
= E*F
\\
y
_
3
&
= G*H
\\
t
_
3
&
= E*H
\\
z
_
3
&
= F*G
\end{align*}
In our notation
$
a
=
-
1
$
, and the
$
d'
$
above is
$
-
d
$
.
\section
{
Curve25519
}
Curve25519 is defined as the Montgomery curve
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
