Nettle
nettle
Commits
2a1ac1dc
Commit
2a1ac1dc
authored
Aug 28, 2014
by
Niels Möller
misc/eccformulas.tex
View file @
2a1ac1dc
...
...
@@ 110,17 +110,25 @@ This works also for doubling, but a more efficient variant is
The EdDSA paper (
\url
{
http://ed25519.cr.yp.to/ed2551920110926.pdf
}
)
suggests using the twisted Edwards curve,
\begin{equation*}
x
^
2 + y
^
2 = 1 + d x
^
2 y
^
2
\pmod
{
p
}
x
^
2 + y
^
2 = 1 + d
'
x
^
2 y
^
2
\pmod
{
p
}
\end{equation*}
(For this we use the same
$
d'
=

d
=
(
121665
/
121666
)
\bmod
p
$
).
Assuming 1 has a square root modulo
$
p
$
, a point
$
(
x, y
)
$
lies on
this curve if and only if
$
(
\sqrt
{

1
}
x, p
)
$
lies of the nontwisted
Edwards curve. The point additin formulas for the twisted Edwards
Edwards curve. The point additi
o
n formulas for the twisted Edwards
curve are
\begin{align*}
t
&
= d x
_
1 x
_
2 y
_
1 y
_
2
\\
t
&
= d
'
x
_
1 x
_
2 y
_
1 y
_
2
\\
x
_
3
&
= (1 + t)
^{
1
}
(x
_
1 y
_
2 + y
_
1 x
_
2)
\\
y
_
3
&
= (1  t)
^{
1
}
(y
_
1 y
_
2 + x
_
1 x
_
2)
\end{align*}
or in terms of
$
d
$
rather than
$
d'
$
, signs are switched as
\begin{align*}
t
&
= d x
_
1 x
_
2 y
_
1 y
_
2
\\
x
_
3
&
= (1  t)
^{
1
}
(x
_
1 y
_
2 + y
_
1 x
_
2)
\\
y
_
3
&
= (1 + t)
^{
1
}
(y
_
1 y
_
2 + x
_
1 x
_
2)
\end{align*}
For the other formulas, it should be fine to just switch the sign of
terms involving
$
x
_
1
x
_
2
$
or
$
x
_
1
^
2
$
. The paper suggests further
optimizations: For precomputed points, use the representation
$
(
x

y,
...
...
@@ 128,6 +136,26 @@ x+y, dxy)$. And for temporary points, maintain an additional redundant
coordinate
$
T
$
, with
$
Z T
=
X Y
$
(see
\url
{
http://eprint.iacr.org/2008/522.pdf
}
).
According to djb, the formulas in Section 3.1 are the once to use,
because they are complete. See
\url
{
http://www.hyperelliptic.org/EFD/g1p/autotwistedextended1.html#additionadd2008hwcd
}
,
\begin{align*}
A
&
= x
_
1 x
_
2
\\
B
&
= y
_
1 y
_
2
\\
C
&
= t
_
1 d' t
_
2
\\
D
&
= z
_
1 z
_
2
\\
E
&
= (x
_
1+y
_
1) (x
_
2+y
_
2)AB
\\
F
&
= DC
\\
G
&
= D+C
\\
H
&
= Ba A
\\
x
_
3
&
= E*F
\\
y
_
3
&
= G*H
\\
t
_
3
&
= E*H
\\
z
_
3
&
= F*G
\end{align*}
In our notation
$
a
=

1
$
, and the
$
d'
$
above is
$

d
$
.
\section
{
Curve25519
}
Curve25519 is defined as the Montgomery curve
...
...
