Skip to content
GitLab
Menu
Projects
Groups
Snippets
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
Menu
Open sidebar
Nettle
nettle
Commits
73dddcc4
Commit
73dddcc4
authored
Aug 23, 2014
by
Niels Möller
Browse files
Document issues when curve25519 sqrt fails.
parent
0118df62
Changes
1
Hide whitespace changes
Inline
Sidebyside
Showing
1 changed file
with
32 additions
and
1 deletion
+32
1
misc/eccformulas.tex
misc/eccformulas.tex
+32
1
No files found.
misc/eccformulas.tex
View file @
73dddcc4
...
...
@@ 135,7 +135,7 @@ mapping $P = (x,y)$ to $P' = (u, v)$, as follows.
The inverse transformation is
\begin{align*}
x
&
= (1+v) / (1v)
\\
y
&
=
\sqrt
{
b+2
}
x / u
y
&
=
\sqrt
{
b+2
}
\,
x / u
\end{align*}
If the Edwards coordinates are represented using homogeneous
coordinates,
$
u
=
U
/
W
$
and
$
v
=
V
/
W
$
, then
...
...
@@ 144,6 +144,37 @@ coordinates, $u = U/W$ and $v = V/W$, then
y
&
=
\sqrt
{
b
}
\frac
{
(W+V) W
}{
(WV) U
}
\end{align*}
so we need to invert the value
$
(
W

V
)
U
$
.
The curve25519 function is defined with an input point represented by
the
$
x
$
coordinate only, and is specified as allowing any value. The
corresponding
$
y
$
coordinate is given by
\begin{equation*}
y =
\sqrt
{
x
^
3 + b x
^
2 + x
}
\pmod
p
\end{equation*}
whenever this square root exists. But what if it doesn't? Then we work
with the curve over the extended field
$
F
_{
p
^
2
}$
. Let
$
n
$
by any
nonsquare, then
$
(
x
^
3
+
b x
^
2
+
x
)
n
$
is a square, and we get the
$
y
=
y'
/
\sqrt
{
n
}$
with
\begin{equation*}
y' =
\sqrt
{
(x
^
3 + b x
^
2 + x) n
}
\end{equation*}
It happens that for all multiples of such a point, this same factor is
tacked on to all the
$
y
$
coordinates, while all the
$
x
$
coordinates
remain in the base field
$
F
_
p
$
. It's the ``twist'' curve
$
y'
^
2
/
n
=
x
^
3
+
bx
^
2
+
x
$
. On the corresponding Edwards curve, we
get
$
u
=
\sqrt
{
n
}
u'
$
with
\begin{equation*}
u' =
\sqrt
{
b+2
}
\,
x / y'
\end{equation*}
and the addition formula
\begin{align*}
t
&
= d n u'
_
1 u'
_
2 v
_
1 v
_
2
\\
u'
_
3
&
= (1+t)
^{
1
}
(u'
_
1v
_
2 + v
_
1 u'
_
2)
\\
v
_
3
&
= (1t)
^{
1
}
(v
_
1 v
_
2  n u'
_
1 u'
_
2)
\end{align*}
It seems a bit tricky to handle both types of point in a single
function without speed penalty, due to the conditional factor of
$
n
$
in the formula for
$
v
_
3
$
.
\end{document}
%%% Local Variables:
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment