Commit 73dddcc4 authored by Niels Möller

Document issues when curve25519 sqrt fails.

parent 0118df62
......@@ -135,7 +135,7 @@ mapping $P = (x,y)$ to $P' = (u, v)$, as follows.
The inverse transformation is
x &= (1+v) / (1-v) \\
y &= \sqrt{b+2} x / u
y &= \sqrt{b+2} \, x / u
If the Edwards coordinates are represented using homogeneous
coordinates, $u = U/W$ and $v = V/W$, then
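Review bot: The constant on the `y` line, `\sqrt{b+2}`, does not match the homogeneous form a few lines further down, which still reads `y &= \sqrt{b} \frac{(W+V) W}{(W-V) U}`. Substituting $u = U/W$ and $v = V/W$ into `x &= (1+v) / (1-v)` and `y &= \sqrt{b+2} \, x / u` gives $\sqrt{b+2}\,(W+V)W / ((W-V)U)$, so one of the two constants should be corrected while this line is being touched. The thin-space change itself is fine.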
......@@ -144,6 +144,37 @@ coordinates, $u = U/W$ and $v = V/W$, then
y &= \sqrt{b} \frac{(W+V) W}{(W-V) U}
so we need to invert the value $(W-V) U$.
The curve25519 function is defined with an input point represented by
the $x$-coordinate only, and is specified as allowing any value. The
corresponding $y$ coordinate is given by
y = \sqrt{x^3 + b x^2 + x} \pmod p
whenever this square root exists. But what if it doesn't? Then we work
with the curve over the extended field $F_{p^2}$. Let $n$ by any
non-square, then $(x^3 + b x^2 + x) n$ is a square, and we get the
$y = y' / \sqrt{n}$ with
y' = \sqrt{(x^3 + b x^2 + x) n}
It happens that for all multiples of such a point, this same factor is
tacked on to all the $y$-coordinates, while all the $x$-coordinates
remain in the base field $F_p$. It's the ``twist'' curve $y'^2 / n =
x^3 + bx^2 + x$. On the corresponding Edwards curve, we
get $u = \sqrt{n} u'$ with
u' = \sqrt{b+2} \, x / y'
and the addition formula
t &= d n u'_1 u'_2 v_1 v_2 \\
u'_3 &= (1+t)^{-1}(u'_1v_2 + v_1 u'_2) \\
v_3 &= (1-t)^{-1}(v_1 v_2 - n u'_1 u'_2)
It seems a bit tricky to handle both types of point in a single
function without speed penalty, due to the conditional factor of $n$
in the formula for $v_3$.
%%% Local Variables:
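Review bot: The closing sentence of the new text attributes the conditional factor of $n$ only to the formula for $v_3$, but as written `t &= d n u'_1 u'_2 v_1 v_2` carries the same factor, so a single function handling both point types would need the condition in two places; the text should say so. It would also help to state what happens when $x^3 + b x^2 + x$ is zero, since the argument that multiplying by a non-square $n$ yields a square assumes a non-zero non-square. Two wording fixes in the same paragraph: "Let $n$ by any non-square" should read "be", and "we get the $y = y' / \sqrt{n}$" has a stray "the".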