Commit 0d6b5d68 authored by Niels Möller's avatar Niels Möller

Switch curve25519 implementation to use the Ed25519 twisted Edwards curve.

parent a3f8c34c
2014-08-29 Niels Möller <nisse@lysator.liu.se>
Switch the curve25519 implementation to use the isomorphism to the
twisted Edwards curve which is used for Ed25519 signatures.
* eccdata.c (ecc_curve_init): Tweaked the transformation constant
for the isomorphism between curve25519 and the twisted Edwards
curve.
* ecc-add-ehh.c (ecc_add_ehh): Updated formulas for the twist curve.
* ecc-add-eh.c (ecc_add_eh): Likewise.
* ecc-dup-eh.c (ecc_dup_eh): Likewise.
2014-08-28 Niels Möller <nisse@lysator.liu.se>
* ecdsa-verify.c (ecdsa_verify): Drop include of ecc-internal.h,
......
......@@ -94,17 +94,17 @@ ecc_add_eh (const struct ecc_curve *ecc,
ecc_modp_mul (ecc, x3, C, D);
ecc_modp_mul (ecc, E, x3, ecc->b);
ecc_modp_sub (ecc, C, D, C);
ecc_modp_add (ecc, C, D, C); /* ! */
ecc_modp_sqr (ecc, B, z1);
ecc_modp_sub (ecc, F, B, E);
ecc_modp_add (ecc, G, B, E);
/* x3 */
ecc_modp_mul (ecc, B, F, T);
ecc_modp_mul (ecc, B, G, T); /* ! */
ecc_modp_mul (ecc, x3, B, z1);
/* y3 */
ecc_modp_mul (ecc, B, G, C);
ecc_modp_mul (ecc, B, F, C); /* ! */
ecc_modp_mul (ecc, y3, B, z1);
/* z3 */
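Review bot: The `/* ! */` markers on the new `ecc_modp_add (ecc, C, D, C);`, `ecc_modp_mul (ecc, B, G, T);` and `ecc_modp_mul (ecc, B, F, C);` lines flag that these differ from the untwisted formulas but give no reason, so a maintainer checking the code against the formula table in the function's header comment (outside this hunk) will read them as sign bugs. Suggest stating the reason once on the first marked line, e.g. `/* Twisted curve: D + C rather than D - C, and F/G swapped in x3/y3; see header comment */`, and dropping the bare `/* ! */` on the other two; the same markers appear in the ecc_add_ehh hunks below. Nothing visible in this commit touches the testsuite, and a wrong sign in a group-law formula yields results that are still well-formed field elements, so it is worth confirming that existing curve25519 vectors exercise both the add and dup paths. ecc_add_eh's body starts and ends outside this hunk, so I cannot see whether the header comment itself was updated to match.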
......
......@@ -76,6 +76,10 @@ ecc_add_ehh (const struct ecc_curve *ecc,
x3 = A*F*T 3 mul A, C, G
y3 = A*G*(D-C) 2 mul F, G
z3 = F*G mul
But when working with the twist curve, we need to the factor
x1*x2. We need to switch sign in y3 expressions, and swap F and
G.
*/
#define C scratch
#define D (scratch + ecc->size)
......@@ -95,7 +99,7 @@ ecc_add_ehh (const struct ecc_curve *ecc,
ecc_modp_sub (ecc, T, T, D);
ecc_modp_mul (ecc, x3, C, D);
ecc_modp_mul (ecc, E, x3, ecc->b);
ecc_modp_sub (ecc, C, D, C);
ecc_modp_add (ecc, C, D, C); /* ! */
ecc_modp_mul (ecc, A, z1, z2);
ecc_modp_sqr (ecc, B, A);
......@@ -104,11 +108,11 @@ ecc_add_ehh (const struct ecc_curve *ecc,
ecc_modp_add (ecc, G, B, E);
/* x3 */
ecc_modp_mul (ecc, B, F, T);
ecc_modp_mul (ecc, B, G, T); /* ! */
ecc_modp_mul (ecc, x3, B, A);
/* y3 */
ecc_modp_mul (ecc, B, G, C);
ecc_modp_mul (ecc, B, F, C); /* ! */
ecc_modp_mul (ecc, y3, B, A);
/* z3 */
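Review bot: The added comment in the first hunk, `But when working with the twist curve, we need to the factor x1*x2.`, is missing its verb, so the reader cannot tell what happens to x1*x2. From the later hunks (`ecc_modp_add (ecc, C, D, C); /* ! */` replacing the subtraction, and F and G swapped in the x3/y3 products) it appears the sign of that term flips, but the comment should say so rather than leave it to be reverse-engineered. Suggest, if it matches the derivation, `But when working with the twist curve, the x1*x2 term changes sign: y3 uses (D+C) instead of (D-C), and F and G are swapped in the x3 and y3 products.` The `/* ! */` markers on the changed lines would then be clearer as a reference to that comment. ecc_add_ehh's body starts and ends outside these hunks.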
......
......@@ -62,6 +62,18 @@ ecc_dup_eh (const struct ecc_curve *ecc,
x' = (b-e)*j mul c, d, e, j
y' = e*(c-d) mul e, j
z' = e*j mul
But for the twisted curve, we need some sign changes.
b = (x+y)^2 sqr b
c = x^2 sqr b, c
d = y^2 sqr b, c, d
! e = -c+d b, c, d, e
h = z^2 sqr b, c, d, e, h
! j = -e+2*h b, c, d, e, j
! x' = (b-c-d)*j mul c, d, e, j
! y' = e*(c+d) mul e, j
z' = e*j mul
*/
#define b scratch
#define c (scratch + ecc->size)
......@@ -80,17 +92,18 @@ ecc_dup_eh (const struct ecc_curve *ecc,
/* h, can use r as scratch, even for in-place operation. */
ecc_modp_sqr (ecc, r, p + 2*ecc->size);
/* e, */
ecc_modp_add (ecc, e, c, d);
/* b - e */
ecc_modp_sub (ecc, b, b, e);
ecc_modp_sub (ecc, e, d, c);
/* b - c - d */
ecc_modp_sub (ecc, b, b, c);
ecc_modp_sub (ecc, b, b, d);
/* j */
ecc_modp_add (ecc, r, r, r);
ecc_modp_sub (ecc, j, e, r);
ecc_modp_sub (ecc, j, r, e);
/* x' */
ecc_modp_mul (ecc, r, b, j);
/* y' */
ecc_modp_sub (ecc, c, c, d);
ecc_modp_add (ecc, c, c, d); /* Redundant */
ecc_modp_mul (ecc, r + ecc->size, e, c);
/* z' */
ecc_modp_mul (ecc, b, e, j);
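Review bot: The new `ecc_modp_add (ecc, c, c, d); /* Redundant */` does not say what is redundant; reading the hunk, c + d is effectively computed twice, once as `b - c - d` via the two subtractions and once here for y'. Since e is formed from c and d before c is overwritten, the sum could be formed once right after `ecc_modp_sub (ecc, e, d, c);` as `ecc_modp_add (ecc, c, c, d);` followed by `ecc_modp_sub (ecc, b, b, c);`, dropping `ecc_modp_sub (ecc, b, b, d);` and the later add, which saves one modp operation and removes the cryptic comment. Whether that is safe depends on the reduction range ecc_modp_add/sub guarantee for chained results, which is not visible here, so confirm before changing. If the current form is kept, replace `/* Redundant */` with something like `/* c + d, already folded into b above; recomputed for y' */`. ecc_dup_eh's body ends outside this hunk.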
......
......@@ -575,10 +575,15 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size)
*/
"2dfc9311d490018c7338bf8688861767"
"ff8ff5b2bebe27548a14b235eca6874a",
/* sqrt(486664) mod p, from PARI/GP
sqrt(Mod(486664, p)) */
"141b0b6806563d503de05885280b5910"
"9ca5ee38d7b56c9c165db7106377bbd8");
/* A square root of -486664 mod p, PARI/GP
-sqrt(Mod(-486664, p)) in PARI/GP.
Sign is important to map to the right
generator on the twisted edwards curve
used for EdDSA. */
"70d9120b9f5ff9442d84f723fc03b081"
"3a5e2c2eb482e57d3391fb5500ba81e7"
);
ecc->ref = ecc_alloc (3);
ecc_set_str (&ecc->ref[0], /* 2 g */
"20d342d51873f1b7d9750c687d157114"
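Review bot: The new comment `A square root of -486664 mod p, PARI/GP -sqrt(Mod(-486664, p)) in PARI/GP.` names PARI/GP twice and reads as two fragments run together; suggest `A square root of -486664 mod p, computed in PARI/GP as -sqrt(Mod(-486664, p)).` The following sentence should also say how the sign is pinned down, since a wrong choice would silently map to a different point: if the reference points set up below (`ecc_set_str (&ecc->ref[0], /* 2 g */`) are what checks it, say so, e.g. `The sign selects the image of the curve25519 generator on the twisted Edwards curve used for EdDSA; the ref points below are computed on that image.` Capitalize `Edwards` in `twisted edwards curve`. ecc_curve_init starts and ends outside this hunk.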
......