Re: [Cfrg] draft-irtf-cfrg-eddsa - Implementation failure for 448

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 20 July 2016 15:59 UTC

Date: Wed, 20 Jul 2016 18:59:43 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Watson Ladd <watsonbladd@gmail.com>
Message-ID: <20160720155943.GA22763@LK-Perkele-V2.elisa-laajakaista.fi>
References: <00de01d1e280$e31c0290$a95407b0$@augustcellars.com> <20160720124904.GA22541@LK-Perkele-V2.elisa-laajakaista.fi> <006401d1e294$63418310$29c48930$@augustcellars.com> <CACsn0c=BZamd8h6hczY32pvgKodsEmhT+F0N=4RbCgY1YnT3qw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KBKgRgCE9Rw22D57QRSLG_62ZgM>
Cc: Jim Schaad <ietf@augustcellars.com>, "cfrg@ietf.org" <cfrg@ietf.org>, draft-irtf-cfrg-eddsa@ietf.org

On Wed, Jul 20, 2016 at 07:48:59AM -0700, Watson Ladd wrote:
 
> On Wed, Jul 20, 2016 at 7:38 AM, Jim Schaad <ietf@augustcellars.com> wrote:
> > OK - Another one for you.
> >
> > H = (X1+X2)*(Y1+Y2)
> > X3 = A*G*(H-C-D)
> >
> > Vs code
> >
> >         tmp.x=zcp*F*((self.x+self.y)*(y.x+y.y)-xcp-ycp)
> >
> > note that in one case the two X are being added and in the other x and y are being added.

Got that too.

> Why aren't we using the formulas from EFD?
> https://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html
> 
> We know these are right due to a Magma script checking them.

The formulas supposedly come from EFD. No darn clue why that one
formula pulled one of the terms as H (and did so incorrectly).


The twisted doubling formula in EFD contains a, despite having assumed
a=-1 for some darn reason. There the a=-1 was carried forward in the
draft (note that E, F, G and H flip sign, but end results only contain
two-products of those, so sign flips cancel out).




-Ilari.