[Cfrg] draft-irtf-cfrg-eddsa - more implementation questions

Jim Schaad <ietf@augustcellars.com> Mon, 11 July 2016 13:54 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 3D81512D18B for <cfrg@ietfa.amsl.com>; Mon, 11 Jul 2016 06:54:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.08
X-Spam-Status: No, score=-2.08 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, LOCALPART_IN_SUBJECT=1.107, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 5CL3lZ2G0DS8 for <cfrg@ietfa.amsl.com>; Mon, 11 Jul 2016 06:54:20 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FBAA12D149 for <cfrg@ietf.org>; Mon, 11 Jul 2016 06:54:20 -0700 (PDT)
Received: from hebrews ( by mail2.augustcellars.com ( with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 11 Jul 2016 07:00:17 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: <draft-irtf-cfrg-eddsa@tools.ietf.org>
Date: Mon, 11 Jul 2016 06:53:54 -0700
Message-ID: <008901d1db7b$ab86bed0$02943c70$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdHaPQPk7SURo7klQZ6/ZZEBLWM5vw==
Content-Language: en-us
X-Originating-IP: []
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/MQRcIRS0QcteZgNC-LMijh4JaGw>
Resent-From: <alias-bounces@ietf.org>
Resent-To: @ietf.org
Cc: cfrg@ietf.org
Subject: [Cfrg] draft-irtf-cfrg-eddsa - more implementation questions
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2016 13:54:22 -0000

In step #3 of the verify function, I assume that I can reduce k mod p
without any problems.   Can I reduce it mod L or not?  It would be useful to
have the hint in the text since it is all over the Sign algorithm.

I have been using the python program to help debug my quick implementation
of the signature algorithm.  This has worked up to the point of trying to
decode points as the python code does not use the suggested formula in
section 5.1.3 (use this trick) but instead just directly computes a square
root on the base formula.

I am therefore unable to determine where my bug is:  In my code, in the
formula, or in how I read the formula.  It might be worthwhile to actually
implement this algorithm for computing square roots if that is what is

By the way, I finally found where the neutral point was defined.  You still
might want to highlight it as part of the point addition sections.

Looking at the python code, I think I see the trick you are using to deal
with step 1 in the decoding code for removing the x_0 bit but it could be
highlighted that it is being done in the field parsing function rather than
the decoding function.
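Added example (editor's illustration, not the draft's reference code and not the poster's implementation) covering the two technical points raised above: decoding a compressed Ed25519 point with the section 5.1.3 square-root trick (u v^3 (u v^7)^((p-5)/8) with the 2^((p-1)/4) correction) beside the direct square root the draft's Python appendix uses, and a check that the verify-step scalar k gives the same result with or without reduction mod L, which holds because A and B lie in the order-L subgroup. Curve constants are the Ed25519 values from the draft; the function names, the extended-coordinate helpers and the sample scalars are this example's own assumptions.

```python
# Added example, not code from draft-irtf-cfrg-eddsa: Ed25519 point decoding
# two ways, plus a check that the verify-step scalar may be reduced mod L.
p = 2**255 - 19
d = (-121665 * pow(121666, p - 2, p)) % p
L = 2**252 + 27742317777372353535851937790883648493
SQRT_M1 = pow(2, (p - 1) // 4, p)   # 2^((p-1)/4) is a square root of -1 mod p

def inv(x):
    return pow(x, p - 2, p)

# Points are extended coordinates (X, Y, Z, T); the neutral element is (0, 1, 1, 0).
NEUTRAL = (0, 1, 1, 0)

def point_add(P, Q):
    # Complete twisted-Edwards addition (the formulas in the draft's appendix).
    X1, Y1, Z1, T1 = P
    X2, Y2, Z2, T2 = Q
    A = (Y1 - X1) * (Y2 - X2) % p
    Bv = (Y1 + X1) * (Y2 + X2) % p
    C = 2 * T1 * T2 * d % p
    D = 2 * Z1 * Z2 % p
    E, F, G, H = Bv - A, D - C, D + C, Bv + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)

def point_mul(s, P):
    Q = NEUTRAL
    while s > 0:
        if s & 1:
            Q = point_add(Q, P)
        P = point_add(P, P)
        s >>= 1
    return Q

def point_equal(P, Q):
    X1, Y1, Z1, _ = P
    X2, Y2, Z2, _ = Q
    return (X1 * Z2 - X2 * Z1) % p == 0 and (Y1 * Z2 - Y2 * Z1) % p == 0

def point_compress(P):
    zinv = inv(P[2])
    x, y = P[0] * zinv % p, P[1] * zinv % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def recover_x_reference(y, sign):
    """Direct square root as in the draft's Python appendix: x2 = u/v,
    x = x2^((p+3)/8), multiplied by sqrt(-1) if that is not a root."""
    if y >= p:
        return None
    x2 = (y * y - 1) * inv(d * y * y + 1) % p
    if x2 == 0:
        return None if sign else 0
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p != 0:
        x = x * SQRT_M1 % p
    if (x * x - x2) % p != 0:
        return None
    if (x & 1) != sign:
        x = p - x
    return x

def recover_x_section_5_1_3(y, sign):
    """Section 5.1.3 trick: with u = y^2 - 1 and v = d*y^2 + 1 the candidate
    root is x = u * v^3 * (u * v^7)^((p-5)/8); no separate inversion needed."""
    if y >= p:
        return None
    u = (y * y - 1) % p
    v = (d * y * y + 1) % p
    x = u * pow(v, 3, p) * pow(u * pow(v, 7, p), (p - 5) // 8, p) % p
    vx2 = v * x * x % p
    if vx2 == (-u) % p:
        x = x * SQRT_M1 % p            # v x^2 == -u: multiply by 2^((p-1)/4)
    elif vx2 != u:
        return None                    # no square root exists: invalid encoding
    if x == 0 and sign == 1:
        return None                    # x_0 = 1 with x = 0 is rejected
    if (x & 1) != sign:
        x = p - x
    return x

def point_decompress(s, recover=recover_x_section_5_1_3):
    # Decoding step 1: top bit of the last byte is x_0, the remaining 255 bits are y.
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x = recover(y, sign)
    return None if x is None else (x, y, 1, x * y % p)

# Base point B from its y-coordinate 4/5 (its x-coordinate is even, so x_0 = 0).
B = point_decompress((4 * inv(5) % p).to_bytes(32, "little"))

def decodings_agree(P):
    """Both decoders recover the same point from one compressed encoding."""
    enc = point_compress(P)
    return point_equal(point_decompress(enc, recover_x_reference),
                       point_decompress(enc, recover_x_section_5_1_3))

def k_reduction_is_harmless(A, k):
    """[k]A == [k mod L]A for any A in the order-L subgroup, so the verify-step
    scalar k (a 512-bit hash output) may be reduced mod L before multiplying."""
    return point_equal(point_mul(k, A), point_mul(k % L, A))
```

Running `decodings_agree` on B and on a multiple of B shows the two square-root routes give the same x, so a mismatch between an implementation of the 5.1.3 formula and the appendix code points at the implementation rather than the formula; `k_reduction_is_harmless` with a constructed 512-bit scalar shows the reduction leaves the verification equation unchanged.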