[Cfrg] A2 versus A^2 and BB versus AA

Paul Lambert <paul@marvell.com> Sat, 10 January 2015 19:15 UTC

From: Paul Lambert <paul@marvell.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>, "agl@google.com" <agl@google.com>, "mpg@elzevir.fr" <mpg@elzevir.fr>, "simon@josefsson.org" <simon@josefsson.org>
Date: Sat, 10 Jan 2015 11:15:36 -0800

In reviewing and trying to implement curve25519 from:
   draft-josefsson-tls-curve25519-06,
   draft-agl-cfrgcurve-00
   and http://www.hyperelliptic.org/EFD/g1p/auto-montgom-xz.html

I've noticed a possible error in draft-josefsson-tls-curve25519-06:

    A  = X2 + Z2
    AA = A2           <- should be A^2
    B  = X2 - Z2
    BB = B2           <-- should be B^2
    E  = AA - BB
    C  = X3 + Z3
    D  = X3 - Z3
    DA = D * A
    CB = C * B
    X5 = (DA + CB)^2
    Z5 = X1 * (DA - CB)^2
    X4 = AA * BB
    Z4 = E * (BB + a24 * E)    <----- correctly uses 'BB'


This looks like a cut-and-paste error.  The '^2' is a superscript in the
EFD definitions.

In draft-agl-cfrgcurve-00 it appears that the 'AA' term is not consistent
with the josefsson text or the EFD, which both use BB.

    A = x_2 + z_2
    AA = A^2
    B = x_2 - z_2
    BB = B^2
    E = AA - BB
    C = x_3 + z_3
    D = x_3 - z_3
    DA = D * A
    CB = C * B
    x_3 = (DA + CB)^2
    z_3 = x_1 * (DA - CB)^2
    x_2 = AA * BB
    z_2 = E * (AA + a24 * E)    <------  versus E*(BB+a24*E)


Is this a typo? ... here's the EFD version for reference

    A = X2+Z2
    AA = A^2
    B = X2-Z2
    BB = B^2
    E = AA-BB
    C = X3+Z3
    D = X3-Z3
    DA = D*A
    CB = C*B
    X5 = (DA+CB)^2
    Z5 = X1*(DA-CB)^2
    X4 = AA*BB
    Z4 = E*(BB+a24*E)             <-----  also uses 'BB'


Hummm ... maybe it works anyway since AA and BB both have z2^2 term ....
    Z4 = 4*x2*z2*(x2^2+A*x2*z2+z2^2)

Either way it would be nice to match the EFD and the TLS definition.



Paul
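
Added example, not part of the original message or of either draft: a check of the doubling line of the ladder step against the closed form Z4 = 4*x2*z2*(x2^2+A*x2*z2+z2^2) quoted above, using the curve25519 constants p = 2^255 - 19 and A = 486662. It shows that E*(BB + a24*E) is right when a24 = (A+2)/4 and E*(AA + a24*E) is right when a24 = (A-2)/4, and that mixing the two is not; which a24 each draft defines is not stated in the message and has to be read from the draft. The function names and sample inputs are constructed for illustration.

```python
# Added example: compares the 'AA' and 'BB' forms of the Z4 line.
P = 2**255 - 19            # curve25519 field prime
A = 486662                 # Montgomery coefficient of curve25519
A24_PLUS = (A + 2) // 4    # 121666, the EFD assumption 4*a24 = a+2
A24_MINUS = (A - 2) // 4   # 121665


def double_xz(x2, z2, term, a24):
    """Doubling half of the ladder step; `term` picks AA or BB in the Z4 line."""
    a = (x2 + z2) % P
    aa = a * a % P                      # AA = A^2 (a square, not a symbol "A2")
    b = (x2 - z2) % P
    bb = b * b % P                      # BB = B^2
    e = (aa - bb) % P                   # E = 4*x2*z2
    x4 = aa * bb % P
    inner = aa if term == "AA" else bb
    z4 = e * (inner + a24 * e) % P
    return x4, z4


def closed_form_z4(x2, z2):
    """Z4 written out directly from the curve equation."""
    return 4 * x2 * z2 * (x2 * x2 + A * x2 * z2 + z2 * z2) % P


def compare_variants(samples):
    """Return, per variant, whether its Z4 matches the closed form on every sample."""
    variants = {
        "BB with (A+2)/4": ("BB", A24_PLUS),
        "AA with (A-2)/4": ("AA", A24_MINUS),
        "AA with (A+2)/4": ("AA", A24_PLUS),   # formula and constant mixed up
    }
    return {
        name: all(double_xz(x, z, term, a24)[1] == closed_form_z4(x, z)
                  for x, z in samples)
        for name, (term, a24) in variants.items()
    }


# Constructed projective inputs (x2, z2); (9, 1) is the curve25519 base point.
SAMPLES = [(9, 1)] + [(pow(9, k, P), pow(5, k, P)) for k in range(2, 12)]

if __name__ == "__main__":
    for name, ok in compare_variants(SAMPLES).items():
        print(f"{name}: {'matches' if ok else 'DIFFERS from'} closed form")
```

An implementation that takes the formula from one document and the a24 constant from another computes a wrong Z4 on every non-trivial input, so a test against a known-answer vector catches the mix-up immediately.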