[Cfrg] A2 versus A^2 and BB verus AA
Paul Lambert <paul@marvell.com> Sat, 10 January 2015 19:15 UTC
From: Paul Lambert <paul@marvell.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>, "agl@google.com" <agl@google.com>, "mpg@elzevir.fr" <mpg@elzevir.fr>, "simon@josefsson.org" <simon@josefsson.org>
Date: Sat, 10 Jan 2015 11:15:36 -0800
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/RYtOJDmPfZ7Mu-p_jKiGjr2T4eQ>
In reviewing and trying to implement curve25519 from: draft-josefsson-tls-curve25519-06, draft-agl-cfrgcurve-00 and http://www.hyperelliptic.org/EFD/g1p/auto-montgom-xz.html I've noticed a possible error in draft-josefsson-tls-curve25519-06:

    A = X2 + Z2
    AA = A2                  <-- should be A^2
    B = X2 - Z2
    BB = B2                  <-- should be B^2
    E = AA - BB
    C = X3 + Z3
    D = X3 - Z3
    DA = D * A
    CB = C * B
    X5 = (DA + CB)^2
    Z5 = X1 * (DA - CB)^2
    X4 = AA * BB
    Z4 = E * (BB + a24 * E)  <-- correctly uses 'BB'

This looks like a cut-and-paste error. The '^2' is a superscript in the EFD definitions.

In draft-agl-cfrgcurve-00 it appears that the 'AA' term is not consistent with the josefsson text or the EFD that both use BB

    A = x_2 + z_2
    AA = A^2
    B = x_2 - z_2
    BB = B^2
    E = AA - BB
    C = x_3 + z_3
    D = x_3 - z_3
    DA = D * A
    CB = C * B
    x_3 = (DA + CB)^2
    z_3 = x_1 * (DA - CB)^2
    x_2 = AA * BB
    z_2 = E * (AA + a24 * E)  <-- versus E*(BB+a24*E)

Is this a typo?

... here's the EFD version for reference

    A = X2+Z2
    AA = A^2
    B = X2-Z2
    BB = B^2
    E = AA-BB
    C = X3+Z3
    D = X3-Z3
    DA = D*A
    CB = C*B
    X5 = (DA+CB)^2
    Z5 = X1*(DA-CB)^2
    X4 = AA*BB
    Z4 = E*(BB+a24*E)  <-- also uses 'BB'

Hummm ... maybe it works anyway since AA and BB both have z2^2 term ....

    Z4 = 4*x2*z2*(x2^2+A*x2*z2+z2^2))

Either way it would be nice to match the EFD and the TLS definition

Paul
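The AA-versus-BB question raised in the message above, checked numerically as an added example (not part of the original post or of either draft). Because AA = BB + E, the expressions E*(BB + c*E) and E*(AA + (c-1)*E) are identical, so each form is correct only with its own constant. The values (A+2)/4 = 121666 and (A-2)/4 = 121665 for A = 486662 are assumptions of this example; the message does not say which value of a24 each draft uses.

```python
# Added example: compares the two Z4 forms from the message against the
# closed-form expression it quotes, over the curve25519 field.
import random

P = 2**255 - 19            # curve25519 field prime
A = 486662                 # Montgomery coefficient of curve25519
A24_PLUS = (A + 2) // 4    # 121666 (assumed constant for the BB form)
A24_MINUS = (A - 2) // 4   # 121665 (assumed constant for the AA form)


def _aa_bb_e(x2, z2):
    aa = pow(x2 + z2, 2, P)
    bb = pow(x2 - z2, 2, P)
    return aa, bb, (aa - bb) % P


def z4_with_bb(x2, z2, a24):
    """Z4 = E*(BB + a24*E), as in the EFD listing."""
    _, bb, e = _aa_bb_e(x2, z2)
    return e * (bb + a24 * e) % P


def z4_with_aa(x2, z2, a24):
    """z_2 = E*(AA + a24*E), as in the second listing."""
    aa, _, e = _aa_bb_e(x2, z2)
    return e * (aa + a24 * e) % P


def z4_closed_form(x2, z2):
    """4*x2*z2*(x2^2 + A*x2*z2 + z2^2), the expression quoted in the message."""
    return 4 * x2 * z2 * (x2 * x2 + A * x2 * z2 + z2 * z2) % P


def compare(trials=200, seed=1):
    """For each (form, constant) pairing, report whether it matched the
    closed form on every random nonzero (x2, z2) tried."""
    rng = random.Random(seed)
    pairings = {
        "BB,(A+2)/4": (z4_with_bb, A24_PLUS),
        "AA,(A-2)/4": (z4_with_aa, A24_MINUS),
        "AA,(A+2)/4": (z4_with_aa, A24_PLUS),
        "BB,(A-2)/4": (z4_with_bb, A24_MINUS),
    }
    ok = {name: True for name in pairings}
    for _ in range(trials):
        x2, z2 = rng.randrange(1, P), rng.randrange(1, P)
        want = z4_closed_form(x2, z2)
        for name, (form, a24) in pairings.items():
            ok[name] &= form(x2, z2, a24) == want
    return ok
```

A mismatched pairing is off by exactly E^2 = 16*x2^2*z2^2, so it fails for every input with nonzero x2 and z2 rather than only occasionally.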
- [Cfrg] A2 versus A^2 and BB verus AA Paul Lambert
- Re: [Cfrg] A2 versus A^2 and BB verus AA Adam Langley
- Re: [Cfrg] A2 versus A^2 and BB verus AA Samuel Neves
- Re: [Cfrg] A2 versus A^2 and BB verus AA Tanja Lange
- Re: [Cfrg] A2 versus A^2 and BB verus AA Adam Langley
- Re: [Cfrg] A2 versus A^2 and BB verus AA Tanja Lange
- Re: [Cfrg] A2 versus A^2 and BB verus AA Samuel Neves
- Re: [Cfrg] A2 versus A^2 and BB verus AA Tanja Lange