[Cfrg] A2 versus A^2 and BB verus AA

Paul Lambert <paul@marvell.com> Sat, 10 January 2015 19:15 UTC

Date: Sat, 10 Jan 2015 11:15:36 -0800
In reviewing and trying to implement curve25519 from:
   and http://www.hyperelliptic.org/EFD/g1p/auto-montgom-xz.html

I¹ve noticed a possible error in draft-josefsson-tls-curve25519-06:

A  = X2 + Z2
               AA = A2           <‹ should be A^2
               B  = X2 - Z2
               BB = B2           <‹‹ should be B^2
               E  = AA - BB
               C  = X3 + Z3
               D  = X3 - Z3
               DA = D * A
               CB = C * B
               X5 = (DA + CB)^2
               Z5 = X1 * (DA - CB)^2
               X4 = AA * BB
               Z4 = E * (BB + a24 * E)    <‹‹‹‹‹ correctly uses ŒBB¹

This looks like a cut-and-paste error.  The Œ^2¹ is a superscript in the
EFD definitions.

In draft-agl-cfrgcurve-00 it appears that the ŒAA¹ term  is not consistent
with the josefsson text or the EFD that both use BB

A = x_2 + z_2
    AA = A^2
    B = x_2 - z_2
    BB = B^2
    E = AA - BB
    C = x_3 + z_3
    D = x_3 - z_3
    DA = D * A
    CB = C * B
    x_3 = (DA + CB)^2
    z_3 = x_1 * (DA - CB)^2
    x_2 = AA * BB
    z_2 = E * (AA + a24 * E)    <‹‹‹‹‹‹  versus E*(BB+a24*E)

Is this a typo? Š here¹s the EFD version for reference

A = X2+Z2
      AA = A^2
      B = X2-Z2
      BB = B^2
      E = AA-BB
      C = X3+Z3
      D = X3-Z3
      DA = D*A
      CB = C*B
      X5 = (DA+CB)^2
      Z5 = X1*(DA-CB)^2
      X4 = AA*BB
      Z4 = E*(BB+a24*E)             <‹‹‹‹‹  also uses ŒBB'

Hummm Š maybe it works anyway since AA and BB both have z2^2 term Š.
 Z4 = 4*x2*z2*(x2^2+A*x2*z2+z2^2))

Ether way it would be nice to match the EFD and the TLS definition
