[CFRG] EdDSA square roots (RFC 8032)
James Muir <muir.james.a@gmail.com> Wed, 22 December 2021 20:10 UTC
Return-Path: <muir.james.a@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A5433A0B2F for <cfrg@ietfa.amsl.com>; Wed, 22 Dec 2021 12:10:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_HEX=0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q5SisFFHDDcq for <cfrg@ietfa.amsl.com>; Wed, 22 Dec 2021 12:10:15 -0800 (PST)
Received: from mail-qv1-xf34.google.com (mail-qv1-xf34.google.com [IPv6:2607:f8b0:4864:20::f34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B118B3A0B30 for <cfrg@irtf.org>; Wed, 22 Dec 2021 12:10:15 -0800 (PST)
Received: by mail-qv1-xf34.google.com with SMTP id fo11so3326577qvb.4 for <cfrg@irtf.org>; Wed, 22 Dec 2021 12:10:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:from:subject:message-id:date:user-agent:mime-version :content-language:content-transfer-encoding; bh=aQo2QDD8OZSeTSTOPQ9r30KaCthCVzbxorbDLH7LuZY=; b=mu+OR7GSZ5nES+YPxQ0AVl900ZbSRk9/5HCrUEz67sU+DAinSZAC2sCU7qPVyXm+Nl v9j6GDqYkaFuLSw/FH3nBeyIquc7Y2JwaQCGc4y+oKHu82/Q37dRxzCuIF1zWSFQXLpo yF8GkuWxbwhros9fXZvqEryRzuNNyCMty6qTDS8P39PYTtcjWxpIZyyAnO9R2bhF9Hxt Gkux9jBDjPVU4p5aRL9FWJnUWVpITkW4LSvwcjtChtbu4xY2ADdFBE1Vbr2xRXWfmpi0 dlmko558LsO0rGsVc6fCXpmRl1EMYCiDnsAAovNMpZTLrzFfAssyb09YTL8iZ9PDgRu+ uR6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-language:content-transfer-encoding; bh=aQo2QDD8OZSeTSTOPQ9r30KaCthCVzbxorbDLH7LuZY=; b=Irq80sxfQMnA7XIPPTOUnFCEHuS2K/lAZ0/Xz1cA5kfM9ANk1B6wmK7J+DXIufaUNo yifb7scBx0Li80hIFyO79v7QD0+3T3mmnspjqzQ+9IufCaSd6xge30vd6dFN+zlkDhP0 fHPF3e6M/am8oWDUzjwg/CI7Iel+vDZ60sNlPa9btgkK1/IytJG/Y9g+Jvhz5VHe+LeF 2cNf0iACoAefSj9LBLnSwxzn73oleoj/ob5Bj5uOIHHUu2kKyDSO21lWtpul3jbfpjL/ Md67ig5SGhxhbm61uC8acp6NjBbX8zEtDRQkRlUdzxHDlXF2QNkiBNG3nrKp+5c167MU NMJA==
X-Gm-Message-State: AOAM530A7uzCQtrbUU61kzU6Ue71gtMNxU4OaaxKXjTrWkrPj9OEFt/O F2KLgAHc6PE48FqR1rrZFM42tA/wYik=
X-Google-Smtp-Source: ABdhPJx1CY7yUTcCLFtMmioukjyDDzOh0xhQBTY3mjiAYymyZxhMDfK25txEH2GL9KEUvGPnY1KJYQ==
X-Received: by 2002:a05:6214:c81:: with SMTP id r1mr3870463qvr.111.1640203813512; Wed, 22 Dec 2021 12:10:13 -0800 (PST)
Received: from [192.168.1.6] ([172.83.169.160]) by smtp.gmail.com with ESMTPSA id bq43sm2618942qkb.32.2021.12.22.12.10.12 for <cfrg@irtf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 22 Dec 2021 12:10:13 -0800 (PST)
To: "cfrg@irtf.org" <cfrg@irtf.org>
From: James Muir <muir.james.a@gmail.com>
Message-ID: <b9c6c307-849b-c9ae-104d-53ab72bb98fe@gmail.com>
Date: Wed, 22 Dec 2021 15:10:10 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/qlKpMBqxXZYmDpXXIx6LO3Oznv4>
Subject: [CFRG] EdDSA square roots (RFC 8032)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Dec 2021 20:10:21 -0000
https://datatracker.ietf.org/doc/html/rfc8032 Ed25519 and Ed448 use point compression and require a square-root-mod-p operation to recover the x-coordinate from an expression involving y. Decoding procedures are given in Sections 5.1.3 (for Ed25519) and 5.2.3 (for Ed448). Mark Wooden noted in a 2017 blog post that the square-root computation can be simplified: https://vox.distorted.org.uk/mdw/2017/05/simpler-quosqrt.html I wanted to summarize Mark's observation here so others can comment on it. The method given in RFC 8032 is taken from page 15 of the Ed25519 paper, "High-speed high-security signatures", but I don't see any reason why it should be preferred over Mark's method, which saves a few multiplications. Link to the Ed25519 paper: http://ed25519.cr.yp.to/ed25519-20110926.pdf Note that the same observation appears to have also been submitted to the RFC 8032 Errata by Franck Rondepierre: https://www.rfc-editor.org/errata/eid5758 https://www.rfc-editor.org/errata/eid5759 Unfortunately, no explanatory notes were included with those errata and they were rejected. Here is my description of the simplified method. Let u = y^2 - 1 and v = d*y^2 + 1. We want to find a square root of the ratio u/v, assuming that u/v is a square; i.e. we want to find x such that x^2 = u/v. Start by computing w = u*v. If u/v is square, then w is also a square, which in turn implies that the order of w modulo p divides (p-1)/2. Consider the Ed448 case first, where p is congruent to 3 mod 4. Compute x = u * w^((p-3)/4). Then x is a square root of u/v because x^2 = u^2 * w^((p-3)/2) = u^2 * w^((p-1)/2 - 1) = u^2 * w^(-1) = u/v So, we see that if u/v is a square, then u*w^((p-3)/4) is one of its square roots. ( Compare this to the expression given in Section 5.2.3: u^3*v * (u^5 * v^3)^((p-3)/4). ) For the Ed25519 case, p is congruent to 1 mod 4 and 5 mod 8. Minus one is a square modulo p; let i denote one of its square roots. The approach suggested in the Ed25519 paper is to find x such that x^4 = (u/v)^2, which implies that x^2 = u/v or x^2 = -u/v, which implies that either x or i*x is a square root of u/v. Compute x = u * w^((p-5)/8). We have x^4 = u^4 * w^((p-5)/2) = u^4 * w^((p-1)/2 - 2) = u^4 * w^(-2) = (u/v)^2 So, we see that if u/v is a square, then either u*w^((p-5)/8) or i*u*w^((p-5)/8) is one of its square roots. ( Compare this to the expression given in Section 5.1.3: u*v^3 * (u * v^7)^((p-5)/8). ) -James M
- [CFRG] EdDSA square roots (RFC 8032) James Muir
- Re: [CFRG] EdDSA square roots (RFC 8032) Ilari Liusvaara
- Re: [CFRG] EdDSA square roots (RFC 8032) James Muir
- Re: [CFRG] EdDSA square roots (RFC 8032) Ilari Liusvaara
- Re: [CFRG] EdDSA square roots (RFC 8032) Paul Hoffman
- Re: [CFRG] EdDSA square roots (RFC 8032) John Mattsson
- Re: [CFRG] EdDSA square roots (RFC 8032) Ilari Liusvaara
- Re: [CFRG] EdDSA square roots (RFC 8032) John Mattsson
- Re: [CFRG] EdDSA square roots (RFC 8032) John Mattsson
- Re: [CFRG] EdDSA square roots (RFC 8032) Carsten Bormann
- Re: [CFRG] EdDSA square roots (RFC 8032) Ilari Liusvaara
- [CFRG] (Re: EdDSA square roots (RFC 8032)) Rene Struik
- Re: [CFRG] (Re: EdDSA square roots (RFC 8032)) Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] (Re: EdDSA square roots (RFC 8032)) John Mattsson
- [CFRG] (resend - apparently hidden 40kB email cap… Rene Struik
- Re: [CFRG] (Re: EdDSA square roots (RFC 8032)) Rene Struik
- Re: [CFRG] (Re: EdDSA square roots (RFC 8032)) Ilari Liusvaara
- Re: [CFRG] (Re: EdDSA square roots (RFC 8032)) Rene Struik
- [CFRG] signature schemes (was: Re: (Re: EdDSA squ… Stephen Farrell
- Re: [CFRG] EdDSA square roots (RFC 8032) Yolan Romailler
- Re: [CFRG] EdDSA square roots (RFC 8032) Blumenthal, Uri - 0553 - MITLL