then for any point $P_1$ and $P_2$ on $M_{a,b}(\K)$ such that $X_1/Z_1=\chi(P_1), X_2/Z_2=\chi(P_2)$, and $X_4/Z_4=\chi(P_1- P_2)$, we have $X_3/Z_3=\chi(P_1+P_2)$.\\
then for any point $P_1$ and $P_2$ on $M_{a,b}(\K)$ such that
$X_1/Z_1=\chi(P_1), X_2/Z_2=\chi(P_2)$, and $X_4/Z_4=\chi(P_1- P_2)$,
we have $X_3/Z_3=\chi(P_1+P_2)$.\\
\textbf{Remark:} For any $x \in\K\backslash\{0\}, x/0$ should be understood as $\infty$.
We consider $M_{486662,1}(\F{p})$ and $M_{486662,2}(\F{p})$, one of its quadratic twist.
% $M_{486662,1}(\F{p})$ has the same equation as $M_{486662,1}(\F{p^2})$ while $M_{486662,2}(\F{p})$ is one of its quadratic twist.
\begin{dfn}Let the following instantiations of \aref{alg:montgomery-double-add}:\\
-- $Curve25519\_Fp(n,x)$ for $M_{486662,1}(\F{p})$.\\
-- $Twist25519\_Fp(n,x)$ for $M_{486662,2}(\F{p})$.
\end{dfn}
By instantiating theorem \ref{montgomery-ladder-correct} we derive the following two lemmas:
\begin{lemma} For all $x \in\F{p},\ n \in\N,\ P \in\F{p}\times\F{p}$,\\
With \tref{thm:montgomery-ladder-correct} we derive the following two lemmas:
\begin{lemma}
For all $x \in\F{p},\ n \in\N,\ P \in\F{p}\times\F{p}$,\\
such that $P \in M_{486662,1}(\F{p})$ and $\chi_0(P)= x$.
Given $n$ and $x$, $Curve25519\_Fp(n,x)=\chi_0(n \cdot P)$.
\end{lemma}
\begin{lemma} For all $x \in\F{p},\ n \in\N,\ P \in\F{p}\times\F{p}$\\
\begin{lemma}
For all $x \in\F{p},\ n \in\N,\ P \in\F{p}\times\F{p}$\\
such that $P \in M_{486662,2}(\F{p})$ and $\chi_0(P)= x$.
Given $n$ and $x$, $Twist25519\_Fp(n,x)=\chi_0(n \cdot P)$.
\end{lemma}
As the Montgomery ladder defined above does not depend on $b$, it is trivial to see that the computations done for points of $M_{486662,1}(\F{p})$ and of $M_{486662,2}(\F{p})$ are the same.
As the Montgomery ladder does not depend on $b$, it is trivial to
see that the computations done for points in $M_{486662,1}(\F{p})$ and in
$M_{486662,2}(\F{p})$ are the same.
\begin{lstlisting}[language=Coq]
Theorem curve_twist_eq: forall n x,
curve25519_Fp_ladder n x = twist25519_Fp_ladder n x.
...
...
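Review bot: the rewrapped lemma statements still read as two sentences where one hypothesis-conclusion pair is meant: `such that $P \in M_{486662,1}(\F{p})$ and $\chi_0(P)= x$.` is followed by `Given $n$ and $x$, $Curve25519\_Fp(n,x)=\chi_0(n \cdot P)$.`, so the full stop after `$\chi_0(P)= x$` should be a comma and the `\\` after the quantifier line dropped (same fix in the twist lemma). Two smaller points in this hunk: the definition opens with `Let the following instantiations of \aref{alg:montgomery-double-add}:`, which has no verb (`Let ... be` or `Consider ...`), and the unchanged `one of its quadratic twist` should be `one of its quadratic twists`. Since the cross-reference changed from `\ref{montgomery-ladder-correct}` to `\tref{thm:montgomery-ladder-correct}`, please confirm the corresponding `\label` was renamed and that no other `\ref{montgomery-ladder-correct}` remains in the file.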
@@ -461,14 +402,16 @@ Theorem curve_twist_eq: forall n x,
Because $2$ is not a square in $\F{p}$, it allows us split $\F{p}$ into two sets.
\begin{lemma}
\label{square-or-2square}
For all $x$ in $\F{p}$, there exists $y$ in $\F{p}$ such that
$$y^2= x\ \ \ \lor\ \ 2y^2= x$$
\label{lemma:square-or-2square}
For all $x$ in $\F{p}$, there exists $y$ in $\F{p}$ such that
$$y^2= x\ \ \ \lor\ \ 2y^2= x$$
\end{lemma}
For all $x \in\F{p}$, we can compute $x^3+ ax^2+ x$. Using Lemma \ref{square-or-2square} we can find a $y$ such that $(x,y)$ is either on the curve or on the quadratic twist:
For all $x \in\F{p}$, we can compute $x^3+ ax^2+ x$. Using \lref{lemma:square-or-2square}
we can find a $y$ such that $(x,y)$ is either on the curve or on the quadratic twist:
\begin{lemma}
\label{curve-or-twist}
For all $x \in\F{p}$, there exists a point $P$ over $M_{486662,1}(\F{p})$ or over $M_{486662,2}(\F{p})$ such that the $x$-coordinate of $P$ is $x$.
\label{lemma:curve-or-twist}
For all $x \in\F{p}$, there exists a point $P$ over $M_{486662,1}(\F{p})$ or
over $M_{486662,2}(\F{p})$ such that the $x$-coordinate of $P$ is $x$.
\end{lemma}
\begin{lstlisting}[language=Coq]
Theorem x_is_on_curve_or_twist: forall x : Zmodp.type,
...
...
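Review bot: the unchanged lead-in `Because $2$ is not a square in $\F{p}$, it allows us split $\F{p}$ into two sets.` is missing `to` (`allows us to split`) and has a dangling `it`; a cleaner statement of what the lemma actually proves is `Because $2$ is not a square in $\F{p}$, every element of $\F{p}$ is either a square or twice a square.` In the second lemma, `a point $P$ over $M_{486662,1}(\F{p})$` should read `on $M_{486662,1}(\F{p})$`, as elsewhere in the section. The labels are renamed here to `lemma:square-or-2square` and `lemma:curve-or-twist`; the old `\ref{square-or-2square}` on the removed line is replaced by `\lref{lemma:square-or-2square}`, but the old name `curve-or-twist` is still used as `\ref{curve-or-twist}` in the removed version of the $\F{p^2}$ paragraph further down, so grep for any remaining `\ref{curve-or-twist}` and `\ref{square-or-2square}` before merging.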
@@ -478,8 +421,10 @@ Theorem x_is_on_curve_or_twist: forall x : Zmodp.type,
\subsubsection{Curve25519 over \F{p^2}}
We use the same definitions as in \cite{Ber06}. We consider the extension field $\F{p^2}$ as the set $\F{p}\times\F{p}$ with $\delta=2$, in other words,
the polynomial with coefficients in $\F{p}$ modulo $X^2-2$. In a similar way as for $\F{p}$ we use Module in Coq.
The quadratic extension $\F{p^2}$ is defined as $\F{p}[\sqrt{2}]$ by~\cite{Ber06}.
We can represent it as the set $\F{p}\times\F{p}$ with $\delta=2$, in other words,
the polynomial with coefficients in $\F{p}$ modulo $X^2-2$. In a similar way
as for $\F{p}$ we use Module in Coq.
\begin{lstlisting}[language=Coq]
Module Zmodp2.
Inductive type :=
...
...
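Review bot: `with $\delta=2$` is used in the new sentence without $\delta$ being introduced; the reader needs that representing $\F{p^2}$ as $\F{p}[X]/(X^2-\delta)$ requires $\delta$ to be a non-square in $\F{p}$, which is exactly what the earlier sentence `$2$ is not a square in $\F{p}$` provides, so tie the two together (e.g. `with $\delta=2$, which is not a square in $\F{p}$`). Also `the polynomial with coefficients in $\F{p}$ modulo $X^2-2$` should be plural (`polynomials ... modulo $X^2-2$`), and `we use Module in Coq` reads better as `we use a Coq Module` (the listing that follows opens with `Module Zmodp2.`).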
@@ -504,16 +449,21 @@ Definition mul (x y : type) : type :=
pi ((x.1 * y.1) + (2%:R * (x.2 * y.2)),
(x.1 * y.2) + (x.2 * y.1)).
\end{lstlisting}
We define the basic operations ($+, -, \times$) with their respective neutral elements ($0, 1$).
Additionally we verify that for each element of in $\F{p^2}\backslash\{0\}$, there exists a multiplicative inverse.
\begin{lemma} For all $x \in\F{p^2}\backslash\{0\}$ and $a,b \in\F{p}$ such that $x =(a,b)$,
Similarly as in $\F{p}$, we define $0^{-1}=0$ and prove \lref{lemma:Zmodp2_ring}.
\begin{lemma}
$\F{p^2}$ is a commutative ring.
\label{lemma:Zmodp2_ring}
$\F{p^2}$ is a commutative ring.
\end{lemma}
We can then specialize the basic operations in order to speed up the verification of formulas by using rewrite rules:
We can then specialize the basic operations in order to speed up the verification
of formulas by using rewrite rules:
\begin{align*}
(a,0) + (b,0) &= (a+b, 0)\\
(a,0) \cdot (b,0) &= (a \cdot b, 0)\\
...
...
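Review bot: the replaced lemma dropped the multiplicative-inverse statement, but the unchanged prose still promises it: `we verify that for each element of in $\F{p^2}\backslash\{0\}$, there exists a multiplicative inverse` is now followed only by `$\F{p^2}$ is a commutative ring`, which says nothing about inverses. Either keep an inverse lemma (for $x=(a,b)\neq 0$, exhibit $x^{-1}$ and prove $x \cdot x^{-1} = 1$) or state the stronger property the prose implies; as written the text claims more than the lemma proves. Also fix the typo `each element of in` (drop `of`). For reference, the `mul` shown in this hunk, `(x.1 * y.1) + (2%:R * (x.2 * y.2))` and `(x.1 * y.2) + (x.2 * y.1)`, is the multiplication $(a+b\sqrt2)(c+d\sqrt2)=(ac+2bd)+(ad+bc)\sqrt2$, which is the convention any inverse lemma and the rewrite rules have to agree with.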
@@ -523,13 +473,19 @@ We can then specialize the basic operations in order to speed up the verificatio
(0, a)\cdot (0,b) &= (2\cdot a\cdot b, 0)\\
(0,a)^{-1}&= ((2\cdot a)^{-1},0)
\end{align*}
The injection $a \mapsto(a,0)$ from $\F{p}$ to $\F{p^2}$ preserves $0, 1, +, -, \times$. Thus $(a,0)$ can be abbreviated as $a$ without confusions.
The injection $a \mapsto(a,0)$ from $\F{p}$ to $\F{p^2}$ preserves
$0, 1, +, -, \times$. Thus $(a,0)$ can be abbreviated as $a$ without confusions.
We define $M_{486662,1}(\F{p^2})$. With the rewrite rule above, it is straightforward to prove that any point on the curve $M_{486662,1}(\F{p})$ is also on the curve $M_{486662,1}(\F{p^2})$. Similarly, any point on the quadratic twist $M_{486662,2}(\F{p})$ is also on the curve $M_{486662,1}(\F{p^2})$.
As direct consequence, using lemma \ref{curve-or-twist}, we prove that for all $x \in\F{p}$, there exists a point $P \in\F{p^2}\times\F{p^2}$ on $M_{486662,2}(\F{p})$ such that $\chi_0(P)$ is $(x,0)$
We define $M_{486662,1}(\F{p^2})$. With the rewrite rule above, it is straightforward
to prove that any point on the curve $M_{486662,1}(\F{p})$ is also on the curve
$M_{486662,1}(\F{p^2})$. Similarly, any point on the quadratic twist
$M_{486662,2}(\F{p})$ is also on the curve $M_{486662,1}(\F{p^2})$.
As direct consequence, using \lref{lemma:curve-or-twist}, we prove that for all
$x \in\F{p}$, there exists a point $P \in\F{p^2}\times\F{p^2}$ on
$M_{486662,1}(\F{p^2})$ such that $\chi_0(P)=(x,0)= x$.
\begin{lstlisting}[language=Coq]
Theorem x_is_on_curve_or_twist_implies_x_in_Fp2:
Lemma x_is_on_curve_or_twist_implies_x_in_Fp2:
forall (x:Zmodp.type),
exists (p: mc curve25519_Fp2_mcuType),
p#x0 = Zmodp2.Zmodp2 x 0.
...
...
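Review bot: the unchanged rewrite rule `(0,a)^{-1}&= ((2\cdot a)^{-1},0)` is inconsistent with the `mul` definition shown above. With `(x.1 * y.1) + (2%:R * (x.2 * y.2))` as first component and `(x.1 * y.2) + (x.2 * y.1)` as second, $(0,a)\cdot((2a)^{-1},0) = (0,\ a\cdot(2a)^{-1}) = (0,2^{-1}) \neq (1,0)$, whereas $(0,a)\cdot(0,(2a)^{-1}) = (2\cdot a\cdot(2a)^{-1},\ 0) = (1,0)$. So the inverse of $(0,a)$ is $(0,(2\cdot a)^{-1})$, i.e. $a\sqrt2$ inverts to $\sqrt2/(2a)$; if the Coq rewrite lemma is stated as in the text it will not be provable, so check which form the development uses and make the paper match. Separately, `without confusions` should be `without confusion`. The new paragraph does correctly fix the removed claim that the lifted point lies `on $M_{486662,2}(\F{p})$`: the existence statement is about $M_{486662,1}(\F{p^2})$, matching `x_is_on_curve_or_twist_implies_x_in_Fp2` in the listing, and relabeling it from `Theorem` to `Lemma` is consistent with how it is used.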
@@ -547,53 +503,64 @@ Define the functions $\varphi_c$, $\varphi_t$ and $\psi$\\
\end{dfn}
\begin{lemma}
For all $n \in\N$, for all point $P\in\F{p}\times\F{p}$ on the curve $M_{486662,1}(\F{p})$ (respectively on the quadratic twist $M_{486662,2}(\F{p})$), we have:
\begin{align*}
P \in M_{486662,1}(\F{p}) &\implies\varphi_c(n \cdot P) = n \cdot\varphi_c(P)\\
P \in M_{486662,2}(\F{p}) &\implies\varphi_t(n \cdot P) = n \cdot\varphi_t(P)
\end{align*}
\label{lemma:proj}
For all $n \in\N$, for all point $P\in\F{p}\times\F{p}$ on the curve
$M_{486662,1}(\F{p})$ (respectively on the quadratic twist $M_{486662,2}(\F{p})$), we have:
\begin{align*}
P \in M_{486662,1}(\F{p}) &\implies\varphi_c(n \cdot P) = n \cdot\varphi_c(P)\\
P \in M_{486662,2}(\F{p}) &\implies\varphi_t(n \cdot P) = n \cdot\varphi_t(P)
\end{align*}
\end{lemma}
Notice that:
\begin{align*}
\forall P \in M_{486662,1}(\F{p}),\ \ \psi(\chi_0(\varphi_c(P))) = \chi_0(P)\\
\forall P \in M_{486662,2}(\F{p}),\ \ \psi(\chi_0(\varphi_t(P))) = \chi_0(P)
\end{align*}
In summary for all $n \in\N,\ n < 2^{255}$, for any given point $P\in\F{p}\times\F{p}$ on $M_{486662,1}(\F{p})$ or $M_{486662,2}(\F{p})$\texttt{curve25519\_Fp\_ladder} computes the $\chi_0(n \cdot P)$.
We have proved that for all $P \in\F{p^2}\times\F{p^2}$ such that $\chi_0(P)\in\F{p}$ there exists a corresponding point on the curve or the twist over $\F{p}$.
We have proved that for any point, on the curve or the twist we can compute the scalar multiplication by $n$ and yield to the same result as if we did the computation in $\F{p^2}$. As a result we have proved theorem 2.1 of \cite{Ber06}:
In summary for all $n \in\N,\ n < 2^{255}$, for any given point $P\in\F{p}\times\F{p}$
on $M_{486662,1}(\F{p})$ or $M_{486662,2}(\F{p})$, $Curve25519\_Fp$
computes the $\chi_0(n \cdot P)$.
We have proved that for all $P \in\F{p^2}\times\F{p^2}$ such that $\chi_0(P)\in\F{p}$
there exists a corresponding point on the curve or the twist over $\F{p}$.
We have proved that for any point, on the curve or the twist we can compute the
scalar multiplication by $n$ and yield to the same result as if we did the
computation in $\F{p^2}$.
% As a result we have proved theorem 2.1 of \cite{Ber06}:
% No: missing uniqueness !
\begin{theorem}
For all $n \in\N$, $x \in\F{P}$, $P \in M_{486662,1}(\F{p^2})$, such that $n < 2^{255}$ and $\chi_0(P)=\varphi(x)$, \texttt{curve25519\_Fp\_ladder}$(n, x)$ computes $\psi(\chi_0(n \cdot P))$.
\label{thm:general-scalarmult}
For all $n \in\N$, such that $n < 2^{255}$,
for all $x \in\F{p}$ and $P \in M_{486662,1}(\F{p^2})$ such that $\chi_0(P)= x$,
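Review bot: the new summary restricts the scalar to `$n < 2^{255}$`, but the two lemmas it rests on (`$Curve25519\_Fp(n,x)=\chi_0(n \cdot P)$` and the twist analogue) are stated `For all $x \in\F{p},\ n \in\N, ...$` with no such bound; either the bound belongs on those lemmas too, or the summary should say where it comes from (the ladder's fixed number of iterations). The unchanged sentence `We have proved that for all $P \in\F{p^2}\times\F{p^2}$ such that $\chi_0(P)\in\F{p}$ there exists a corresponding point on the curve or the twist over $\F{p}$` states the converse of what the visible lemma `x_is_on_curve_or_twist_implies_x_in_Fp2` gives (from $x \in \F{p}$ to a point over $\F{p^2}$); the new comment `% No: missing uniqueness !` shows the author is aware of the gap, so either cite the lemma that proves the direction claimed or reword the sentence. Minor: `for all point $P$` should be `for all points $P$`, and `yield to the same result` should be `yields the same result`. The new theorem statement is cut off after `such that $\chi_0(P)= x$,` in this view, so its conclusion cannot be checked here; note that the removed line used `$\chi_0(P)=\varphi(x)$` with an undefined $\varphi$ (only $\varphi_c$, $\varphi_t$ and $\psi$ are introduced), which the new `$\chi_0(P)= x$` avoids by relying on the `$(a,0)$ abbreviated as $a$` convention.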