This equation $E(x,y)$ can be reduced into its Weierstra{\ss} form.

\begin{definition}

Let $a \in\K$, and $b \in\K$ such that $$\Delta(a,b)=-16(4a^3+27b^2)\neq0.$$ The \textit{elliptic curve}$E_{a,b}$ is the set of all points $(x,y)\in\K^2$ satisfying the equation:

Let $a \in\K$, and $b \in\K$ such that $$\Delta(a,b)=-16(4a^3+27b^2)\neq0.$$ The \textit{elliptic curve}$E_{a,b}(\K)$ is the set of all points $(x,y)\in\K^2$ satisfying the equation:

$$y^2= x^3+ ax + b,$$

along with an additional formal point \Oinf, ``at infinity''. Such curve does not present any singularity.

\end{definition}

...

...
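Review bot: the revised line `The \textit{elliptic curve}$E_{a,b}(\K)$ is the set of all points` still has no space between `\textit{elliptic curve}` and the following `$E_{a,b}(\K)$`, so the typeset text reads "elliptic curveE_{a,b}(K)"; write `\textit{elliptic curve} $E_{a,b}(\K)$`. The closing sentence "Such curve does not present any singularity" should also say where that comes from: "Such a curve is non-singular, which is exactly what the condition $\Delta(a,b)\neq0$ guarantees."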

@@ -91,7 +91,7 @@ homogeneous coordinates and other forms than the Weierstra{\ss} form. We conside

the Montgomery form \cite{MontgomerySpeeding}.

\begin{definition}

Let $a \in\K\backslash\{-2, 2\}$, and $b \in\K\backslash\{0\}$. The \textit{Montgomery curve}$M_{a,b}$ is the set of all points $(x,y)\in\K^2$ satisfying the equation:

Let $a \in\K\backslash\{-2, 2\}$, and $b \in\K\backslash\{0\}$. The \textit{Montgomery curve}$M_{a,b}(\K)$ is the set of all points $(x,y)\in\K^2$ satisfying the equation:

$$by^2= x^3+ ax^2+ x,$$

along with an additional formal point \Oinf, ``at infinity''.

Points on a projective plane are represented with a triple $(X:Y:Z)$. Any points except $(0:0:0)$ defines a point on a projective plane. A scalar multiple of a point defines the same point, \ie

for all $\alpha\neq0$, $(X:Y:Z)$ and $(\alpha X:\alpha Y:\alpha Z)$ defines the same point. For $Z\neq0$, the projective point $(X:Y:Z)$ corresponds to the point $(X/Z,Y/Z)$ on the Euclidian plane, likewise the point $(X,Y)$ on the Euclidian plane corresponds to $(X:Y:1)$ on the projective plane.

We can write the equation for a Montgomery curve $M_{a,b}$ as such:

We can write the equation for a Montgomery curve $M_{a,b}(\K)$ as such:

\begin{equation}

b \bigg(\frac{Y}{Z}\bigg)^2 = \bigg(\frac{X}{Z}\bigg)^3 + a \bigg(\frac{X}{Z}\bigg)^2 + \bigg(\frac{X}{Z}\bigg)

\end{equation}

...

...
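Review bot: the revised line `The \textit{Montgomery curve}$M_{a,b}(\K)$ is the set of all points` has the same missing space before `$M_{a,b}(\K)$` as the Weierstrass definition. Since the hunk already touches this definition, the unchanged context lines are worth fixing in the same commit: "Any points except $(0:0:0)$ defines a point" should be "Any triple except $(0:0:0)$ defines a point", "$(X:Y:Z)$ and $(\alpha X:\alpha Y:\alpha Z)$ defines the same point" should be "define", "Euclidian" should be "Euclidean" (twice), and "as such:" should be "as follows:".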

@@ -182,27 +182,27 @@ b Y^2Z = X^3 + a X^2Z + XZ^2

\end{equation}

With this equation we can additionally represent the ``point at infinity''. By setting $Z=0$, we derive $X=0$, giving us the ``infinite points'' $(0:Y:0)$ with $Y\neq0$.

By restristing the parameter $a$ of $M_{a,b}$ such that $a^2-4$ is not a square in \K, we ensure that $(0,0)$ is the only point with a $y$-coordinate of $0$.

By restristing the parameter $a$ of $M_{a,b}(\K)$ such that $a^2-4$ is not a square in \K, we ensure that $(0,0)$ is the only point with a $y$-coordinate of $0$.

With those coordinates we prove the following lemmas for the addition of two points.

\begin{definition}We define the functions $\chi$ and $\chi_0$:\\

-- $\chi : M_{a,b}\to\K\cup\{\infty\}$\\

-- $\chi : M_{a,b}(\K)\to\K\cup\{\infty\}$\\

such that $\chi(\Oinf)=\infty$ and $\chi((x,y))= x$.\\

-- $\chi_0 : M_{a,b}\to\K$\\

-- $\chi_0 : M_{a,b}(\K)\to\K$\\

such that $\chi_0(\Oinf)=0$ and $\chi_0((x,y))= x$.

\end{definition}

\begin{lemma}

\label{lemma-add}

Let $M_{a,b}$ be a Montgomery curve such that $a^2-4$ is not a square, and let $X_1, Z_1, X_2, Z_2, X_3, Z_3\in\K$, such that $(X_1,Z_1)\neq(0,0)$, $(X_2,Z_2)\neq(0,0)$, $X_4\neq0$ and $Z_4\neq0$.

Let $M_{a,b}(\K)$ be a Montgomery curve such that $a^2-4$ is not a square, and let $X_1, Z_1, X_2, Z_2, X_3, Z_3\in\K$, such that $(X_1,Z_1)\neq(0,0)$, $(X_2,Z_2)\neq(0,0)$, $X_4\neq0$ and $Z_4\neq0$.

then for any point $P_1$ and $P_2$ on $M_{a,b}$ such that $X_1/Z_1=\chi(P_1), X_2/Z_2=\chi(P_2)$, and $X_4/Z_4=\chi(P_1- P_2)$, we have $X_3/Z_3=\chi(P_1+P_2)$.\\

then for any point $P_1$ and $P_2$ on $M_{a,b}(\K)$ such that $X_1/Z_1=\chi(P_1), X_2/Z_2=\chi(P_2)$, and $X_4/Z_4=\chi(P_1- P_2)$, we have $X_3/Z_3=\chi(P_1+P_2)$.\\

\textbf{Remark:} For any $x \in\K\backslash\{0\}, x/0$ should be understood as $\infty$.

\end{lemma}

% This can be formalized as follow:

...

...
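Review bot: the revised line `Let $M_{a,b}(\K)$ be a Montgomery curve such that $a^2-4$ is not a square, and let $X_1, Z_1, X_2, Z_2, X_3, Z_3\in\K$` constrains $X_4\neq0$ and $Z_4\neq0$ without ever declaring $X_4, Z_4$, and nothing in the lemma as shown says how $X_3, Z_3$ are obtained from $X_1,\dots,Z_4$ (Lemma \ref{lemma-double} at least announces a "Define"); the quantified list should read $X_1, Z_1, X_2, Z_2, X_3, Z_3, X_4, Z_4\in\K$, followed by the defining formulas for $X_3$ and $Z_3$, before "then for any point $P_1$ and $P_2$". The revised line `By restristing the parameter $a$ of $M_{a,b}(\K)$` also carries the typo "restristing" over from the old line; "restricting".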

@@ -240,13 +240,13 @@ then for any point $P_1$ and $P_2$ on $M_{a,b}$ such that $X_1/Z_1 = \chi(P_1),

With those coordinates we also prove a similar lemma for point doubling.

\begin{lemma}

\label{lemma-double}

Let $M_{a,b}$ be a Montgomery curve such that $a^2-4$ is not a square, and let $X_1, Z_1, X_2, Z_2, X_3, Z_3\in\K$, such that $(X_1,Z_1)\neq(0,0)$. Define

Let $M_{a,b}(\K)$ be a Montgomery curve such that $a^2-4$ is not a square, and let $X_1, Z_1, X_2, Z_2, X_3, Z_3\in\K$, such that $(X_1,Z_1)\neq(0,0)$. Define

then for any point $P_1$ on $M_{a,b}$ such that $X_1/Z_1=\chi(P_1)$, we have $X_3/Z_3=\chi(2P_1)$.

then for any point $P_1$ on $M_{a,b}(\K)$ such that $X_1/Z_1=\chi(P_1)$, we have $X_3/Z_3=\chi(2P_1)$.

\end{lemma}

% Which is formalized as follow:

% \begin{lstlisting}[language=Coq]

...

...
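Review bot: in the doubling lemma the revised line `Let $M_{a,b}(\K)$ be a Montgomery curve such that $a^2-4$ is not a square, and let $X_1, Z_1, X_2, Z_2, X_3, Z_3\in\K$` quantifies over $X_2, Z_2$, which the statement never uses (only $X_1/Z_1=\chi(P_1)$ and $X_3/Z_3=\chi(2P_1)$ appear); drop them. Within the lines shown, "Define" is followed directly by "then for any point $P_1$", so the formulas for $X_3, Z_3$ that "Define" announces must appear between the two, otherwise the lemma has no content.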

@@ -323,7 +323,7 @@ Algorithm \ref{montgomery-ladder} is correct, \ie it respects its output conditi

In Curve25519 we are only interested in the $x$ coordinate of points, using Lemmas \ref{lemma-add} and \ref{lemma-double}, and replacing the if statements with conditional swapping we can define a ladder similar to the one used in TweetNaCl. See Algorithm \ref{montgomery-double-add}

\begin{algorithm}

\caption{Montgomery ladder for scalar multiplication on $M_{a,b}$ with optimizations}

\caption{Montgomery ladder for scalar multiplication on $M_{a,b}(\K)$ with optimizations}

\label{montgomery-double-add}

\begin{algorithmic}

\REQUIRE{$x \in\K\backslash\{0\}$, scalars $n$ and $m$, $n < 2^m$}

...

...
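Review bot: the precondition `\REQUIRE{$x \in\K\backslash\{0\}$, scalars $n$ and $m$, $n < 2^m$}` excludes $x=0$, yet the text right after this hunk states that the ladder returns $0$ on input $x=0$ (`opt_montgomery n m 0 = 0`) and Theorem \ref{montgomery-ladder-correct} quantifies over all $x\in\K$; either relax the requirement to $x\in\K$ or state the $x=0$ case separately so the algorithm's contract and the theorem agree. The lead-in "In Curve25519 we are only interested in the $x$ coordinate of points, using Lemmas ..., and replacing the if statements with conditional swapping we can define a ladder" is a run-on and should also say why the swap replaces the branch: the branch condition is a bit of the scalar $n$, and the conditional swap removes that scalar-dependent control flow, which is what the TweetNaCl ladder relies on for constant-time execution.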

@@ -381,7 +381,7 @@ We can remark that for an input $x = 0$, the ladder returns $0$.

Lemma opt_montgomery_0:

forall (n m : nat), opt_montgomery n m 0 = 0.

\end{lstlisting}

Also \Oinf\ is the neutral element over $M_{a,b}$, we have:

Also \Oinf\ is the neutral element over $M_{a,b}(\K)$, we have:

$$\forall P, P +\Oinf\ = P$$

thus we derive the following lemma.

% \begin{lemma}

...

...
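Review bot: the revised line `Also \Oinf\ is the neutral element over $M_{a,b}(\K)$, we have:` is ungrammatical; suggest "Since \Oinf\ is the neutral element of $M_{a,b}(\K)$, we have $\forall P,\ P+\Oinf=P$, and thus derive the following lemma." Inside the display `$$\forall P, P +\Oinf\ = P$$` the `\ ` after `\Oinf` inserts a stray space before `=` and can be dropped.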

@@ -395,7 +395,7 @@ Lemma p_x0_0_eq_0 : forall (n : nat) (p : mc M),

And thus the theorem of the correctness of the Montgomery ladder.

\begin{theorem}

\label{montgomery-ladder-correct}

For all $n, m \in\N$, $x \in\K$, $P \in M_{a,b}$,

For all $n, m \in\N$, $x \in\K$, $P \in M_{a,b}(\K)$,

if $\chi_0(P)= x$ then Algorithm \ref{montgomery-double-add} returns $\chi_0(nP)$

We consider $M_{486662,1}$ and $M_{486662,2}$ over \F{p}. $M_{486662,1}$ has the same equation as Curve25519 while $M_{486662,2}$ is ome of its quadratic twist.

We consider $M_{486662,1}(\F{p})$ and $M_{486662,2}(\F{p})$, one of its quadratic twist.

% $M_{486662,1}(\F{p})$ has the same equation as $M_{486662,1}(\F{p^2})$ while $M_{486662,2}(\F{p})$ is one of its quadratic twist.

By instanciating theorem \ref{montgomery-ladder-correct} we derive the following two lemmas:

\begin{lemma} For all $x \in\F{p},\ n \in\N,\ P \in\F{p}\times\F{p}$,\\

such that $P \in M_{486662,1}$ and $\chi_0(P)= x$.

such that $P \in M_{486662,1}(\F{p})$ and $\chi_0(P)= x$.

Given $n$ and $x$, $Curve25519\_Fp(n,x)=\chi_0(nP)$.

\end{lemma}

\begin{lemma} For all $x \in\F{p},\ n \in\N,\ P \in\F{p}\times\F{p}$\\

such that $P \in M_{486662,2}$ and $\chi_0(P)= x$.

such that $P \in M_{486662,2}(\F{p})$ and $\chi_0(P)= x$.

Given $n$ and $x$, $Twist25519\_Fp(n,x)=\chi_0(nP)$.

\end{lemma}

As the Montgomery ladder defined above does not depends on $b$, it is trivial to see that the computations done for points of $M_{486662,1}$ and of $M_{486662,2}$ are the same.

As the Montgomery ladder defined above does not depends on $b$, it is trivial to see that the computations done for points of $M_{486662,1}(\F{p})$ and of $M_{486662,2}(\F{p})$ are the same.

\begin{lstlisting}[language=Coq]

Theorem curve_twist_eq: forall n x,

curve25519_Fp_ladder n x = twist25519_Fp_ladder n x.

For all $x \in\F{p}$, we can compute $x^3+ ax^2+ x$. Using Lemma \ref{square-or-2square} we can find a $y$ such that $(x,y)$ is either on the curve or on the quadratic twist:

\begin{lemma}

\label{curve-or-twist}

For all $x \in\F{p}$, there exists a point $P$ over $M_{486662,1}$ or over $M_{486662,2}$ such that the $x$-coordinate of $P$ is $x$.

For all $x \in\F{p}$, there exists a point $P$ over $M_{486662,1}(\F{p})$ or over $M_{486662,2}(\F{p})$ such that the $x$-coordinate of $P$ is $x$.

\end{lemma}

\begin{coq}

Theorem x_is_on_curve_or_twist: forall x : Zmodp.type,

...

...
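Review bot: the Coq block opened by `\begin{lstlisting}[language=Coq]` / `Theorem curve_twist_eq: forall n x,` has no `\end{lstlisting}` before the prose "For all $x \in\F{p}$, we can compute $x^3+ ax^2+ x$" resumes, and the next block uses `\begin{coq}` while every other listing in the file uses `\begin{lstlisting}[language=Coq]`; close the first block and settle on one environment. The revised line `We consider $M_{486662,1}(\F{p})$ and $M_{486662,2}(\F{p})$, one of its quadratic twist.` loses the fact, present in the old line, that $M_{486662,1}$ is the curve of Curve25519, which the reader needs to connect it to `Curve25519\_Fp`; suggest "We consider $M_{486662,1}(\F{p})$, the curve underlying Curve25519, and $M_{486662,2}(\F{p})$, one of its quadratic twists." It would also help to state the consequence of `curve_twist_eq` together with Lemma \ref{curve-or-twist} in one sentence: the ladder computes $\chi_0(nP)$ for every $x\in\F{p}$ without any check that $x$ is the coordinate of a point on the curve. Minor: "instanciating" should be "instantiating", "does not depends on $b$" should be "does not depend on $b$", and the theorem statement "if $\chi_0(P)= x$ then Algorithm \ref{montgomery-double-add} returns $\chi_0(nP)$" lacks a terminating period.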

@@ -499,9 +501,8 @@ Theorem x_is_on_curve_or_twist: forall x : Zmodp.type,

\subsubsection{Curve25519 over \F{p^2}}

We use the same definitions as in \cite{Ber06} and we consider the extension field \F{p^2} as the set $\F{p}\times\F{p}$. We prove that two is not a square and...

In a similar way as for \F{p} we use Module in Coq.

We use the same definitions as in \cite{Ber06}. We consider the extension field \F{p^2} as the set $\F{p}\times\F{p}$ with $\delta=2$, in other words,

the polynomial with coefficients in \F{p} modulo $X^2-2$. In a similar way as for \F{p} we use Module in Coq.

\begin{lstlisting}[language=Coq]

Module Zmodp.

Inductive type :=

...

...
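Review bot: the revised lines `We consider the extension field \F{p^2} as the set $\F{p}\times\F{p}$ with $\delta=2$, in other words,` / `the polynomial with coefficients in \F{p} modulo $X^2-2$.` introduce $\delta$ without saying what it denotes, and drop the statement from the old line that two is not a square in \F{p}, which is precisely what makes $X^2-2$ irreducible and the quotient a field; suggest "we represent \F{p^2} as $\F{p}[X]/(X^2-\delta)$ with $\delta=2$, that is, pairs $(a,b)\in\F{p}\times\F{p}$ standing for $a+bX$; this is a field because $2$ is not a square in \F{p}, which we prove." Also "the polynomial with coefficients in \F{p}" should be "the polynomials with coefficients in \F{p}", and "we use Module in Coq" should be "we use a Coq Module".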

@@ -552,8 +553,8 @@ We can then specialize the basic operations in order to speed up the verificatio

\end{align*}

The injection $a \mapsto(a,0)$ from $\F{p}$ to $\F{p^2}$ preserves $0, 1, +, -, \times$. Thus $(a,0)$ can be abbreviated as $a$ without confusions.

We define $M_{486662,1}$ over $\F{p^2}$. With the rewrite rule above, it is straightforward to prove that any point on the curve $M_{486662,1}$ over $\F{p}$ is also on the curve $M_{486662,1}$ over $\F{p^2}$. Similarily, any point on the quadratic twist $M_{486662,2}$ over $\F{p}$ is also on the curve $M_{486662,1}$.

As direct consequence, using lemma \ref{curve-or-twist}, we prove that for all $x \in\F{p}$, there exists a point $P \in\F{p^2}\times\F{p^2}$ on $M_{486662,2}$ such that $\chi_0(P)$ is $(x,0)$

We define $M_{486662,1}(\F{p^2})$. With the rewrite rule above, it is straightforward to prove that any point on the curve $M_{486662,1}(\F{p})$ is also on the curve $M_{486662,1}(\F{p^2})$. Similarily, any point on the quadratic twist $M_{486662,2}(\F{p})$ is also on the curve $M_{486662,1}(\F{p^2})$.

As direct consequence, using lemma \ref{curve-or-twist}, we prove that for all $x \in\F{p}$, there exists a point $P \in\F{p^2}\times\F{p^2}$ on $M_{486662,2}(\F{p})$ such that $\chi_0(P)$ is $(x,0)$

\begin{lstlisting}[language=Coq]

Theorem x_is_on_curve_or_twist_implies_x_in_Fp2:

...

...
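Review bot: the revised line `As direct consequence, using lemma \ref{curve-or-twist}, we prove that for all $x \in\F{p}$, there exists a point $P \in\F{p^2}\times\F{p^2}$ on $M_{486662,2}(\F{p})$` names the wrong curve: a point with coordinates in $\F{p^2}\times\F{p^2}$ cannot lie on a curve over \F{p}, and the sentence just before places both the curve points and the twist points on $M_{486662,1}(\F{p^2})$; it should read $M_{486662,1}(\F{p^2})$, with "As a direct consequence" and a period at the end. In that preceding sentence, "any point on the quadratic twist $M_{486662,2}(\F{p})$ is also on the curve $M_{486662,1}(\F{p^2})$" is imprecise: a pair $(x,y)$ with $2y^2=x^3+ax^2+x$ does not itself satisfy $y^2=x^3+ax^2+x$; its image $(x,(0,y))$ does, because $(0,y)^2=2y^2$ under the $X^2-2$ representation of the previous hunk, so say that the point maps onto the curve. Also "Similarily" should be "Similarly" and "without confusions" should be "without confusion".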

@@ -574,24 +575,24 @@ Define the functions $\varphi_c$, $\varphi_t$ and $\psi$\\

\end{definition}

\begin{lemma}

For all $n \in\N$, for all point $P\in\F{p}\times\F{p}$ on the curve $M_{486662,1}$ (respectively on the quadratic twist $M_{486662,2}$), we have:

For all $n \in\N$, for all point $P\in\F{p}\times\F{p}$ on the curve $M_{486662,1}(\F{p})$ (respectively on the quadratic twist $M_{486662,2}(\F{p})$), we have:

\begin{align*}

P \in M_{486662,1}&\implies\varphi_c(n \cdot P) = n \cdot\varphi_c(P)\\

P \in M_{486662,2}&\implies\varphi_t(n \cdot P) = n \cdot\varphi_t(P)

P \in M_{486662,1}(\F{p})&\implies\varphi_c(n \cdot P) = n \cdot\varphi_c(P)\\

P \in M_{486662,2}(\F{p})&\implies\varphi_t(n \cdot P) = n \cdot\varphi_t(P)

\end{align*}

\end{lemma}

Notice that:

\begin{align*}

\forall P \in M_{486662,1}, \psi(\chi_0(\varphi_c(P))) = \chi_0(P)\\

\forall P \in M_{486662,2}, \psi(\chi_0(\varphi_t(P))) = \chi_0(P)\\

\forall P \in M_{486662,1}(\F{p}),\ \ \psi(\chi_0(\varphi_c(P))) = \chi_0(P)\\

\forall P \in M_{486662,2}(\F{p}),\ \ \psi(\chi_0(\varphi_t(P))) = \chi_0(P)

\end{align*}

In summary for all $n \in\N,\ n < 2^{255}$, for any given point $P\in\F{p}\times\F{p}$ on $M_{486662,1}$ or $M_{486662,2}$\texttt{curve25519\_Fp\_ladder} computes the $\chi_0(nP)$.

In summary for all $n \in\N,\ n < 2^{255}$, for any given point $P\in\F{p}\times\F{p}$ on $M_{486662,1}(\F{p})$ or $M_{486662,2}(\F{p})$\texttt{curve25519\_Fp\_ladder} computes the $\chi_0(nP)$.

We have proved that for all $P \in\F{p^2}\times\F{p^2}$ such that $\chi_0(P)\in\F{p}$ there exists a corresponding point on the curve or the twist over \F{p}.

We have proved that for any point, on the curve or the twist we can compute the scalar multiplication by $n$ and yield to the same result as if we did the computation in \F{p^2}. As a result we have proved theorem 2.1 of \cite{Ber06}:

\begin{theorem}

For all $n \in\N$, $x \in\F{P}$, $P \in M_{486662,1}$, such that $n < 2^{255}$ and $\chi_0(P)=\varphi(x)$, \texttt{curve25519\_Fp\_ladder}$(n, x)$ computes $\psi(\chi_0(nP))$.

For all $n \in\N$, $x \in\F{P}$, $P \in M_{486662,1}(\F{p^2})$, such that $n < 2^{255}$ and $\chi_0(P)=\varphi(x)$, \texttt{curve25519\_Fp\_ladder}$(n, x)$ computes $\psi(\chi_0(nP))$.
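Review bot: the revised theorem `For all $n \in\N$, $x \in\F{P}$, $P \in M_{486662,1}(\F{p^2})$, such that $n < 2^{255}$ and $\chi_0(P)=\varphi(x)$` writes `\F{P}` (capital) where the rest of the file uses `\F{p}`, and uses an undefined $\varphi$: this hunk defines only $\varphi_c$, $\varphi_t$ and $\psi$, so the hypothesis should use the injection of the previous section and read $\chi_0(P)=(x,0)$. In the revised summary line "on $M_{486662,1}(\F{p})$ or $M_{486662,2}(\F{p})$\texttt{curve25519\_Fp\_ladder} computes the $\chi_0(nP)$" a comma and a space are missing before `\texttt{curve25519\_Fp\_ladder}` and "the" before $\chi_0(nP)$ should go; "yield to the same result" in the context line should be "yields the same result".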