Commit 8b9f4c04 authored by Benoit Viguier's avatar Benoit Viguier

more space, less details

parent 02d38ac7
......@@ -83,25 +83,15 @@ match m with
(a,b,c,d,e,f)
end.
\end{lstlisting}
% The definitions of the encoding and decoding functions are detailed later
% in this section.
Our formalization differs slightly from the RFC. Indeed in order to optimize the
Our formalization matches perfectly the RFC. In order to optimize the
number of calls to \texttt{CSWAP} (defined in \sref{cswap})
the RFC uses an additional variable to decide
whether a conditional swap is required or not. Our description of the ladder
follows strictly the shape of the exponent as described in \aref{alg:montgomery-ladder}.
This divergence is allowed by the RFC:
\emph{``Note that these formulas are slightly different from Montgomery's
original paper. Implementations are free to use any correct formulas.''}~\cite{rfc7748}.
We later prove our ladder correct in that respect (\sref{sec:maths}).
the RFC uses an additional variable to decide whether a conditional swap
is required or not, this differ from \aref{alg:montgomery-ladder}.
% TweetNaCl implements X25519 with numbers represented as arrays.
% RFC~7748 defines X25519 over field elements. We show the equivalence between
% the different number representations. To simplify our proof, we define operations
% used in the ladder over generic types \coqe{T} and \coqe{T'}.
% Those types are later instantiated as list of integers, integers, natural
% numbers, or field elements.
Later in our proof we use a simpler description of the ladder
(\coqe{montgomery_rec}) which follows strictly the shape of
the exponent and prove those ladder equivalent.
\emph{``To implement the X25519(k, u) [...] functions (where k is
the scalar and u is the u-coordinate), first decode k and u and then
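Review bot: the replacement sentence "Our formalization matches perfectly the RFC." is immediately contradicted by the next one, which says the RFC's extra CSWAP variable "differ[s] from \aref{alg:montgomery-ladder}", and the dropped RFC quote ("Implementations are free to use any correct formulas.''~\cite{rfc7748}) was the justification for that divergence; either keep one sentence of justification with the \cite, or reword to "Our formalization follows the RFC" so the claim and the caveat agree. Two grammar fixes in the new text: "this differ from" should be "this differs from", and "prove those ladder equivalent" should be "prove those ladders equivalent". Also check that nothing else still references \sref{sec:maths} now that the sentence "We later prove our ladder correct in that respect (\sref{sec:maths})" is gone.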
......@@ -109,11 +99,6 @@ perform the following procedure, which is taken from [curve25519] and
based on formulas from [montgomery]. All calculations are performed
in GF(p), i.e., they are performed modulo p.''}~\cite{rfc7748}
% In TweetNaCl, as described in \sref{subsec:Number-TweetNaCl},
% elements of $\F{p}$ are represented as big integers using radix $2^{16}$.
% We use a direct mapping to represent such an array of limbs
% as a list of integers in Coq.
% RFC~7748 states that \emph{``All calculations are performed in GF(p), i.e., they are performed modulo p.''}
Operations used in the Montgomery ladder of \coqe{RFC} are performed on
integers (See Appendix~\ref{subsubsec:RFC-Coq}).
The reduction modulo $\p$ is deferred to the very end as part of the
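Review bot: dropping the commented block is safe here, since the commented RFC quote duplicated the one cited just above it; while touching this region, "(See Appendix~\ref{subsubsec:RFC-Coq})" should read "(see Appendix~\ref{subsubsec:RFC-Coq})" to match the lowercase parenthetical style used elsewhere in the file.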
......@@ -122,7 +107,6 @@ We define the little-endian projection to integers as follows.
\begin{dfn}
Let \Coqe{ZofList} : $\Z \rightarrow \texttt{list}~\Z \rightarrow \Z$,
a function given $n$ and a list $l$ returns its little endian decoding with radix $2^n$.
% We define it in Coq as:
\end{dfn}
\begin{lstlisting}[language=Coq,aboveskip=0pt,belowskip=1pt]
Fixpoint ZofList {n:Z} (a:list Z) : Z :=
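Review bot: the definition sentence that remains after removing "% We define it in Coq as:" is ungrammatical, "a function given $n$ and a list $l$ returns its little endian decoding"; suggest "a function that, given $n$ and a list $l$, returns its little-endian decoding with radix $2^n$", which also matches the hyphenated "little-endian projection" in the hunk header line.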
......
......@@ -280,43 +280,48 @@ differential additions and point doublings using projective coordinates.
By taking \aref{alg:montgomery-ladder} and replacing \texttt{xDBL\&ADD} by a
combination of the formulae from \lref{lemma:xADD} and \lref{lemma:xDBL},
we define a ladder \coqe{opt_montgomery} (in which $\K$ has not been fixed yet),
similar to the one used in TweetNaCl.
This definition is closely related to \coqe{montgomery_rec_swap} that was used
in the definition of \coqe{RFC}, and is easily proved to correspond to it.
In Coq this correspondence proof is hidden in the proof of \coqe{RFC_Correct} shown above.
we define a ladder \coqe{opt_montgomery} (in which $\K$ has not been fixed yet).
% similar to the one used in TweetNaCl (with \coqe{montgomery_rec}).
% shown above.
% We prove its correctness for any point whose \xcoord is not 0.
%
% \begin{lstlisting}[language=Coq,belowskip=-0.25 \baselineskip]
% Lemma opt_montgomery_x :
% forall (n m : nat) (x : K),
% n < 2^m -> x != 0 ->
% forall (p : mc M), p#x0 = x ->
% opt_montgomery n m x = (p *+ n)#x0.
% \end{lstlisting}
% We can remark that for an input $x = 0$, the ladder returns $0$.
% \begin{lstlisting}[language=Coq,belowskip=-0.25 \baselineskip]
% Lemma opt_montgomery_0:
% forall (n m : nat), opt_montgomery n m 0 = 0.
% \end{lstlisting}
% Also \Oinf\ is the neutral element of $M_{a,b}(\K)$.
% \begin{lstlisting}[language=Coq,belowskip=-0.25 \baselineskip]
% Lemma p_x0_0_eq_0 : forall (n : nat) (p : mc M),
% p #x0 = 0%:R -> (p *+ n) #x0 = 0%R.
% \end{lstlisting}
% This gives us the theorem of the correctness of the Montgomery ladder.
We prove its correctness for any point whose \xcoord is not 0.
\begin{lstlisting}[language=Coq,belowskip=-0.25 \baselineskip]
Lemma opt_montgomery_x :
forall (n m : nat) (x : K),
n < 2^m -> x != 0 ->
forall (p : mc M), p#x0 = x ->
opt_montgomery n m x = (p *+ n)#x0.
\end{lstlisting}
We can remark that for an input $x = 0$, the ladder returns $0$.
\begin{lstlisting}[language=Coq,belowskip=-0.25 \baselineskip]
Lemma opt_montgomery_0:
forall (n m : nat), opt_montgomery n m 0 = 0.
\end{lstlisting}
Also \Oinf\ is the neutral element of $M_{a,b}(\K)$.
\begin{lstlisting}[language=Coq,belowskip=-0.25 \baselineskip]
Lemma p_x0_0_eq_0 : forall (n : nat) (p : mc M),
p #x0 = 0%:R -> (p *+ n) #x0 = 0%R.
\end{lstlisting}
This gives us the theorem of the correctness of the Montgomery ladder.
\begin{theorem}
\label{thm:montgomery-ladder-correct}
For all $n, m \in \N$, $x \in \K$, $P \in M_{a,b}(\K)$,
if $\chi_0(P) = x$ then \coqe{opt_montgomery} returns $\chi_0(n \cdot P)$
\end{theorem}
\begin{lstlisting}[language=Coq,belowskip=-0.5 \baselineskip]
\begin{lstlisting}[language=Coq]
Theorem opt_montgomery_ok (n m: nat) (x : K) :
n < 2^m ->
forall (p : mc M), p#x0 = x ->
opt_montgomery n m x = (p *+ n)#x0.
\end{lstlisting}
The definition of \coqe{opt_montgomery} is closely related to \coqe{montgomery_rec_swap}
that was used in \coqe{RFC}.
We proved their equivalence, and used it in our
final proof of \coqe{Theorem RFC_Correct}.
\subsection{Curves, twists and extension fields}
\label{subsec:curve_twist_fields}
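Review bot: with the three lemmas (opt_montgomery_x, opt_montgomery_0, p_x0_0_eq_0) and their connecting prose reduced to comments, the text jumps from "we define a ladder \coqe{opt_montgomery} (in which $\K$ has not been fixed yet)." straight into \begin{theorem} with no sentence introducing it; one line such as "We prove its correctness for any point, including the case $x = 0$." would restore the flow and note the case the commented lemma handled. The prose theorem statement also omits the hypothesis $n < 2^m$ that the Coq statement \coqe{Theorem opt_montgomery_ok} carries on the next lines, and the sentence ending "returns $\chi_0(n \cdot P)$" lacks a period. In the new closing paragraph, "\coqe{Theorem RFC_Correct}" should be "\coqe{RFC_Correct}" for consistency with the other \coqe identifiers, and the past tense "We proved their equivalence, and used it" sits oddly beside the present tense used throughout the section ("We prove", "we define").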
......