Commit adfd17c6 authored by Benoit Viguier

small fixes

parent 83f8b86b
......@@ -93,12 +93,12 @@ sv inv25519(gf o,const gf a)
}
\end{lstlisting}
The last step of crypto\_scalarmult is the packing of the limbs, it returns
The last step of \texttt{crypto\_scalarmult} is the packing of the limbs, it returns
an array of bytes. It first performs 3 carry propagations in order to guarantee
that each 16-bit limbs values are between $0$ and $2^{16}$.
Then it computes a modulo reduction by \p by iterative substraction and
Then it computes a modulo reduction by $\p$ by iterative substraction and
conditional swap until it reaches a negative number.
This guarantees a unique representation in $\mathbb{Z}_{2^{255}-19}$.
This guarantees a unique representation in $\Zfield$.
After which each 16-bit limbs are splitted into 8-bit limbs.
\begin{lstlisting}[language=Ctweetnacl]
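Review bot: two spelling errors survive in this hunk: "substraction" should be "subtraction" and "splitted" should be "split". The phrase "each 16-bit limbs values are between $0$ and $2^{16}$" is both ungrammatical and ambiguous about whether $2^{16}$ is reachable (a 16-bit limb holds at most $2^{16}-1$); "each 16-bit limb holds a value in $[0, 2^{16})$" would be precise. Minor: "3 carry propagations" could be "three carry propagations" to match the prose style of the paragraph.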
......@@ -4,21 +4,21 @@ In this section we first present the work of Bartzia and Strub \cite{DBLP:conf/i
We extend it to support Montgomery curves (\ref{montgomery}) with homogeneous coordinates (\ref{projective}) and prove the correctness of the ladder (\ref{ladder}).
We then prove the montgomery ladder computes
the x-coordinate of scalar multiplication over \F{p^2}
(Theorem 2.1 by Bernstein \cite{Ber06}) where $p$ is the prime \p.
the x-coordinate of scalar multiplication over $\F{p^2}$
(Theorem 2.1 by Bernstein \cite{Ber06}) where $p$ is the prime $\p$.
\subsection{Formalization of Elliptic Curves}
We consider elliptic curves over a field \K. We assume that the
characteristic of \K\ is neither 2 or 3.
We consider elliptic curves over a field $\K$. We assume that the
characteristic of $\K$ is neither 2 or 3.
\begin{definition}
Let a field \K, using an appropriate choice of coordinates, an elliptic curve $E$
Let a field $\K$, using an appropriate choice of coordinates, an elliptic curve $E$
is a plane cubic albreaic curve $E(x,y)$ defined by an equation of the form:
$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$
where the $a_i$'s are in \K\ and the curve has no singular point (\ie no cusps
or self-intersections). The set of points, written $E(\K)$, is formed by the
solutions $(x,y)$ of $E$ augmented by a distinguished point \Oinf\ (called point at infinity):
solutions $(x,y)$ of $E$ augmented by a distinguished point $\Oinf$ (called point at infinity):
$$E(\K) = \{(x,y) \in \K \times \K | E(x,y)\} \cup \{\Oinf\}$$
\end{definition}
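Review bot: "albreaic curve" in the definition should be "algebraic curve", and "neither 2 or 3" should read "neither 2 nor 3"; since the hunk already touches the neighbouring lines, both are cheap to fold in. "Let a field $\K$, using an appropriate choice of coordinates, an elliptic curve $E$ is ..." is not a grammatical sentence; "Let $\K$ be a field. Using an appropriate choice of coordinates, an elliptic curve $E$ is ..." keeps the meaning. Also "montgomery ladder" should be capitalised as "Montgomery ladder", as elsewhere in the file.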
......@@ -29,7 +29,7 @@ This equation $E(x,y)$ can be reduced into its Weierstra{\ss} form.
\begin{definition}
Let $a \in \K$, and $b \in \K$ such that $$\Delta(a,b) = -16(4a^3 + 27b^2) \neq 0.$$ The \textit{elliptic curve} $E_{a,b}(\K)$ is the set of all points $(x,y) \in \K^2$ satisfying the equation:
$$y^2 = x^3 + ax + b,$$
along with an additional formal point \Oinf, ``at infinity''. Such curve does not present any singularity.
along with an additional formal point $\Oinf$, ``at infinity''. Such curve does not present any singularity.
\end{definition}
In this setting, Bartzia and Strub defined the parametric type \texttt{ec} which
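Review bot: "Such curve does not present any singularity" is awkward English; "Such a curve has no singular points" says the same thing and matches the wording of the first definition. It would also help to say that this is a consequence of $\Delta(a,b) \neq 0$, since that is the reason the condition is imposed.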
......@@ -56,7 +56,7 @@ Points of an elliptic curve can be equiped with a structure of an abelian group.
\item The negation of a point $P = (x,y)$ by taking the symetric with respect to the x axis $-P = (x, -y)$.
\item The addition of two points $P$ and $Q$ is defined by the negation of third intersection
of the line passing by $P$ and $Q$ or tangent to $P$ if $P = Q$.
\item \Oinf\ is the neutral element under this law: if 3 points are colinear, their sum is equal to \Oinf.
\item $\Oinf$ is the neutral element under this law: if 3 points are colinear, their sum is equal to $\Oinf$.
\end{itemize}
This operaction can be defined in Coq as follow:
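Review bot: several typos in the context lines of this hunk would be cheap to fix while the file is being edited: "equiped" (equipped), "symetric" (symmetric), "colinear" (collinear), "operaction" (operation), and "as follow" (as follows). "x axis" is better typeset as "$x$-axis".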
......@@ -93,7 +93,7 @@ the Montgomery form \cite{MontgomerySpeeding}.
\begin{definition}
Let $a \in \K \backslash \{-2, 2\}$, and $b \in \K \backslash \{ 0\}$. The \textit{Montgomery curve} $M_{a,b}(\K)$ is the set of all points $(x,y) \in \K^2$ satisfying the equation:
$$by^2 = x^3 + ax^2 + x,$$
along with an additional formal point \Oinf, ``at infinity''.
along with an additional formal point $\Oinf$, ``at infinity''.
\end{definition}
Using a similar representation, we defined the parametric type \texttt{mc} which
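Review bot: the Montgomery definition imposes $a \notin \{-2, 2\}$ and $b \neq 0$ without saying why; a short remark that together these amount to $b(a^2-4) \neq 0$, the non-singularity condition for this form, would mirror the $\Delta(a,b) \neq 0$ condition given in the Weierstraß definition above and make the parallel between the two definitions explicit.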
......@@ -267,7 +267,7 @@ With these two lemmas (\ref{lemma-add} and \ref{lemma-double}), we have the basi
\label{ladder}
Suppose we have a scalar $n$ and a point $P$ on some curve. The most straightforward way to compute $nP$ is to repetitively add $P$ \ie computing $P + \ldots + P$.
However there is an more efficient algorithm which makes use of the binary representation of $n$ and by combining doubling and adding and starting from \Oinf.
However there is an more efficient algorithm which makes use of the binary representation of $n$ and by combining doubling and adding and starting from $\Oinf$.
\eg for $n=11$, we compute $2(2(2(2\Oinf + P)) + P)+ P$.
\begin{algorithm}
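Review bot: "an more efficient algorithm" should be "a more efficient algorithm", and "repetitively add $P$" reads better as "repeatedly add $P$". The clause "which makes use of the binary representation of $n$ and by combining doubling and adding and starting from $\Oinf$" does not parse; "which uses the binary representation of $n$, starting from $\Oinf$ and combining doublings and additions" keeps the meaning. The $n = 11$ example checks out: $2(2(2(2\Oinf + P)) + P) + P = 2(5P) + P = 11P$.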
......@@ -420,7 +420,7 @@ We first study Curve25519 and one of the quadratic twist Twist25519, first defin
\subsubsection{Curves and Twists}
We define \F{p} as the numbers between $0$ and $p = \p$.
We define $\F{p}$ as the numbers between $0$ and $p = \p$.
We create a \coqe{Zmodp} module to encapsulate those definitions.
\begin{lstlisting}[language=Coq]
Module Zmodp.
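Review bot: "the numbers between $0$ and $p$" leaves open whether the endpoints are included; since $\F{p}$ has exactly $p$ elements, state it as the integers $x$ with $0 \le x < p$.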
......@@ -441,7 +441,7 @@ End Zmodp.
We define the basic operations ($+, -, \times$) with their respective neutral elements ($0, 1$).
\begin{lemma}
\F{p} is a commutative ring.
$\F{p}$ is a commutative ring.
\end{lemma}
% \begin{lstlisting}[language=Coq]
% Definition zero : type := pi 0.
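Review bot: the lemma states that $\F{p}$ is a commutative ring, which is what the commented-out \texttt{Zmodp\_ring} listing below proves, but since $p$ is prime (as stated at the start of the section) $\F{p}$ is in fact a field; if only the ring structure is formalised, say so explicitly, otherwise readers will expect a field instance. Separately, the commented-out \texttt{lstlisting} block is dead weight in the source: either restore it or delete it.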
......@@ -454,7 +454,7 @@ We define the basic operations ($+, -, \times$) with their respective neutral el
% Lemma Zmodp_ring :
% ring_theory zero one add mul sub opp eq.
% \end{lstlisting}
And finally for $a = 486662$, by using the Legendre symbol we prove that $a^2 - 4$ and $2$ are not squares in \F{p}.
And finally for $a = 486662$, by using the Legendre symbol we prove that $a^2 - 4$ and $2$ are not squares in $\F{p}$.
\begin{lstlisting}[language=Coq]
Lemma a_not_square : forall x: Zmodp.type,
x^+2 != (Zmodp.pi 486662)^+2 - 4%:R.
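Review bot: the lemma name \texttt{a\_not\_square} suggests a statement about $a$ itself, while the statement shown is that $a^2 - 4$ is not a square; a name along the lines of \texttt{a2\_minus\_4\_not\_square} would make the prose ("$a^2 - 4$ and $2$ are not squares") and the code agree. Also "And finally" at the start of the sentence can simply be "Finally".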
......@@ -482,10 +482,10 @@ Theorem curve_twist_eq: forall n x,
curve25519_Fp_ladder n x = twist25519_Fp_ladder n x.
\end{lstlisting}
Because $2$ is not a square in \F{p}, it allows us split \F{p} into two sets.
Because $2$ is not a square in $\F{p}$, it allows us split $\F{p}$ into two sets.
\begin{lemma}
\label{square-or-2square}
For all $x$ in \F{p}, there exists $y$ in \F{p} such that
For all $x$ in $\F{p}$, there exists $y$ in $\F{p}$ such that
$$y^2 = x\ \ \ \lor\ \ 2y^2 = x$$
\end{lemma}
For all $x \in \F{p}$, we can compute $x^3 + ax^2 + x$. Using Lemma \ref{square-or-2square} we can find a $y$ such that $(x,y)$ is either on the curve or on the quadratic twist:
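Review bot: "it allows us split $\F{p}$" is missing "to": "this allows us to split $\F{p}$ into two sets". It would also help to name the two sets, i.e. the squares and twice the squares, which is exactly the dichotomy that the lemma that follows establishes.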
......@@ -493,16 +493,16 @@ For all $x \in \F{p}$, we can compute $x^3 + ax^2 + x$. Using Lemma \ref{square-
\label{curve-or-twist}
For all $x \in \F{p}$, there exists a point $P$ over $M_{486662,1}(\F{p})$ or over $M_{486662,2}(\F{p})$ such that the $x$-coordinate of $P$ is $x$.
\end{lemma}
\begin{coq}
\begin{lstlisting}[language=Coq]
Theorem x_is_on_curve_or_twist: forall x : Zmodp.type,
(exists (p : mc curve25519_mcuType), p#x0 = x) \/
(exists (p' : mc twist25519_mcuType), p'#x0 = x).
\end{coq}
\end{lstlisting}
\subsubsection{Curve25519 over \F{p^2}}
We use the same definitions as in \cite{Ber06}. We consider the extension field \F{p^2} as the set $\F{p} \times \F{p}$ with $\delta = 2$, in other words,
the polynomial with coefficients in \F{p} modulo $X^2 - 2$. In a similar way as for \F{p} we use Module in Coq.
We use the same definitions as in \cite{Ber06}. We consider the extension field $\F{p^2}$ as the set $\F{p} \times \F{p}$ with $\delta = 2$, in other words,
the polynomial with coefficients in $\F{p}$ modulo $X^2 - 2$. In a similar way as for $\F{p}$ we use Module in Coq.
\begin{lstlisting}[language=Coq]
Module Zmodp.
Inductive type :=
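Review bot: the listing introduced for $\F{p^2}$ starts with "Module Zmodp.", the same name as the $\F{p}$ module shown earlier; if this is a different module, give it a distinct name or state explicitly that it is a different one, since the text does not otherwise distinguish them. In the prose, "the polynomial with coefficients in $\F{p}$ modulo $X^2 - 2$" should be "polynomials with coefficients in $\F{p}$ modulo $X^2 - 2$", and "we use Module in Coq" should be "we use a Coq module".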
......@@ -537,9 +537,9 @@ Additionally we verify that for each element of in $\F{p^2}\backslash\{0\}$, the
\begin{lemma} For all $x \in \F{p^2}\backslash\{0\}$ and $a,b \in \F{p}$ such that $x = (a,b)$,
$$x^{-1} = \Big(\frac{a}{a^2-2b^2}\ , \frac{-b}{a^2-2b^2}\Big)$$
\end{lemma}
Similarily as in \F{p}, we define $0^{-1} = 0$.
Similarily as in $\F{p}$, we define $0^{-1} = 0$.
\begin{lemma}
\F{p^2} is a commutative ring.
$\F{p^2}$ is a commutative ring.
\end{lemma}
We can then specialize the basic operations in order to speed up the verifications of formulas by using rewrite rules:
\begin{align*}
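Review bot: "Similarily" should be "Similarly". The inversion formula is consistent with writing $x = a + b\sqrt{2}$ and multiplying numerator and denominator by the conjugate $a - b\sqrt{2}$, which yields the denominator $a^2 - 2b^2$; this denominator is non-zero for every $x \neq 0$ precisely because $2$ is not a square in $\F{p}$ (shown earlier), and it is worth stating that as the reason the lemma only needs to exclude $x = 0$.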
......@@ -589,8 +589,8 @@ Notice that:
\end{align*}
In summary for all $n \in \N,\ n < 2^{255}$, for any given point $P\in\F{p}\times\F{p}$ on $M_{486662,1}(\F{p})$ or $M_{486662,2}(\F{p})$ \texttt{curve25519\_Fp\_ladder} computes the $\chi_0(nP)$.
We have proved that for all $P \in \F{p^2}\times\F{p^2}$ such that $\chi_0(P) \in \F{p}$ there exists a corresponding point on the curve or the twist over \F{p}.
We have proved that for any point, on the curve or the twist we can compute the scalar multiplication by $n$ and yield to the same result as if we did the computation in \F{p^2}. As a result we have proved theorem 2.1 of \cite{Ber06}:
We have proved that for all $P \in \F{p^2}\times\F{p^2}$ such that $\chi_0(P) \in \F{p}$ there exists a corresponding point on the curve or the twist over $\F{p}$.
We have proved that for any point, on the curve or the twist we can compute the scalar multiplication by $n$ and yield to the same result as if we did the computation in $\F{p^2}$. As a result we have proved theorem 2.1 of \cite{Ber06}:
\begin{theorem}
For all $n \in \N$, $x \in \F{P}$, $P \in M_{486662,1}(\F{p^2})$, such that $n < 2^{255}$ and $\chi_0(P) = \varphi(x)$, \texttt{curve25519\_Fp\_ladder}$(n, x)$ computes $\psi(\chi_0(nP))$.
\end{theorem}
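Review bot: in the theorem statement "$x \in \F{P}$" with a capital $P$ looks like a typo for $\F{p}$ and is otherwise an undefined notation. In the summary sentence, "computes the $\chi_0(nP)$" should drop "the", "yield to the same result" should be "yields the same result", and "theorem 2.1" should be capitalised as "Theorem 2.1" to match the section's introduction; "In summary for all $n \in \N$" also needs a comma after "summary".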