Commit b62693bb authored by Timmy Weerwag's avatar Timmy Weerwag
Browse files

Some typos

parent 93aef6f8
......@@ -105,7 +105,7 @@ Points on an elliptic curve form an abelian group when equipped with the followi
\item The negation of a point $P = (x,y)$ is defined by reflection over the $x$-axis, \ie $-P = (x, -y)$.
\item The addition of two points $P$ and $Q$ is defined as the negation of the third intersection point
of the line passing through $P$ and $Q$, or tangent to $P$ if $P = Q$.
\item $\Oinf$ is the neutral element under this law: if 3 points are collinear, their sum is equal to $\Oinf$
\item $\Oinf$ is the neutral element under this law: if 3 points are collinear, their sum is equal to $\Oinf$.
\end{itemize}
These operations are defined in Coq as follows (where we omit the code for the tangent case):
\begin{lstlisting}[language=Coq]
......@@ -293,14 +293,14 @@ Similarly, we also prove the formula for point doubling.% (\lref{lemma:xDBL}).
we have $X_3/Z_3 = \chi(2P_1)$.
\end{lemma}
With \lref{lemma:xADD} and \lref{lemma:xDBL}, we are able to compute efficiently
With \lref{lemma:xADD} and \lref{lemma:xDBL}, we are able to efficiently compute
differential additions and point doublings using projective coordinates.
\subsubsection{Scalar multiplication algorithms}
\label{subsec:ECC-ladder}
By taking \aref{alg:montgomery-ladder} and replacing \texttt{xDBL\&ADD} by a
combination of the formulae from \lref{lemma:xADD} and \lref{lemma:xDBL},
combination of the formulas from \lref{lemma:xADD} and \lref{lemma:xDBL}, % formula/s/ to make it consistent with the rest of the text -T
we define a ladder \coqe{opt_montgomery} (in which $\K$ has not been fixed yet).
% similar to the one used in TweetNaCl (with \coqe{montgomery_rec}).
% shown above.
......@@ -361,18 +361,18 @@ The white tiles are definitions while green tiles are important lemmas and theor
A brief overview of the complete proof is described below.
We first pose $a = 486662$, $b = 1$, $b' = 2$, $p = 2^{255}-19$, with the equations $C = M_{a,b}$, and $T = M_{a,b'}$.
We prove the primality of $p$ and define the field $\F{p}$.
Subsequently, we show that neither $2$ nor $a^2 - 2$ are square in $\F{p}$.
Subsequently, we show that neither $2$ nor $a^2 - 2$ is a square in $\F{p}$.
We consider $\F{p^2}$ and define $C(\F{p})$, $T(\F{p})$, and $C(\F{p^2})$.
We prove that for all $x \in \F{p}$ there exists a point of \xcoord $x$ either on $C(\F{p})$ or on the quadratic twist $T(\F{p})$.
We prove that all points in $M(\F{p})$ and $T(\F{p})$ can be projected in $M(\F{p^2})$ and derive that computations done in $M(\F{p})$ and $T(\F{p})$ yield to the same results if projected to $M(\F{p^2})$.
We prove that for all $x \in \F{p}$ there exists a point with \xcoord $x$ either on $C(\F{p})$ or on the quadratic twist $T(\F{p})$.
We prove that all points in $M(\F{p})$ and $T(\F{p})$ can be projected in $M(\F{p^2})$ and derive that computations done in $M(\F{p})$ and $T(\F{p})$ yield the same results if projected to $M(\F{p^2})$.
Using \tref{thm:montgomery-ladder-correct} we prove that the ladder is correct for $M(\F{p})$ and $T(\F{p})$; with the previous results, this results in the correctness of the ladder for $M(\F{p^2})$, in other words the correctness of X25519.
Now that we have an red line for the proof, we turn our attention to the details.
Now that we have a red line for the proof, we turn our attention to the details.
Indeed \tref{thm:montgomery-ladder-correct} cannot be applied directly to prove that X25519 is
doing the computations over $M(\F{p^2})$. This would infer that $\K = \F{p^2}$ and we would need to satisfy
hypothesis~\ref{hyp:a_minus_4_not_square}:%
Hypothesis~\ref{hyp:a_minus_4_not_square}:%
% $a^2-4$ is not a square in \K:
$$\forall x \in \K,\ x^2 \neq a^2-4.$$
$$\forall x \in \K,\ x^2 \neq a^2-4,$$
which is not possible as there always exists $x \in \F{p^2}$ such that $x^2 = a^2-4$.
Consequently, we first study Curve25519 and one of its quadratic twists Twist25519,
both defined over \F{p}.
......@@ -419,14 +419,15 @@ This allows us to study $M_{486662,1}(\F{p})$ and $M_{486662,2}(\F{p})$, one of
With \tref{thm:montgomery-ladder-correct} we derive the following two lemmas:
\begin{lemma}
For all $x \in \F{p},\ n \in \N,\ P \in \F{p} \times \F{p}$,\\
such that $P \in M_{486662,1}(\F{p})$ and $\chi_0(P) = x$.
$$Curve25519\_Fp(n,x) = \chi_0(n \cdot P)$$
Let $x \in \F{p}$, $n \in \N$, $P \in \F{p} \times \F{p}$
such that $P \in M_{486662,1}(\F{p})$ and $\chi_0(P) = x$, then
$$Curve25519\_Fp(n,x) = \chi_0(n \cdot P).$$
% I was thrown off by the full stop about what the actual statement was. -T
\end{lemma}
\begin{lemma}
For all $x \in \F{p},\ n \in \N,\ P \in \F{p} \times \F{p}$\\
such that $P \in M_{486662,2}(\F{p})$ and $\chi_0(P) = x$.
$$Twist25519\_Fp(n,x) = \chi_0(n \cdot P)$$
Let $x \in \F{p}$, $n \in \N$, $P \in \F{p} \times \F{p}$
such that $P \in M_{486662,2}(\F{p})$ and $\chi_0(P) = x$, then
$$Twist25519\_Fp(n,x) = \chi_0(n \cdot P).$$
\end{lemma}
As the Montgomery ladder does not depend on $b$, it is trivial to
see that the computations done for points in $M_{486662,1}(\F{p})$ and in
......@@ -436,11 +437,11 @@ $M_{486662,2}(\F{p})$ are the same.
% curve25519_Fp_ladder n x = twist25519_Fp_ladder n x.
% \end{lstlisting}
Because $2$ is not a square in $\F{p}$, it allows us split $\F{p}$ into two sets.
Because $2$ is not a square in $\F{p}$, it allows us to split $\F{p}$ into two sets.
\begin{lemma}
\label{lemma:square-or-2square}
For all $x$ in $\F{p}$, there exists $y$ in $\F{p}$ such that
$$y^2 = x\ \ \ \lor\ \ 2y^2 = x$$
For all $x$ in $\F{p}$, there exists a $y$ in $\F{p}$ such that
$$y^2 = x\ \ \ \lor\ \ 2y^2 = x.$$
\end{lemma}
For all $x \in \F{p}$, we can compute $x^3 + ax^2 + x$. Using \lref{lemma:square-or-2square}
we can find a $y$ such that $(x,y)$ is either on the curve or on the quadratic twist:
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment