Commit b813f4aa by Benoit Viguier

### less todo

parent d064dd2a
 ... ... @@ -71,10 +71,17 @@ conditional swap between $Q$ and $R$ in the TweetNaCl implementation. \todo{Rephrase, use byte arrays, define clamping, state where things live.} Inputs are two 32-bytes arrays, one is $n$ the other one represent the $x$-coordinate of $P$. To ensure security and avoid low order subgroups, values of $n$ are forced into the shape of $2^{254} + 8\{0,1,\ldots,2^{251-1}\}$. This is done by setting bit 255 to \texttt{0}; bit 254 to \texttt{1} and the lower 3 bits to \texttt{0}, making it a multiple of 8. For any value $x \in \F{p}$, for the elliptic curve $E$ over $\F{p^2}$ defined by $y^2 = x^3 + 486662 x^2 + x$, there exist a point $P$ over $E(\F{p^2})$ such that $x$ is the $x$-coordinate of $P$. % (abreviated as $P.x$). Remark that $x$ is also the $x$-coordinate of $-P$. Given a natural number $n$ and $x$, X25519 returns the $x$-coordinate of the ... ... @@ -90,21 +97,22 @@ over $s_a$ and $P_b$ (respectively $s_b$ and $P_a$). \subsection{TweetNaCl specifics} \label{preliminaries:B} \todo{Some more text} In order to gain space, TweetNaCl uses a few shortcuts. As it names stands for, TweetNaCl aims for code compactness (in tweets). As a result it uses a few defines and typedef to gain precious bytes while still remaining readable. \begin{lstlisting}[language=Ctweetnacl] #define FOR(i,n) for (i = 0;i < n;++i) #define sv static void typedef unsigned char u8; typedef long long i64; \end{lstlisting} \todo{Comment on argument order} Any TweetNaCl functions takes pointers as arguments. The first one defines the output. It is then followed by the inputs arguments. \subsection{X25519 in TweetNaCl} \label{preliminaries:B} \todo{Add a sentence or two here to prepare the reader.} We now describe the implementation of X25519 in TweetNaCl. \subheading{Arithmetic in \Ffield.} In X25519, all computations are performed in $\F{p}$. ... ... 
@@ -259,11 +267,12 @@ byte array. \subheading{The Montgomery ladder.} With these low-level arithmetic and helper function at hand, we can now turn our attention to the core of the X25519 computation: the \TNaCle{crypto\_scalarmult} API function of TweetNaCl. the \TNaCle{crypto_scalarmult} API function of TweetNaCl. In order to compute the scalar multiplication, X25519 uses the Montgomery ladder~\cite{Mon85}. \todo{explain, projective coordinates, etc} of . First extract and clamp the value of $n$. Then unpack the value of $p$. As per RFC~7748~\cite{rfc7748}, set its most significant bit to 0. Finally compute the Montgomery ladder over the clamped $n$ and $p$, ... ...
 ... ... @@ -67,21 +67,6 @@ sv pack25519(u8 *o,const gf n) } } static int neq25519(const gf a, const gf b) { u8 c[32],d[32]; pack25519(c,a); pack25519(d,b); return crypto_verify_32(c,d); } static u8 par25519(const gf a) { u8 d[32]; pack25519(d,a); return d[0]&(unsigned char)1; } sv unpack25519(gf o, const u8 *n) { int i; ... ... @@ -133,18 +118,6 @@ sv inv25519(gf o,const gf a) FOR(i,16) o[i]=c[i]; } sv pow2523(gf o,const gf a) { gf c; int i; set25519(c,a); for(i=250;i>=0;i--) { S(c,c); if(i!=1) M(c,c,a); } FOR(i,16) o[i]=c[i]; } int crypto_scalarmult(u8 *q,const u8 *n,const u8 *p) { u8 z[32]; ... ...
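Review bot: in hunk @@ -71,10 +71,17 @@ the clamping set is written as $2^{254} + 8\{0,1,\ldots,2^{251-1}\}$; the minus one belongs outside the exponent, $8\{0,1,\ldots,2^{251}-1\}$, otherwise the set does not match the bit manipulation described in the next sentence (bit 255 cleared, bit 254 set, low three bits cleared gives exactly $2^{254} + 8k$ with $0 \le k < 2^{251}$). Grammar in the same hunk: "two 32-bytes arrays, one is $n$ the other one represent" should read "two 32-byte arrays: one is $n$, the other represents", and "there exist a point" should be "there exists a point".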
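Review bot: in hunk @@ -90,21 +97,22 @@ both \subsection{TweetNaCl specifics} and \subsection{X25519 in TweetNaCl} carry \label{preliminaries:B}; LaTeX will warn about a multiply-defined label and every \ref{preliminaries:B} will silently resolve to the last one, so give the second subsection its own label. Wording in the same hunk: "As it names stands for" should be "As its name suggests", "a few defines and typedef" should be "typedefs", and "Any TweetNaCl functions takes pointers as arguments ... the inputs arguments" should be "All TweetNaCl functions take pointers as arguments ... the input arguments".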
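Review bot: in hunk @@ -259,11 +267,12 @@ the sentence ending "\todo{explain, projective coordinates, etc} of ." leaves a dangling "of ." in the compiled text; either complete the sentence or drop the fragment until the todo is resolved. The same hunk uses $p$ for the unpacked input ("unpack the value of $p$") while the paper uses $p$ for the field prime and the earlier hunk calls the input the $x$-coordinate of $P$; one symbol should be chosen for the input. The swap between \TNaCle{crypto\_scalarmult} and \TNaCle{crypto_scalarmult} also needs checking against the definition of \TNaCle: an unescaped underscore outside math mode only compiles if the macro is verbatim-like.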
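Review bot: hunk @@ -67,21 +67,6 @@ removes neq25519 and par25519 from the excerpt, which is consistent with restricting it to X25519 since nothing in the shown context calls them; confirm that no later function in the file still references either, and that crypto_verify_32, whose only visible caller was neq25519, is dropped from the excerpt as well if it is now unused.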
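Review bot: hunk @@ -133,18 +118,6 @@ removes pow2523 immediately before crypto_scalarmult; the shown context of crypto_scalarmult does not call it, but check the remainder of the file so the excerpt still compiles, and consider stating in the surrounding text that the listing is the X25519 subset of TweetNaCl, since a reader comparing it with the upstream source will notice the missing functions.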