Commit b813f4aa authored by Benoit Viguier's avatar Benoit Viguier
Browse files

less todo

parent d064dd2a
......@@ -71,10 +71,17 @@ conditional swap between $Q$ and $R$ in the TweetNaCl implementation.
\todo{Rephrase, use byte arrays, define clamping, state where things live.}
Inputs are two 32-bytes arrays, one is $n$ the other one represent
the $x$-coordinate of $P$.
To ensure security and avoid low order subgroups, values of $n$ are forced
into the shape of $2^{254} + 8\{0,1,\ldots,2^{251-1}\}$.
This is done by setting bit 255 to \texttt{0}; bit 254 to \texttt{1} and the lower
3 bits to \texttt{0}, making it a multiple of 8.
For any value $x \in \F{p}$, for the elliptic curve $E$ over $\F{p^2}$
defined by $y^2 = x^3 + 486662 x^2 + x$, there exist a point $P$ over $E(\F{p^2})$
such that $x$ is the $x$-coordinate of $P$.
% (abreviated as $P.x$).
Remark that $x$ is also the $x$-coordinate of $-P$.
Given a natural number $n$ and $x$, X25519 returns the $x$-coordinate of the
......@@ -90,21 +97,22 @@ over $s_a$ and $P_b$ (respectively $s_b$ and $P_a$).
\subsection{TweetNaCl specifics}
\todo{Some more text}
In order to gain space, TweetNaCl uses a few shortcuts.
As it names stands for, TweetNaCl aims for code compactness (in tweets).
As a result it uses a few defines and typedef to gain precious bytes while
still remaining readable.
#define FOR(i,n) for (i = 0;i < n;++i)
#define sv static void
typedef unsigned char u8;
typedef long long i64;
\todo{Comment on argument order}
Any TweetNaCl functions takes pointers as arguments.
The first one defines the output. It is then followed by the inputs arguments.
\subsection{X25519 in TweetNaCl}
\todo{Add a sentence or two here to prepare the reader.}
We now describe the implementation of X25519 in TweetNaCl.
\subheading{Arithmetic in \Ffield.}
In X25519, all computations are performed in $\F{p}$.
......@@ -259,11 +267,12 @@ byte array.
\subheading{The Montgomery ladder.}
With these low-level arithmetic and helper function at hand, we can now
turn our attention to the core of the X25519 computation:
the \TNaCle{crypto\_scalarmult} API function of TweetNaCl.
the \TNaCle{crypto_scalarmult} API function of TweetNaCl.
In order to compute the scalar multiplication,
X25519 uses the Montgomery ladder~\cite{Mon85}.
\todo{explain, projective coordinates, etc}
of .
First extract and clamp the value of $n$. Then unpack the value of $p$.
As per RFC~7748~\cite{rfc7748}, set its most significant bit to 0.
Finally compute the Montgomery ladder over the clamped $n$ and $p$,
......@@ -67,21 +67,6 @@ sv pack25519(u8 *o,const gf n)
static int neq25519(const gf a, const gf b)
u8 c[32],d[32];
return crypto_verify_32(c,d);
static u8 par25519(const gf a)
u8 d[32];
return d[0]&(unsigned char)1;
sv unpack25519(gf o, const u8 *n)
int i;
......@@ -133,18 +118,6 @@ sv inv25519(gf o,const gf a)
FOR(i,16) o[i]=c[i];
sv pow2523(gf o,const gf a)
gf c;
int i;
for(i=250;i>=0;i--) {
if(i!=1) M(c,c,a);
FOR(i,16) o[i]=c[i];
int crypto_scalarmult(u8 *q,const u8 *n,const u8 *p)
u8 z[32];
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment