\section{Proving that X25519 in Coq matches the mathematical model}

\label{sec:maths}


\todo{DESCRIBE}

In this section we prove the following theorem:

\begin{theorem}

\label{thm:Elliptic-CSM}

The implementation of X25519 in TweetNaCl (\TNaCle{crypto_scalarmult}) computes the
$\F{p}$-restricted $x$-coordinate scalar multiplication on $E(\F{p^2})$ where $p$ is $\p$
and $E$ is the elliptic curve $y^2 = x^3 + 486662 x^2 + x$.

\end{theorem}

In this section we first present the work of Bartzia and Strub \cite{DBLP:conf/itp/BartziaS14} (\ref{subsec:ECC-Weierstrass}).
We extend it to support Montgomery curves (\ref{subsec:ECC-Montgomery}) with homogeneous coordinates (\ref{subsec:ECC-projective}) and prove the correctness of the ladder (\ref{subsec:ECC-ladder}).
We then prove that the Montgomery ladder computes the $x$-coordinate of scalar multiplication over $\F{p^2}$
(Theorem 2.1 by Bernstein \cite{Ber06}), where $p$ is the prime $\p$.

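As an added numerical illustration of Theorem~\ref{thm:Elliptic-CSM} (example code written for this section; it is neither part of the Coq development nor of TweetNaCl), the script below compares the two sides of the theorem for points of $E(\F{p})$: the mathematical model, an affine double-and-add over the Montgomery group law on $y^2 = x^3 + 486662 x^2 + x$, against the implementation model, an $x$-only ladder in projective $(X:Z)$ coordinates with the doubling and differential-addition formulas that \TNaCle{crypto_scalarmult} uses. All function names are ours; the base point $x = 9$ and the constant $121665 = (486662-2)/4$ are the standard Curve25519 values. Scalar clamping and byte encoding are left out, and the twist case (an $x \in \F{p}$ whose right-hand side is a non-square, so the point lives in $E(\F{p^2})$) is detected but not checked, since the affine model here works over $\F{p}$ only.

```python
# Added example (not the paper's Coq development): numerically check, for points of
# E(F_p), that the x-only Montgomery ladder used by X25519 returns the x-coordinate
# of the affine scalar multiple [k]P on E: y^2 = x^3 + 486662 x^2 + x, p = 2^255 - 19.

P = 2**255 - 19          # the prime p of the paper
A = 486662               # Montgomery coefficient of Curve25519
A24 = (A - 2) // 4       # 121665, the constant used by the ladder's doubling step


def inv(v):
    """Modular inverse via Fermat; inv(0) == 0 (so Z = 0 is mapped to infinity explicitly below)."""
    return pow(v, P - 2, P)


def rhs(x):
    """Right-hand side x^3 + A x^2 + x of the curve equation."""
    return (x * x * x + A * x * x + x) % P


def sqrt_mod_p(v):
    """Square root of v mod p for p = 5 (mod 8); None if v is a non-square."""
    y = pow(v, (P + 3) // 8, P)
    if y * y % P != v % P:
        y = y * pow(2, (P - 1) // 4, P) % P    # multiply by a square root of -1
    return y if y * y % P == v % P else None


def is_on_curve(x):
    """True iff some y in F_p satisfies the curve equation (x is a point of E(F_p), not of the twist)."""
    return sqrt_mod_p(rhs(x)) is not None


# ---- Mathematical model: affine group law on the Montgomery curve (B = 1) ----
# A point is None (the point at infinity) or a pair (x, y).

def affine_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:            # p2 == -p1, so the sum is infinity
            return None
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) * inv(2 * y1) % P   # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P                      # chord slope
    x3 = (lam * lam - A - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def affine_mul(k, pt):
    """Double-and-add scalar multiplication [k]pt using the affine group law."""
    result, acc = None, pt
    while k:
        if k & 1:
            result = affine_add(result, acc)
        acc = affine_add(acc, acc)
        k >>= 1
    return result


def affine_x(k, x):
    """x-coordinate of [k]P for P = (x, y) in E(F_p); None if [k]P is infinity."""
    y = sqrt_mod_p(rhs(x))
    assert y is not None, "x is on the twist, not in E(F_p)"
    q = affine_mul(k, (x, y))
    return None if q is None else q[0]


# ---- Implementation model: x-only Montgomery ladder in projective (X:Z) coordinates ----

def ladder_x(k, x1):
    """x-coordinate of [k]P computed from x(P) = x1 alone, in the style of crypto_scalarmult.

    Scalar clamping and byte encoding are left out; any 0 <= k < 2^255 is accepted."""
    x1 %= P
    x2, z2 = 1, 0            # (1:0) represents the point at infinity, i.e. [0]P
    x3, z3 = x1, 1           # (x1:1) represents [1]P
    swap = 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:                                  # conditional swap (constant time in the C code)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P   # differential addition
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P           # doubling
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return None if z2 == 0 else x2 * inv(z2) % P


def ladder_matches_model(k, x):
    """The statement checked numerically: ladder_x(k, x) == x([k]P) for P in E(F_p)."""
    return ladder_x(k, x) == affine_x(k, x)


if __name__ == "__main__":
    for k in (0, 1, 2, 3, 7, 12345, 2**200 + 17):
        print(k, ladder_matches_model(k, 9))
```

The ladder keeps the invariant that $(X_2:Z_2)$ and $(X_3:Z_3)$ represent $[m]P$ and $[m+1]P$ for the prefix $m$ of the scalar processed so far, which is exactly why the differential addition only needs $x(P)$ as the difference; the affine side needs a $y$-coordinate and therefore a point of $E(\F{p})$, which is why the script recovers $y$ with a square root for $p \equiv 5 \pmod 8$ before comparing.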