Commit d0114f8c authored by benoit

more flow

parent b4906681
...@@ -51,7 +51,7 @@ $a^2 - 4$ is not a square in $\K$, we prove the correctness of the ladder (\tref ...@@ -51,7 +51,7 @@ $a^2 - 4$ is not a square in $\K$, we prove the correctness of the ladder (\tref
\label{tikz:ProofHighLevel1} \label{tikz:ProofHighLevel1}
\end{figure} \end{figure}
We now turn our attention to the details of the proof. We now turn our attention to the details of the proof of the ladder's correctness.
\begin{dfn} \begin{dfn}
Given a field $\K$, Given a field $\K$,
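Review bot: the reworded sentence on the right ("the details of the proof of the ladder's correctness") could name the statement being proved instead, e.g. "the details of the proof of \tref{thm:montgomery-ladder-correct}", since the sentence just before the figure (visible in the hunk header) already cites the theorem by \tref and the later hunks refer to it by that label throughout.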
...@@ -345,7 +345,14 @@ final proof of \coqe{Theorem RFC_Correct}. ...@@ -345,7 +345,14 @@ final proof of \coqe{Theorem RFC_Correct}.
\fref{tikz:ProofHighLevel2} gives a high-level view of the proofs presented here. \fref{tikz:ProofHighLevel2} gives a high-level view of the proofs presented here.
The white tiles are definitions while green tiles are important lemmas and theorems. The white tiles are definitions while green tiles are important lemmas and theorems.
A brief overview of the complete proof is described bellow. \begin{figure}[h]
\centering
\include{tikz/highlevel2}
\caption{Proof dependencies for the correctness of X25519.}
\label{tikz:ProofHighLevel2}
\end{figure}
A brief overview of the complete proof of is described bellow.
We first pose $a = 486662$, $b = 1$, $b' = 2$, $p = 2^{255}-19$, with the equations $C = M_{a,b}$, and $T = M_{a,b'}$. We first pose $a = 486662$, $b = 1$, $b' = 2$, $p = 2^{255}-19$, with the equations $C = M_{a,b}$, and $T = M_{a,b'}$.
We prove the primality of $p$ and define the field $\F{p}$. We prove the primality of $p$ and define the field $\F{p}$.
Subsquently we show that neither $2$ nor $a^2 - 2$ are square in $\F{p}$. Subsquently we show that neither $2$ nor $a^2 - 2$ are square in $\F{p}$.
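Review bot: the new sentence on the right, "A brief overview of the complete proof of is described bellow.", has a stray "of" and misspells "below"; the left-hand version carried the same "bellow". Suggest "A brief overview of the complete proof is given below." Two context lines in this hunk also deserve a fix while the paragraph is being touched: "Subsquently" should be "Subsequently", and "neither $2$ nor $a^2 - 2$ are square in $\F{p}$" disagrees with the hypothesis quoted elsewhere in this diff ("$a^2-4$ is not a square in \K"), so check whether $a^2 - 2$ should read $a^2 - 4$, and use "neither ... nor ... is a square". Moving the figure above the overview is fine; with the [h] placement LaTeX may still float it away, so [ht] or [H] would be safer if the figure is meant to sit right here.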
...@@ -354,26 +361,15 @@ We prove that for all $x \in \F{p}$ there exist a point of \xcoord $x$ either on ...@@ -354,26 +361,15 @@ We prove that for all $x \in \F{p}$ there exist a point of \xcoord $x$ either on
We prove that all points in $M(\F{p})$ and $T(\F{p})$ can be projected in $M(\F{p^2})$ and derive that computations done in $M(\F{p})$ and $T(\F{p})$ yield to the same results if projected to $M(\F{p^2})$. We prove that all points in $M(\F{p})$ and $T(\F{p})$ can be projected in $M(\F{p^2})$ and derive that computations done in $M(\F{p})$ and $T(\F{p})$ yield to the same results if projected to $M(\F{p^2})$.
Using \tref{thm:montgomery-ladder-correct} we prove that the ladder is correct for $M(\F{p})$ and $T(\F{p})$; with the previous results, this results in the correctness of the ladder for $M(\F{p^2})$, in other words the correctness of X25519. Using \tref{thm:montgomery-ladder-correct} we prove that the ladder is correct for $M(\F{p})$ and $T(\F{p})$; with the previous results, this results in the correctness of the ladder for $M(\F{p^2})$, in other words the correctness of X25519.
Now that we have an red line for the proof, we turn our attention to the details.
\begin{figure}[h] Indeed \tref{thm:montgomery-ladder-correct} cannot be applied directly to prove that X25519 is
\centering doing the computations over $M(\F{p^2})$. This would infer that $\K = \F{p^2}$ and we would need to satisfy
\include{tikz/highlevel2}
\caption{Proof dependencies for the correctness of X25519.}
\label{tikz:ProofHighLevel2}
\end{figure}
To be able to use the \tref{thm:montgomery-ladder-correct} we need to satisfy
hypothesis~\ref{hyp:a_minus_4_not_square}:% hypothesis~\ref{hyp:a_minus_4_not_square}:%
% $a^2-4$ is not a square in \K: % $a^2-4$ is not a square in \K:
$$\forall x \in \K,\ x^2 \neq a^2-4.$$ $$\forall x \in \K,\ x^2 \neq a^2-4.$$
However there always exists $x \in \F{p^2}$ such that $x^2 = a^2-4$, which is not possible as there always exists $x \in \F{p^2}$ such that $x^2 = a^2-4$.
preventing the use \tref{thm:montgomery-ladder-correct} Consequently, we first study Curve25519 and one of its quadratic twists Twist25519,
with $\K = \F{p^2}$. both defined over \F{p}.
\begin{sloppypar}
We first study Curve25519 and one of its quadratic twists Twist25519,
both defined over \F{p}.
\end{sloppypar}
\subsubsection{Curves and twists} \subsubsection{Curves and twists}
\label{subsec:Zmodp} \label{subsec:Zmodp}
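Review bot: "Now that we have an red line for the proof" on the right should be "a", not "an", and "red line" (the French fil rouge) reads oddly in English; "an outline of the proof" or "a road map for the proof" is clearer. In the next sentence, "This would infer that $\K = \F{p^2}$" should be "This would require that" or "This would mean that", since a hypothesis does not infer anything, and "X25519 is doing the computations over $M(\F{p^2})$" reads better as "X25519 computes over $M(\F{p^2})$". The argument itself is correct as restructured: the theorem needs $a^2-4$ to be a non-square in \K, and the new text states that such an $x$ always exists in $\F{p^2}$, so the theorem cannot be applied with $\K = \F{p^2}$. Two things to check: "\F{p}" in the last new line ("both defined over \F{p}.") sits outside math mode while every other occurrence in this hunk is written "$\F{p}$", so confirm the macro enters math mode itself or wrap it; and the unchanged context lines still read "there exist a point" (should be "exists") and "yield to the same results" (should be "yield the same results").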
...@@ -408,9 +404,11 @@ We now consider $M_{486662,1}(\F{p})$ and $M_{486662,2}(\F{p})$, one of its quad ...@@ -408,9 +404,11 @@ We now consider $M_{486662,1}(\F{p})$ and $M_{486662,2}(\F{p})$, one of its quad
% \begin{dfn}Let the following instantiations of \aref{alg:montgomery-double-add}:\\ % \begin{dfn}Let the following instantiations of \aref{alg:montgomery-double-add}:\\
\begin{dfn} \begin{dfn}
%Let the following instantiations of \aref{alg:montgomery-ladder}:\\ %Let the following instantiations of \aref{alg:montgomery-ladder}:\\
We instantiate \coqe{opt_montgomery} in two specific ways:\\ We instantiate \coqe{opt_montgomery} in two specific ways:
-- $Curve25519\_Fp(n,x)$ for $M_{486662,1}(\F{p})$.\\ \begin{itemize}
-- $Twist25519\_Fp(n,x)$ for $M_{486662,2}(\F{p})$. \item[--] $Curve25519\_Fp(n,x)$ for $M_{486662,1}(\F{p})$.
\item[--] $Twist25519\_Fp(n,x)$ for $M_{486662,2}(\F{p})$.
\end{itemize}
\end{dfn} \end{dfn}
With \tref{thm:montgomery-ladder-correct} we derive the following two lemmas: With \tref{thm:montgomery-ladder-correct} we derive the following two lemmas:
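Review bot: replacing the manual "--" line breaks with an itemize is an improvement, but the two commented-out lines kept in the hunk ("% \begin{dfn}Let the following instantiations of \aref{alg:montgomery-double-add}" and "%Let the following instantiations of \aref{alg:montgomery-ladder}") are now stale and should be deleted rather than carried along. Also, "$Curve25519\_Fp(n,x)$" and "$Twist25519\_Fp(n,x)$" typeset the names as products of italic letters with math spacing; since these are identifiers, \coqe{...} (as already used for \coqe{opt_montgomery} on the same line) or \textit{...} inside the math would be consistent with the rest of the text.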
...@@ -539,13 +537,15 @@ Lemma x_is_on_curve_or_twist_implies_x_in_Fp2: ...@@ -539,13 +537,15 @@ Lemma x_is_on_curve_or_twist_implies_x_in_Fp2:
We now study the case of the scalar multiplication and show similar proofs. We now study the case of the scalar multiplication and show similar proofs.
\begin{dfn} \begin{dfn}
Define the functions $\varphi_c$, $\varphi_t$ and $\psi$\\ Define the functions $\varphi_c$, $\varphi_t$ and $\psi$
-- $\varphi_c: M_{486662,1}(\F{p}) \mapsto M_{486662,1}(\F{p^2})$\\ \begin{itemize}
such that $\varphi((x,y)) = ((x,0), (y,0))$.\\ \item[--] $\varphi_c: M_{486662,1}(\F{p}) \mapsto M_{486662,1}(\F{p^2})$\\
-- $\varphi_t: M_{486662,2}(\F{p}) \mapsto M_{486662,1}(\F{p^2})$\\ such that $\varphi((x,y)) = ((x,0), (y,0))$.
such that $\varphi((x,y)) = ((x,0), (0,y))$.\\ \item[--] $\varphi_t: M_{486662,2}(\F{p}) \mapsto M_{486662,1}(\F{p^2})$\\
-- $\psi: \F{p^2} \mapsto \F{p}$\\ such that $\varphi((x,y)) = ((x,0), (0,y))$.
such that $\psi(x,y) = x$. \item[--] $\psi: \F{p^2} \mapsto \F{p}$\\
such that $\psi(x,y) = x$.
\end{itemize}
\end{dfn} \end{dfn}
\begin{lemma} \begin{lemma}
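Review bot: the defining equations on the right still use the unsubscripted "$\varphi((x,y)) = \ldots$" for both $\varphi_c$ and $\varphi_t$, so the two definitions as written never mention the function being defined; they should read "$\varphi_c((x,y)) = ((x,0), (y,0))$" and "$\varphi_t((x,y)) = ((x,0), (0,y))$". "\mapsto" is the element-level arrow; for the domain/codomain signature use "\to" or "\rightarrow", e.g. "$\varphi_c: M_{486662,1}(\F{p}) \to M_{486662,1}(\F{p^2})$". The trailing "\\" at the end of the first line of each \item forces a hard break inside the item (and can trigger underfull-hbox warnings); "such that ..." can simply continue on the same line. Finally, "Define the functions $\varphi_c$, $\varphi_t$ and $\psi$" needs a colon (or "as follows:") before the list.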
......
...@@ -18,7 +18,6 @@ BOLD = "\033[1m" ...@@ -18,7 +18,6 @@ BOLD = "\033[1m"
all: tweetverif.pdf reviews.pdf all: tweetverif.pdf reviews.pdf
# main pdf # main pdf
tweetverif.pdf: FORCE tweetverif.tex tweetnacl.diff tweetverif.pdf: FORCE tweetverif.tex tweetnacl.diff
@echo $(BOLD)$(LIGHTPURPLE)"Building tweetverif.pdf"$(NO_COLOR)$(DARKGRAY) @echo $(BOLD)$(LIGHTPURPLE)"Building tweetverif.pdf"$(NO_COLOR)$(DARKGRAY)
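Review bot: the hunk header (-18,7 +18,6) records one line removed from the Makefile, but the removed line does not appear in this rendered view, so the change itself cannot be reviewed here; the visible context (the "all" target and the "tweetverif.pdf: FORCE tweetverif.tex tweetnacl.diff" rule) is unchanged.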
......
...@@ -47,12 +47,12 @@ ...@@ -47,12 +47,12 @@
\begin{scope}[yshift=-2.5 cm,xshift=4.125 cm] \begin{scope}[yshift=-2.5 cm,xshift=4.125 cm]
\draw[fill=green!20] (-0.3,0) -- (1.78,0) -- (1.78,-1.25) -- (-0.3, -1.25) -- cycle; \draw[fill=green!20] (-0.3,0) -- (1.78,0) -- (1.78,-1.25) -- (-0.3, -1.25) -- cycle;
\draw (0.75,0) node[textstyle, anchor=north] {$\forall x \in \F{p},$\\[.6ex]$\forall P \in C(\F{p}),$\\[.6ex]$x = \chi_0(P)\implies$\\[.6ex]lad. $n$ $x = \chi_0(n \cdot P)$}; \draw (0.75,0) node[textstyle, anchor=north] {$\forall x \in \F{p},$\\[.6ex]$\forall P \in C(\F{p}),$\\[.6ex]$x = \chi_0(P)\implies$\\[.6ex]lad $n$ $x = \chi_0(n \cdot P)$};
\end{scope} \end{scope}
\begin{scope}[yshift=-2.5 cm,xshift=6.25 cm] \begin{scope}[yshift=-2.5 cm,xshift=6.25 cm]
\draw[fill=green!20] (-0.3,0) -- (1.78,0) -- (1.78,-1.25) -- (-0.3, -1.25) -- cycle; \draw[fill=green!20] (-0.3,0) -- (1.78,0) -- (1.78,-1.25) -- (-0.3, -1.25) -- cycle;
\draw (0.75,0) node[textstyle, anchor=north] {$\forall x \in \F{p},$\\[.6ex]$\forall Q \in T(\F{p}),$\\[.6ex]$x = \chi_0(Q)\implies$\\[.6ex]lad. $n$ $x = \chi_0(n \cdot Q)$}; \draw (0.75,0) node[textstyle, anchor=north] {$\forall x \in \F{p},$\\[.6ex]$\forall Q \in T(\F{p}),$\\[.6ex]$x = \chi_0(Q)\implies$\\[.6ex]lad $n$ $x = \chi_0(n \cdot Q)$};
\end{scope} \end{scope}
\path [thick, double, ->] (1.875,-1.75) edge [out=-90, in=90] (1.875,-2.5); \path [thick, double, ->] (1.875,-1.75) edge [out=-90, in=90] (1.875,-2.5);
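Review bot: dropping the period from "lad." removes the abbreviation marker but leaves "lad $n$ $x = \chi_0(n \cdot P)$" as the tile text, which a reader of the figure cannot decode without the surrounding prose; consider spelling out "ladder" or using the same \coqe{opt_montgomery} name the body uses, in both the $C(\F{p})$ and $T(\F{p})$ tiles. The node text relies on "\\[.6ex]" line breaks, which TikZ only honours when the node has an align or text width option, so make sure the shared "textstyle" style (defined outside this hunk) sets one. The header records 12 lines on each side but only 9 are shown, so the remaining context is not reviewable in this view.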
......