Commit f14b2cb1 by Benoit Viguier

### more rewrite

parent a22a9b1f
 ... @@ -69,24 +69,22 @@ conditional swap between $Q$ and $R$ in the TweetNaCl implementation. ... 
@@ -69,24 +69,22 @@ conditional swap between $Q$ and $R$ in the TweetNaCl implementation. \subsection{The X25519 key exchange} \subsection{The X25519 key exchange} \label{preliminaries:A} \label{preliminaries:A} \todo{Rephrase, use byte arrays, define clamping, state where things live.} Inputs are two 32-bytes arrays, one is $n$ the other one represent the $x$-coordinate of $P$. To ensure security and avoid low order subgroups, values of $n$ are forced into the shape of $2^{254} + 8\{0,1,\ldots,2^{251-1}\}$. This is done by setting bit 255 to \texttt{0}; bit 254 to \texttt{1} and the lower 3 bits to \texttt{0}, making it a multiple of 8. For any value $x \in \F{p}$, for the elliptic curve $E$ over $\F{p^2}$ For any value $x \in \F{p}$, for the elliptic curve $E$ over $\F{p^2}$ defined by $y^2 = x^3 + 486662 x^2 + x$, there exist a point $P$ over $E(\F{p^2})$ defined by $y^2 = x^3 + 486662 x^2 + x$, there exist a point $P$ over $E(\F{p^2})$ such that $x$ is the $x$-coordinate of $P$. such that $x$ is the $x$-coordinate of $P$. Remark that $x$ is also the $x$-coordinate of $-P$. Given a natural number $n$ and $x$, X25519 returns the $x$-coordinate of the Given $n \in \N$ and $x \in \F{\p}$, such that $x$ is the $x$-coordinate of scalar multiplication of $P$ by $n$, thus $n \cdot P$. Note that the result is the a point $P$ of $E(\F{\p})$, X25519 returns the $x$-coordinate of the same with $n \cdot (-P) = -(n \cdot P)$. scalar multiplication of $P$ by $n$, thus $n \cdot P$. % Note that the result is the same with $n \cdot (-P) = -(n \cdot P)$. X25519 makes use of the little endian bijection for its arguements of 32-bytes: \texttt{n} the secret key and \texttt{p} the public key. Curve25519 has a cofactor of 8. In order to avoid attacks where an attacker could discover some bits of the private key, values of $n$ are forced into the shape of $2^{254} + 8\{0,1,\ldots,2^{251-1}\}$. 
This is done by setting bit 255 to \texttt{0}; bit 254 to \texttt{1} and the lower 3 bits to \texttt{0}, making it effectively a multiple of 8. This operation is known as the clamping. RFC~7748~\cite{rfc7748} formalized the X25519 Diffie–Hellman key-exchange algorithm. RFC~7748~\cite{rfc7748} formalized the X25519 Diffie–Hellman key-exchange algorithm. Given the base point $B$ where $B.x=9$, each party generate a secret random number Given the base point $B$ where $B.x=9$, each party generate a secret random number ... @@ -186,8 +184,8 @@ sv car25519(gf o) ... @@ -186,8 +184,8 @@ sv car25519(gf o) } } } } \end{lstlisting} \end{lstlisting} % In order to simplify the verification of this function, In order to simplify the verification of this function, % we extract the last step of the loop $i = 15$. we extract the last step of the loop $i = 15$. % \begin{lstlisting}[language=Ctweetnacl] % \begin{lstlisting}[language=Ctweetnacl] % sv car25519(gf o) % sv car25519(gf o) % { % { ... @@ -271,7 +269,8 @@ the \TNaCle{crypto_scalarmult} API function of TweetNaCl. ... @@ -271,7 +269,8 @@ the \TNaCle{crypto_scalarmult} API function of TweetNaCl. In order to compute the scalar multiplication, In order to compute the scalar multiplication, X25519 uses the Montgomery ladder~\cite{Mon85}. X25519 uses the Montgomery ladder~\cite{Mon85}. \todo{explain, projective coordinates, etc} $x$-coordinates are represented as fractions, the computation of the actual value is differed to the end of the ladder with \TNaCle{inv25519}. First extract and clamp the value of $n$. Then unpack the value of $p$. First extract and clamp the value of $n$. Then unpack the value of $p$. As per RFC~7748~\cite{rfc7748}, set its most significant bit to 0. As per RFC~7748~\cite{rfc7748}, set its most significant bit to 0. ... ...
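Review bot: in the first hunk (@@ -69,24 +69,22 @@) the new sentence `Given $n \in \N$ and $x \in \F{\p}$, such that $x$ is the $x$-coordinate of a point $P$ of $E(\F{\p})$` contradicts the retained paragraph just above it, which for an arbitrary $x \in \F{p}$ only guarantees a point $P$ over $E(\F{p^2})$, not over $E(\F{p})$; either keep $E(\F{p^2})$ here or restrict $x$ to coordinates of points that lie on $E(\F{p})$. The same lines also mix the macro `\F{\p}` with the literal `\F{p}` used in the surrounding context; pick one. The shape `$2^{254} + 8\{0,1,\ldots,2^{251-1}\}$` brackets the exponent as $251-1$ where $2^{251}-1$ is presumably meant, since the set should end at $2^{251}-1$ so that $n < 2^{255}$. The new clamping paragraph justifies all three bit manipulations with "avoid low order subgroups", but only clearing the lower 3 bits (the multiple-of-8 condition that matches the cofactor of 8 mentioned in the removed text) serves that purpose; setting bit 254 needs its own justification, and the removed sentence naming the operation ("This operation is known as the clamping") is worth keeping because the new `\todo` itself asks to define clamping. Grammar in the new lines: `32-bytes arrays` → `32-byte arrays`, `the other one represent` → `the other one represents`, `there exist a point` → `there exists a point`.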
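Review bot: in the second hunk (@@ -186,8 +184,8 @@) the sentence "In order to simplify the verification of this function, we extract the last step of the loop $i = 15$." is uncommented, but the listing it introduces (`% \begin{lstlisting}[language=Ctweetnacl]`, `% sv car25519(gf o)`, `% {`) stays commented out, so the compiled text announces an extracted code step that never appears. Either uncomment the listing in the same change or keep the sentence commented until the listing is ready.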
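Review bot: in the third hunk (@@ -271,7 +269,8 @@) the added sentence "$x$-coordinates are represented as fractions, the computation of the actual value is differed to the end of the ladder with \TNaCle{inv25519}." has a spelling error (`differed` → `deferred`) and a comma splice; suggest "$x$-coordinates are represented as fractions; the division is deferred to the end of the ladder, where a single field inversion (\TNaCle{inv25519}) recovers the affine value." The new `\todo{explain, projective coordinates, etc}` sits right before this sentence, which already answers part of it; either name the representation as projective coordinates in the sentence and drop the todo, or narrow the todo to what is still missing.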