Switch curve25519 implementation to use the Ed25519 twisted Edwards curve.

diff --git a/ChangeLog b/ChangeLog
index 40092c9bcaff3eebdf1ddd4373650cf0e6e0170d..a4c230b23d63f87187bc914439f9b2f4ccb1436c 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2014-08-29  Niels Möller  <nisse@lysator.liu.se>
+
+       Switch the curve25519 implementation to use the isomorphism to the
+       twisted Edwards curve which is used for Ed25519 signatures.
+       * eccdata.c (ecc_curve_init): Tweaked the transformation constant
+       for the isomorphism between curve25519 and the twisted Edwards
+       curve.
+       * ecc-add-ehh.c (ecc_add_ehh): Updated formulas for the twist curve.
+       * ecc-add-eh.c (ecc_add_eh): Likewise.
+       * ecc-dup-eh.c (ecc_dup_eh): Likewise.
+
 2014-08-28  Niels Möller  <nisse@lysator.liu.se>
 
        * ecdsa-verify.c (ecdsa_verify): Drop include of ecc-internal.h,

diff --git a/ecc-add-eh.c b/ecc-add-eh.c
index a3471b268378f8724d7136214cee78e127823bd9..311b2d9b3f666677c1e1c2f4f144cce7958dc1aa 100644 (file)
--- a/ecc-add-eh.c
+++ b/ecc-add-eh.c
@@ -94,17 +94,17 @@ ecc_add_eh (const struct ecc_curve *ecc,
   ecc_modp_mul (ecc, x3, C, D);
   ecc_modp_mul (ecc, E, x3, ecc->b);
 
-  ecc_modp_sub (ecc, C, D, C);
+  ecc_modp_add (ecc, C, D, C); /* ! */
   ecc_modp_sqr (ecc, B, z1);
   ecc_modp_sub (ecc, F, B, E);
   ecc_modp_add (ecc, G, B, E);  
 
   /* x3 */
-  ecc_modp_mul (ecc, B, F, T);
+  ecc_modp_mul (ecc, B, G, T); /* ! */
   ecc_modp_mul (ecc, x3, B, z1);
 
   /* y3 */
-  ecc_modp_mul (ecc, B, G, C);
+  ecc_modp_mul (ecc, B, F, C); /* ! */
   ecc_modp_mul (ecc, y3, B, z1);
 
   /* z3 */

diff --git a/ecc-add-ehh.c b/ecc-add-ehh.c
index b009d84f98b7ebb23464f11fe75252c1cfa03b6b..b293290b2192198aac0a8fe2e27cc2e81f22aa9c 100644 (file)
--- a/ecc-add-ehh.c
+++ b/ecc-add-ehh.c
@@ -76,6 +76,10 @@ ecc_add_ehh (const struct ecc_curve *ecc,
      x3 = A*F*T                3 mul           A, C, G
      y3 = A*G*(D-C)    2 mul           F, G
      z3 = F*G          mul
+
+     But when working with the twist curve, we need to the factor
+     x1*x2. We need to switch sign in y3 expressions, and swap F and
+     G.
   */
 #define C scratch
 #define D (scratch + ecc->size)
@@ -95,7 +99,7 @@ ecc_add_ehh (const struct ecc_curve *ecc,
   ecc_modp_sub (ecc, T, T, D);
   ecc_modp_mul (ecc, x3, C, D);
   ecc_modp_mul (ecc, E, x3, ecc->b);
-  ecc_modp_sub (ecc, C, D, C);
+  ecc_modp_add (ecc, C, D, C); /* ! */
   
   ecc_modp_mul (ecc, A, z1, z2);
   ecc_modp_sqr (ecc, B, A);
@@ -104,11 +108,11 @@ ecc_add_ehh (const struct ecc_curve *ecc,
   ecc_modp_add (ecc, G, B, E);
 
   /* x3 */
-  ecc_modp_mul (ecc, B, F, T);
+  ecc_modp_mul (ecc, B, G, T); /* ! */
   ecc_modp_mul (ecc, x3, B, A);
 
   /* y3 */
-  ecc_modp_mul (ecc, B, G, C);
+  ecc_modp_mul (ecc, B, F, C); /* ! */
   ecc_modp_mul (ecc, y3, B, A);
 
   /* z3 */

diff --git a/ecc-dup-eh.c b/ecc-dup-eh.c
index 7065063113c98bd7f1a6ef10bdad39c4ec590bb6..6258071a7c54f646112ed229cbb57e6e312d62bf 100644 (file)
--- a/ecc-dup-eh.c
+++ b/ecc-dup-eh.c
@@ -62,6 +62,18 @@ ecc_dup_eh (const struct ecc_curve *ecc,
      x' = (b-e)*j      mul             c, d, e, j
      y' = e*(c-d)      mul             e, j
      z' = e*j          mul
+
+     But for the twisted curve, we need some sign changes.
+
+     b = (x+y)^2       sqr             b
+     c = x^2           sqr             b, c
+     d = y^2           sqr             b, c, d
+   ! e = -c+d                          b, c, d, e
+     h = z^2           sqr             b, c, d, e, h
+   ! j = -e+2*h                                b, c, d, e, j
+   ! x' = (b-c-d)*j    mul             c, d, e, j
+   ! y' = e*(c+d)      mul             e, j
+     z' = e*j          mul
   */
 #define b scratch 
 #define c (scratch  + ecc->size)
@@ -80,17 +92,18 @@ ecc_dup_eh (const struct ecc_curve *ecc,
   /* h, can use r as scratch, even for in-place operation. */
   ecc_modp_sqr (ecc, r, p + 2*ecc->size);
   /* e, */
-  ecc_modp_add (ecc, e, c, d);
-  /* b - e */
-  ecc_modp_sub (ecc, b, b, e);
+  ecc_modp_sub (ecc, e, d, c);
+  /* b - c - d */
+  ecc_modp_sub (ecc, b, b, c);
+  ecc_modp_sub (ecc, b, b, d);
   /* j */
   ecc_modp_add (ecc, r, r, r);
-  ecc_modp_sub (ecc, j, e, r);
+  ecc_modp_sub (ecc, j, r, e);
 
   /* x' */
   ecc_modp_mul (ecc, r, b, j);
   /* y' */
-  ecc_modp_sub (ecc, c, c, d);
+  ecc_modp_add (ecc, c, c, d); /* Redundant */
   ecc_modp_mul (ecc, r + ecc->size, e, c);
   /* z' */
   ecc_modp_mul (ecc, b, e, j);

diff --git a/eccdata.c b/eccdata.c
index 2fb43650c0501dc92cda11359730724cf9416283..9533d7835c08997d5b7e14a1117ef6cfbf76f087 100644 (file)
--- a/eccdata.c
+++ b/eccdata.c
@@ -575,10 +575,15 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size)
                          */
                          "2dfc9311d490018c7338bf8688861767"
                          "ff8ff5b2bebe27548a14b235eca6874a",
-                         /* sqrt(486664) mod p, from PARI/GP
-                            sqrt(Mod(486664, p)) */
-                         "141b0b6806563d503de05885280b5910"
-                         "9ca5ee38d7b56c9c165db7106377bbd8");
+                         /* A square root of -486664 mod p, PARI/GP
+                            -sqrt(Mod(-486664, p)) in PARI/GP.
+
+                            Sign is important to map to the right
+                            generator on the twisted edwards curve
+                            used for EdDSA. */
+                         "70d9120b9f5ff9442d84f723fc03b081"
+                         "3a5e2c2eb482e57d3391fb5500ba81e7"
+                         );
       ecc->ref = ecc_alloc (3);
       ecc_set_str (&ecc->ref[0], /* 2 g */
                   "20d342d51873f1b7d9750c687d157114"