From: Niels Möller Date: Thu, 2 Oct 2014 13:55:41 +0000 (+0200) Subject: Notes on EdDSA decompression. X-Git-Tag: nettle_3.1rc1~79 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a3fb911ea645a5d4d0a624e1bcf4c788044dab85;p=thirdparty%2Fnettle.git Notes on EdDSA decompression. --- diff --git a/misc/ecc-formulas.tex b/misc/ecc-formulas.tex index d696ca50..6c61982d 100644 --- a/misc/ecc-formulas.tex +++ b/misc/ecc-formulas.tex @@ -181,7 +181,8 @@ suggests using the twisted Edwards curve, \begin{equation*} -x^2 + y^2 = 1 + d' x^2 y^2 \pmod{p} \end{equation*} -(For this we use the same $d' = -d = (121665/121666) \bmod p$). +(For this we use $d' = -d$, with $d = (121665/121666) \bmod p$, where +$d$ is the same as in the curve25519 equivalence described below). Assuming -1 has a square root modulo $p$, a point $(x, y)$ lies on this curve if and only if $(\sqrt{-1} x, p)$ lies of the non-twisted Edwards curve. The point addition formulas for the twisted Edwards @@ -225,6 +226,18 @@ because they are complete. See In our notation $a = -1$, and the $d'$ above is $-d$. +\subsection{Decompression} + +For EdDSA, points are represented by the $y$ coordinate and only the +low bit, or ``sign'' bit, of the $x$ coordinate. Then $x^2$ can be +computed as +\begin{align*} + x^2 &= (1-y^2) (d y^2 - 1)^{-1} \\ + &= 121666 (1-y^2) (121665 y^2 - 121666)^{-1} +\end{align*} +We then get $x$ from a square root, and we can use a trick of djb's to +avoid the inversion. + \section{Curve25519} Curve25519 is defined as the Montgomery curve
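Review bot: in the first hunk (@@ -181,7 +181,8 @@), the unchanged context line directly after the edited sentence still reads "$(\sqrt{-1} x, p)$ lies of the non-twisted Edwards curve". The second coordinate looks like it should be $y$ rather than the modulus $p$, and "lies of" should be "lies on". Since the commit already touches the adjacent sentence, it would be worth fixing both here. Separately, "described below" is a loose pointer. A \label on the Curve25519 section and a \ref from this sentence would keep the cross-reference correct if the sections are reordered.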
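Review bot: in the new Decompression subsection (second hunk, @@ -225,6 +226,18 @@), "We then get $x$ from a square root" does not say what happens when $(1-y^2) (d y^2 - 1)^{-1}$ has no square root modulo $p$, and it does not say how the sign bit selects between the two roots. Suggest adding a sentence stating that decompression fails in that case, because the input is not a valid point encoding, and that the root whose low bit matches the stored sign bit is the one taken. The align* block also omits the \pmod{p} that the curve equation earlier in the file carries, so it would help to say once that the arithmetic is modulo $p$. Finally, "a trick of djb's" is not reproducible from the note as written. Either cite the source or state the trick in one line.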