[email protected] (Niels Möller) writes: > I have a couple of questions regarding curve25519.
I can answer a few of them myself now. > 1. The input of the curve255519 function is the x coordiante only. I > compute the y cordinate, via a square root. This might fail... I > don't really understand Theorem 2.1 in the curve25519 paper, but it > seems to indicate that for curve25519 to be defined for arbitrary x, > one needs to consider coordinates in the extended field > > x = x_0 + x_1 sqrt(2) > y = y_0 + y_1 sqrt(2) Doing these coordinates in the extended field just tacks on the factor sqrt(2) on the y coordinates (and similarly to one of the cooordinates of the corresponding Edwards curve), and in this special case, that's equivalent to working on a "twist" curve over the base field F_p. Probably not too painful to implement, but unclear if it's worth the effort. > Are there any testcases for such questionable inputs? This question remains, as well as the question of interesting usecases. > 2. API for the curve25519 function. I think I sent a mail about this > previously. Should it be a single function (with some magic > optimization for the input x == 9), or two functions? What do the > NaCl and Sodium libraries do, and do they get it right? See http://nacl.cr.yp.to/scalarmult.html. It's two functions, crypto_scalarmult(q,n,p); and crypto_scalarmult_base(q,n); I think nettle should use some different names (unless, maybe, some curve25519-compat.h file is included). But I think we can use the same arguments. If we don't implement points with y coordinates outside of the base field, the crypto_scalarmult function needs a return value, to indicate success or failure. Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance. _______________________________________________ nettle-bugs mailing list [email protected] http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
