nisse@lysator.liu.se (Niels Möller) writes:
I have a couple of questions regarding curve25519.
I can answer a few of them myself now.
The input of the curve255519 function is the x coordiante only. I compute the y cordinate, via a square root. This might fail... I don't really understand Theorem 2.1 in the curve25519 paper, but it seems to indicate that for curve25519 to be defined for arbitrary x, one needs to consider coordinates in the extended field
x = x_0 + x_1 sqrt(2) y = y_0 + y_1 sqrt(2)
Doing these coordinates in the extended field just tacks on the factor sqrt(2) on the y coordinates (and similarly to one of the cooordinates of the corresponding Edwards curve), and in this special case, that's equivalent to working on a "twist" curve over the base field F_p.
Probably not too painful to implement, but unclear if it's worth the effort.
Are there any testcases for such questionable inputs?
This question remains, as well as the question of interesting usecases.
- API for the curve25519 function. I think I sent a mail about this previously. Should it be a single function (with some magic optimization for the input x == 9), or two functions? What do the NaCl and Sodium libraries do, and do they get it right?
See http://nacl.cr.yp.to/scalarmult.html. It's two functions,
crypto_scalarmult(q,n,p);
and
crypto_scalarmult_base(q,n);
I think nettle should use some different names (unless, maybe, some curve25519-compat.h file is included). But I think we can use the same arguments. If we don't implement points with y coordinates outside of the base field, the crypto_scalarmult function needs a return value, to indicate success or failure.
Regards, /Niels