nisse@lysator.liu.se (Niels Möller) writes:
- I'm considering changing the struct ecc_point representation to use Montgomery representation for the individual coordinates, for primes where we use that. Then ecc_a_to_* will (almost?) be redundant.
I still think ecc_a_to_* could be eliminated. They do redc conversions for curves that use that, and some copying of the unit field element.
I noticed an inconsistency here. For curve25519 and curve448, we do sqrt and inversion using powering. If using powering for other curves, as is needed for the sqrt operation with compact representation, it's desirable to do this with inputs and outputs in redc form, for moduli where we use redc.
However, inversion using side-channel silent gcdext, ecc_mod_inv, as is used by all other curves, is unaware of redc. Instead, there's some extra redc processing where it's called in ecc_j_to_a.
If we want to compute v = z^-1 (mod p), but in redc form with v' = vB and z' = zB, then we have
v z = 1 (mod p)
but
v' z' = B^2 (mod p)
So for redc curves we need to compute v' as
v' = (z' / B^2)^-1 (mod p)
Regards, /Niels
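
The relation above checked numerically, as an added example that is not part of the original message and is not Nettle code. It assumes the NIST P-256 prime as p and B = 2^256, and uses Python's pow(x, -1, p) as a stand-in for a redc-unaware inversion such as ecc_mod_inv; all function names are hypothetical.

```python
# Added example, not Nettle code. Assumptions: the NIST P-256 prime as p,
# B = 2^256, and pow(x, -1, p) standing in for a redc-unaware inversion.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
BITS = 256
B = 1 << BITS
MASK = B - 1
P_NEG_INV = (-pow(P, -1, B)) % B  # -p^-1 mod B, used by the reduction

def redc(t):
    """Montgomery reduction: t / B (mod p), for 0 <= t < p*B."""
    m = ((t & MASK) * P_NEG_INV) & MASK
    u = (t + m * P) >> BITS
    return u - P if u >= P else u

def to_redc(x):
    """x -> x' = x B (mod p)."""
    return (x << BITS) % P

def mul_redc(ar, br):
    """Multiply two redc-form values; the result is in redc form."""
    return redc(ar * br)

def plain_inv(x):
    """Redc-unaware inversion: x^-1 (mod p)."""
    return pow(x, -1, P)

def naive_inv_redc(zr):
    """Inverting z' directly gives v / B, which is not v'."""
    return plain_inv(zr)

def inv_redc(zr):
    """v' = (z' / B^2)^-1 (mod p): reduce twice, then invert."""
    return plain_inv(redc(redc(zr)))

def demo(z=0x1234567890ABCDEF):
    zr, v = to_redc(z), plain_inv(z)
    vr = inv_redc(zr)
    return {
        "v_prime_correct": vr == to_redc(v),
        "naive_is_v_over_B": naive_inv_redc(zr) == redc(v),
        "naive_differs": naive_inv_redc(zr) != to_redc(v),
        "redc_product_is_one": mul_redc(vr, zr) == to_redc(1),
        "plain_product_is_B2": (vr * zr) % P == (B * B) % P,
    }

if __name__ == "__main__":
    print(demo())
```

The two redc calls before the inversion are the "extra redc processing" a caller has to supply around an inversion routine that knows nothing about redc form.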