Difference on montgomery curve equation between EFD and RFC7748How is the curve equation used in...
Do items de-spawn in Diablo?
Latex does not go to next line
Are there historical instances of the capital of a colonising country being temporarily or permanently shifted to one of its colonies?
Is it necessary to separate DC power cables and data cables?
How is the wildcard * interpreted as a command?
How can I get players to stop ignoring or overlooking the plot hooks I'm giving them?
Rewrite the power sum in terms of convolution
Child Theme Path Being Ignored With wp_enqueue_scripts
Why would one plane in this picture not have gear down yet?
Can one live in the U.S. and not use a credit card?
Reverse string, can I make it faster?
How many characters using PHB rules does it take to be able to have access to any PHB spell at the start of an adventuring day?
If I receive an SOS signal, what is the proper response?
What was the Kree's motivation in Captain Marvel?
Can I pump my MTB tire to max (55 psi / 380 kPa) without the tube inside bursting?
Doesn't allowing a user mode program to access kernel space memory and execute the IN and OUT instructions defeat the purpose of having CPU modes?
Database Backup for data and log files
Accepted offer letter, position changed
Is it work or heat?
Single word request: Harming the benefactor
What Happens when Passenger Refuses to Fly Boeing 737 Max?
Could you please stop shuffling the deck and play already?
When stopping and starting a tile job, what to do with the extra thinset from previous row's cleanup?
What are the practical Opportunty Attack values for a bugbear, holding a reach weapon, with Polearm Mastery?
Difference on montgomery curve equation between EFD and RFC7748
How is the curve equation used in ECC?Montgomery Ladder vs Double-and-AddWhat is the difference between order of base point and curve order in EC?Inversion Free Direct Conversion between Twisted Edwards (X,Y,Z) and Montgomery (X,Z)Differential addition on Montgomery curveHow Elliptic Curve equation is chosen?What is the difference between regular and “twisted” ECC curves?Understanding the elliptic curve equation by exampleDiscrete logarithm on Montgomery curve twistCurve 25519 (X25519, Ed25519) Convert coordinates between Montgomery curve and twisted Edwards curve
$begingroup$
There is a subtle difference between the 2 implementations for a Montgomery curve defined from the 2 following links
https://hyperelliptic.org/EFD/g1p/auto-montgom-xz.html
A = X2+Z2
AA = A^2
B = X2-Z2
BB = B^2
E = AA-BB
C = X3+Z3
D = X3-Z3
DA = D*A
CB = C*B
X5 = (DA+CB)^2
Z5 = X1*(DA-CB)^2
X4 = AA*BB
Z4 = E*(BB+a24*E)
https://tools.ietf.org/html/rfc7748
A = x_2 + z_2
AA = A^2
B = x_2 - z_2
BB = B^2
E = AA - BB
C = x_3 + z_3
D = x_3 - z_3
DA = D * A
CB = C * B
x_3 = (DA + CB)^2
z_3 = x_1 * (DA - CB)^2
x_2 = AA * BB
z_2 = E * (AA + a24 * E)
This AA / BB change on the last line does affect the result of a point multiplication with same input parameters.
Is there a reason for that difference ?
elliptic-curves x25519 rfc7748 x448
edited 4 hours ago
puzzlepalace
2,8601133
asked 5 hours ago
PierrePierre
36718
$endgroup$
add a comment |
$begingroup$
There is a subtle difference between the 2 implementations for a Montgomery curve defined from the 2 following links
https://hyperelliptic.org/EFD/g1p/auto-montgom-xz.html
A = X2+Z2
AA = A^2
B = X2-Z2
BB = B^2
E = AA-BB
C = X3+Z3
D = X3-Z3
DA = D*A
CB = C*B
X5 = (DA+CB)^2
Z5 = X1*(DA-CB)^2
X4 = AA*BB
Z4 = E*(BB+a24*E)
https://tools.ietf.org/html/rfc7748
A = x_2 + z_2
AA = A^2
B = x_2 - z_2
BB = B^2
E = AA - BB
C = x_3 + z_3
D = x_3 - z_3
DA = D * A
CB = C * B
x_3 = (DA + CB)^2
z_3 = x_1 * (DA - CB)^2
x_2 = AA * BB
z_2 = E * (AA + a24 * E)
This AA / BB change on the last line does affect the result of a point multiplication with same input parameters.
Is there a reason for that difference ?
elliptic-curves x25519 rfc7748 x448
edited 4 hours ago
puzzlepalace
2,8601133
asked 5 hours ago
PierrePierre
36718
$endgroup$
$begingroup$
It looks to be a typo in RFC. When BB is used (as in EFD and original P.L. Montgomery paper), the test vectors can be reproduced. Submitted a review comment to RFC. Errare humanum est. How many existing implementations will fail to inter-operate ?
$endgroup$
– Pierre
2 hours ago
add a comment |
$begingroup$
There is a subtle difference between the 2 implementations for a Montgomery curve defined from the 2 following links
https://hyperelliptic.org/EFD/g1p/auto-montgom-xz.html
A = X2+Z2
AA = A^2
B = X2-Z2
BB = B^2
E = AA-BB
C = X3+Z3
D = X3-Z3
DA = D*A
CB = C*B
X5 = (DA+CB)^2
Z5 = X1*(DA-CB)^2
X4 = AA*BB
Z4 = E*(BB+a24*E)
https://tools.ietf.org/html/rfc7748
A = x_2 + z_2
AA = A^2
B = x_2 - z_2
BB = B^2
E = AA - BB
C = x_3 + z_3
D = x_3 - z_3
DA = D * A
CB = C * B
x_3 = (DA + CB)^2
z_3 = x_1 * (DA - CB)^2
x_2 = AA * BB
z_2 = E * (AA + a24 * E)
This AA / BB change on the last line does affect the result of a point multiplication with same input parameters.
Is there a reason for that difference ?
elliptic-curves x25519 rfc7748 x448
edited 4 hours ago
puzzlepalace
2,8601133
asked 5 hours ago
PierrePierre
36718
$endgroup$
There is a subtle difference between the 2 implementations for a Montgomery curve defined from the 2 following links
https://hyperelliptic.org/EFD/g1p/auto-montgom-xz.html
A = X2+Z2
AA = A^2
B = X2-Z2
BB = B^2
E = AA-BB
C = X3+Z3
D = X3-Z3
DA = D*A
CB = C*B
X5 = (DA+CB)^2
Z5 = X1*(DA-CB)^2
X4 = AA*BB
Z4 = E*(BB+a24*E)
https://tools.ietf.org/html/rfc7748
A = x_2 + z_2
AA = A^2
B = x_2 - z_2
BB = B^2
E = AA - BB
C = x_3 + z_3
D = x_3 - z_3
DA = D * A
CB = C * B
x_3 = (DA + CB)^2
z_3 = x_1 * (DA - CB)^2
x_2 = AA * BB
z_2 = E * (AA + a24 * E)
This AA / BB change on the last line does affect the result of a point multiplication with same input parameters.
Is there a reason for that difference ?
elliptic-curves x25519 rfc7748 x448
elliptic-curves x25519 rfc7748 x448
edited 4 hours ago
puzzlepalace
2,8601133
asked 5 hours ago
PierrePierre
36718
edited 4 hours ago
puzzlepalace
2,8601133
asked 5 hours ago
PierrePierre
36718
edited 4 hours ago
puzzlepalace
2,8601133
edited 4 hours ago
puzzlepalace
2,8601133
edited 4 hours ago
puzzlepalace
2,8601133
2,8601133
asked 5 hours ago
PierrePierre
36718
asked 5 hours ago
PierrePierre
36718
asked 5 hours ago
PierrePierre
36718
36718
$begingroup$
It looks to be a typo in RFC. When BB is used (as in EFD and original P.L. Montgomery paper), the test vectors can be reproduced. Submitted a review comment to RFC. Errare humanum est. How many existing implementations will fail to inter-operate ?
$endgroup$
– Pierre
2 hours ago
add a comment |
$begingroup$
It looks to be a typo in RFC. When BB is used (as in EFD and original P.L. Montgomery paper), the test vectors can be reproduced. Submitted a review comment to RFC. Errare humanum est. How many existing implementations will fail to inter-operate ?
$endgroup$
– Pierre
2 hours ago
$begingroup$
It looks to be a typo in RFC. When BB is used (as in EFD and original P.L. Montgomery paper), the test vectors can be reproduced. Submitted a review comment to RFC. Errare humanum est. How many existing implementations will fail to inter-operate ?
$endgroup$
– Pierre
2 hours ago
$begingroup$
It looks to be a typo in RFC. When BB is used (as in EFD and original P.L. Montgomery paper), the test vectors can be reproduced. Submitted a review comment to RFC. Errare humanum est. How many existing implementations will fail to inter-operate ?
$endgroup$
– Pierre
2 hours ago
add a comment |
2 Answers
2
active
oldest
votes
$begingroup$
This is not a bug: it arises from different choice of sign in the definition of a24 := (a ± 2)/4; the RFC uses - while the EFD uses +.
RFC, following the Curve25519 paper:
The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and (156326 - 2) / 4 = 39081 for curve448/X448.
EFD, following Montgomery's paper (paywall-free):
Assumptions: 4*a24=a+2.
This apparent discrepancy was raised by Paul Lambert on the CFRG mailing list during discussion on the draft. It doesn't really matter which one you choose, as long as you're consistent about it!
answered 2 hours ago
Squeamish OssifrageSqueamish Ossifrage
19.3k12883
$endgroup$
$begingroup$
Thanks for the explanation. I didn't spot the little difference on a24 definition between the RFC and the EFD.
$endgroup$
– Pierre
33 mins ago
add a comment |
$begingroup$
This is not a typo; it is a difference in how the Montgomery doubling formula was derived between the original paper and the curve25519 paper. Both are correct.
To double a point on a Montgomery curve
$$
y^2 = x^3 + Ax^2 + x,,
$$
one has the identity relating the doubled point $(x_3, cdot)$ and the source point $(x_1, cdot)$:
$$
x_3 4x_1(x_1^2 + Ax_1 + 1) = (x_1^2 - 1)^2,.
$$
The doubled point $x_3$ can thus be computed as the fraction
$$
frac{(x_1^2 - 1)^2}{4x_1(x_1^2 + Ax_1 + 1)},.
$$
But to minimize the operation number, and obtain several common subexpressions, we can write $(x_1^2 - 1)^2$ as $(x_1+1)^2(x_1-1)^2$, $4x_1$ as $(x_1 + 1)^2 - (x_1 - 1)^2$, and $x_1^2 + Ax_1 + 1$ as either $(x_1-1)^2 + ((A+2)/4)4x_1$ or $(x_1+1)^2 + ((A-2)/4)4x_1$. It is this latter somewhat arbitrary choice that results in there being two almost identical Montgomery doubling formulas.
answered 1 hour ago
Samuel NevesSamuel Neves
7,6302641
$endgroup$
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f67942%2fdifference-on-montgomery-curve-equation-between-efd-and-rfc7748%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
This is not a bug: it arises from different choice of sign in the definition of a24 := (a ± 2)/4; the RFC uses - while the EFD uses +.
RFC, following the Curve25519 paper:
The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and (156326 - 2) / 4 = 39081 for curve448/X448.
EFD, following Montgomery's paper (paywall-free):
Assumptions: 4*a24=a+2.
This apparent discrepancy was raised by Paul Lambert on the CFRG mailing list during discussion on the draft. It doesn't really matter which one you choose, as long as you're consistent about it!
answered 2 hours ago
Squeamish OssifrageSqueamish Ossifrage
19.3k12883
$endgroup$
$begingroup$
Thanks for the explanation. I didn't spot the little difference on a24 definition between the RFC and the EFD.
$endgroup$
– Pierre
33 mins ago
add a comment |
$begingroup$
This is not a bug: it arises from different choice of sign in the definition of a24 := (a ± 2)/4; the RFC uses - while the EFD uses +.
RFC, following the Curve25519 paper:
The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and (156326 - 2) / 4 = 39081 for curve448/X448.
EFD, following Montgomery's paper (paywall-free):
Assumptions: 4*a24=a+2.
This apparent discrepancy was raised by Paul Lambert on the CFRG mailing list during discussion on the draft. It doesn't really matter which one you choose, as long as you're consistent about it!
answered 2 hours ago
Squeamish OssifrageSqueamish Ossifrage
19.3k12883
$endgroup$
$begingroup$
Thanks for the explanation. I didn't spot the little difference on a24 definition between the RFC and the EFD.
$endgroup$
– Pierre
33 mins ago
add a comment |
$begingroup$
This is not a bug: it arises from different choice of sign in the definition of a24 := (a ± 2)/4; the RFC uses - while the EFD uses +.
RFC, following the Curve25519 paper:
The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and (156326 - 2) / 4 = 39081 for curve448/X448.
EFD, following Montgomery's paper (paywall-free):
Assumptions: 4*a24=a+2.
This apparent discrepancy was raised by Paul Lambert on the CFRG mailing list during discussion on the draft. It doesn't really matter which one you choose, as long as you're consistent about it!
answered 2 hours ago
Squeamish OssifrageSqueamish Ossifrage
19.3k12883
$endgroup$
This is not a bug: it arises from different choice of sign in the definition of a24 := (a ± 2)/4; the RFC uses - while the EFD uses +.
RFC, following the Curve25519 paper:
The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and (156326 - 2) / 4 = 39081 for curve448/X448.
EFD, following Montgomery's paper (paywall-free):
Assumptions: 4*a24=a+2.
This apparent discrepancy was raised by Paul Lambert on the CFRG mailing list during discussion on the draft. It doesn't really matter which one you choose, as long as you're consistent about it!
answered 2 hours ago
Squeamish OssifrageSqueamish Ossifrage
19.3k12883
answered 2 hours ago
Squeamish OssifrageSqueamish Ossifrage
19.3k12883
answered 2 hours ago
Squeamish OssifrageSqueamish Ossifrage
19.3k12883
answered 2 hours ago
Squeamish OssifrageSqueamish Ossifrage
19.3k12883
19.3k12883
$begingroup$
Thanks for the explanation. I didn't spot the little difference on a24 definition between the RFC and the EFD.
$endgroup$
– Pierre
33 mins ago
add a comment |
$begingroup$
Thanks for the explanation. I didn't spot the little difference on a24 definition between the RFC and the EFD.
$endgroup$
– Pierre
33 mins ago
$begingroup$
Thanks for the explanation. I didn't spot the little difference on a24 definition between the RFC and the EFD.
$endgroup$
– Pierre
33 mins ago
$begingroup$
Thanks for the explanation. I didn't spot the little difference on a24 definition between the RFC and the EFD.
$endgroup$
– Pierre
33 mins ago
add a comment |
$begingroup$
This is not a typo; it is a difference in how the Montgomery doubling formula was derived between the original paper and the curve25519 paper. Both are correct.
To double a point on a Montgomery curve
$$
y^2 = x^3 + Ax^2 + x,,
$$
one has the identity relating the doubled point $(x_3, cdot)$ and the source point $(x_1, cdot)$:
$$
x_3 4x_1(x_1^2 + Ax_1 + 1) = (x_1^2 - 1)^2,.
$$
The doubled point $x_3$ can thus be computed as the fraction
$$
frac{(x_1^2 - 1)^2}{4x_1(x_1^2 + Ax_1 + 1)},.
$$
But to minimize the operation number, and obtain several common subexpressions, we can write $(x_1^2 - 1)^2$ as $(x_1+1)^2(x_1-1)^2$, $4x_1$ as $(x_1 + 1)^2 - (x_1 - 1)^2$, and $x_1^2 + Ax_1 + 1$ as either $(x_1-1)^2 + ((A+2)/4)4x_1$ or $(x_1+1)^2 + ((A-2)/4)4x_1$. It is this latter somewhat arbitrary choice that results in there being two almost identical Montgomery doubling formulas.
answered 1 hour ago
Samuel NevesSamuel Neves
7,6302641
$endgroup$
add a comment |
$begingroup$
This is not a typo; it is a difference in how the Montgomery doubling formula was derived between the original paper and the curve25519 paper. Both are correct.
To double a point on a Montgomery curve
$$
y^2 = x^3 + Ax^2 + x,,
$$
one has the identity relating the doubled point $(x_3, cdot)$ and the source point $(x_1, cdot)$:
$$
x_3 4x_1(x_1^2 + Ax_1 + 1) = (x_1^2 - 1)^2,.
$$
The doubled point $x_3$ can thus be computed as the fraction
$$
frac{(x_1^2 - 1)^2}{4x_1(x_1^2 + Ax_1 + 1)},.
$$
But to minimize the operation number, and obtain several common subexpressions, we can write $(x_1^2 - 1)^2$ as $(x_1+1)^2(x_1-1)^2$, $4x_1$ as $(x_1 + 1)^2 - (x_1 - 1)^2$, and $x_1^2 + Ax_1 + 1$ as either $(x_1-1)^2 + ((A+2)/4)4x_1$ or $(x_1+1)^2 + ((A-2)/4)4x_1$. It is this latter somewhat arbitrary choice that results in there being two almost identical Montgomery doubling formulas.
answered 1 hour ago
Samuel NevesSamuel Neves
7,6302641
$endgroup$
add a comment |
$begingroup$
This is not a typo; it is a difference in how the Montgomery doubling formula was derived between the original paper and the curve25519 paper. Both are correct.
To double a point on a Montgomery curve
$$
y^2 = x^3 + Ax^2 + x,,
$$
one has the identity relating the doubled point $(x_3, cdot)$ and the source point $(x_1, cdot)$:
$$
x_3 4x_1(x_1^2 + Ax_1 + 1) = (x_1^2 - 1)^2,.
$$
The doubled point $x_3$ can thus be computed as the fraction
$$
frac{(x_1^2 - 1)^2}{4x_1(x_1^2 + Ax_1 + 1)},.
$$
But to minimize the operation number, and obtain several common subexpressions, we can write $(x_1^2 - 1)^2$ as $(x_1+1)^2(x_1-1)^2$, $4x_1$ as $(x_1 + 1)^2 - (x_1 - 1)^2$, and $x_1^2 + Ax_1 + 1$ as either $(x_1-1)^2 + ((A+2)/4)4x_1$ or $(x_1+1)^2 + ((A-2)/4)4x_1$. It is this latter somewhat arbitrary choice that results in there being two almost identical Montgomery doubling formulas.
answered 1 hour ago
Samuel NevesSamuel Neves
7,6302641
$endgroup$
This is not a typo; it is a difference in how the Montgomery doubling formula was derived between the original paper and the curve25519 paper. Both are correct.
To double a point on a Montgomery curve
$$
y^2 = x^3 + Ax^2 + x,,
$$
one has the identity relating the doubled point $(x_3, cdot)$ and the source point $(x_1, cdot)$:
$$
x_3 4x_1(x_1^2 + Ax_1 + 1) = (x_1^2 - 1)^2,.
$$
The doubled point $x_3$ can thus be computed as the fraction
$$
frac{(x_1^2 - 1)^2}{4x_1(x_1^2 + Ax_1 + 1)},.
$$
But to minimize the operation number, and obtain several common subexpressions, we can write $(x_1^2 - 1)^2$ as $(x_1+1)^2(x_1-1)^2$, $4x_1$ as $(x_1 + 1)^2 - (x_1 - 1)^2$, and $x_1^2 + Ax_1 + 1$ as either $(x_1-1)^2 + ((A+2)/4)4x_1$ or $(x_1+1)^2 + ((A-2)/4)4x_1$. It is this latter somewhat arbitrary choice that results in there being two almost identical Montgomery doubling formulas.
answered 1 hour ago
Samuel NevesSamuel Neves
7,6302641
answered 1 hour ago
Samuel NevesSamuel Neves
7,6302641
answered 1 hour ago
Samuel NevesSamuel Neves
7,6302641
answered 1 hour ago
Samuel NevesSamuel Neves
7,6302641
7,6302641
add a comment |
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f67942%2fdifference-on-montgomery-curve-equation-between-efd-and-rfc7748%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
$begingroup$
It looks to be a typo in RFC. When BB is used (as in EFD and original P.L. Montgomery paper), the test vectors can be reproduced. Submitted a review comment to RFC. Errare humanum est. How many existing implementations will fail to inter-operate ?
$endgroup$
– Pierre
2 hours ago