curve25519 without clamping
David Lazar
2018-03-17 21:18:57 UTC
Hi,

I'm trying to use the amd64-optimized curve25519 implementation with
unclamped scalars. I'm using the Go library, but my question applies
to the SUPERCOP sources too.

I've deleted lines 65-67 (the clamping) here:

https://github.com/golang/crypto/blob/c57d4a71915a248dbad846d60825145062b4c18e/curve25519/mont25519_amd64.go#L65

I've also changed the 6 to a 7 on line 43:

https://github.com/golang/crypto/blob/c57d4a71915a248dbad846d60825145062b4c18e/curve25519/mont25519_amd64.go#L43

This seems to produce the correct answers for scalars where the low 3
bits are zero.

Where in the amd64 code is it assumed that the low 3 bits are zero? Is
there any easy way to fix the code to work when the low 3 bits are
non-zero?

Thanks,
David
David Lazar
2018-03-21 14:43:00 UTC
One issue is that the mladder function is missing the final
conditional swap. Thanks to Rene Struik for pointing this out.
Post by David Lazar
Hi,
I'm trying to use the amd64-optimized curve25519 implementation with
unclamped scalars. I'm using the Go library, but my question applies
to the SUPERCOP sources too.
https://github.com/golang/crypto/blob/c57d4a71915a248dbad846d60825145062b4c18e/curve25519/mont25519_amd64.go#L65
https://github.com/golang/crypto/blob/c57d4a71915a248dbad846d60825145062b4c18e/curve25519/mont25519_amd64.go#L43
This seems to produce the correct answers for scalars where the low 3
bits are zero.
Where in the amd64 code is it assumed that the low 3 bits are zero? Is
there any easy way to fix the code to work when the low 3 bits are
non-zero?
Thanks,
David
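The point the thread arrives at (the ladder in `mladder` lacks the conditional swap after its loop, and a clamped scalar hides this because its bit 0 is zero) is easiest to see in a self-contained ladder. The following Go program is an added example, not code from this thread, from golang/crypto or from SUPERCOP: it implements the RFC 7748 Montgomery ladder with `math/big` (so the field arithmetic is not constant-time; it stands in for the amd64 field code, and only the swap bookkeeping is the point), walks all 256 scalar bits so an unclamped scalar with bit 255 set is handled (the thread's 6-to-7 change), and takes a `finalSwap` flag so the missing step can be switched off. All function names are mine; the RFC 7748 test vector is a published one, and `basePoint` is the standard u = 9.

```go
package main

import (
	"encoding/hex"
	"math/big"
)

// Curve25519: field prime p = 2^255 - 19, ladder constant a24 = (486662 - 2) / 4.
var p = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19))
var a24 = big.NewInt(121665)

// Published RFC 7748 section 5.2 test vector and the base point u = 9, as 32 little-endian bytes in hex.
const (
	rfcScalar = "a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4"
	rfcU      = "e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c"
	rfcOut    = "c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552"
	basePoint = "0900000000000000000000000000000000000000000000000000000000000000"
)

func mod(x *big.Int) *big.Int { return x.Mod(x, p) }

// reverse converts between little-endian wire bytes and the big-endian order big.Int uses.
func reverse(b []byte) []byte {
	r := make([]byte, len(b))
	for i, v := range b {
		r[len(b)-1-i] = v
	}
	return r
}

// decodeU reads a little-endian u-coordinate and masks bit 255 as RFC 7748 requires.
func decodeU(b []byte) *big.Int {
	x := new(big.Int).SetBytes(reverse(b))
	return x.SetBit(x, 255, 0)
}

func encodeLE(x *big.Int) []byte { return reverse(new(big.Int).Mod(x, p).FillBytes(make([]byte, 32))) }

// clamp is standard X25519 clamping; clearing bit 0 is what makes the final swap a no-op.
func clamp(s []byte) []byte {
	c := make([]byte, 32)
	copy(c, s)
	c[0] &= 248
	c[31] = c[31]&127 | 64
	return c
}

// cswap swaps a and b when swap == 1 (a real ladder uses masks; only the bookkeeping matters here).
func cswap(swap uint, a, b *big.Int) {
	if swap == 1 {
		t := new(big.Int).Set(a)
		a.Set(b)
		b.Set(t)
	}
}

// ladder returns u([k]P) from u(P) by the RFC 7748 Montgomery ladder over all 256 scalar
// bits (the Go code starts at j = 6, skipping bit 255; the thread changes it to 7).
// finalSwap selects the conditional swap after the loop. Omitting it is the defect the
// thread identifies: when bit 0 of k is 1 the accumulators stay swapped and u([k+1]P) comes out.
func ladder(k, u *big.Int, finalSwap bool) *big.Int {
	x1 := new(big.Int).Set(u)
	x2, z2 := big.NewInt(1), big.NewInt(0)       // point at infinity
	x3, z3 := new(big.Int).Set(u), big.NewInt(1) // P
	var swap uint
	for t := 255; t >= 0; t-- {
		kt := k.Bit(t)
		swap ^= kt // swap only when this bit differs from the previous one, as the amd64 code does
		cswap(swap, x2, x3)
		cswap(swap, z2, z3)
		swap = kt
		a, b := mod(new(big.Int).Add(x2, z2)), mod(new(big.Int).Sub(x2, z2))
		aa, bb := mod(new(big.Int).Mul(a, a)), mod(new(big.Int).Mul(b, b))
		e := mod(new(big.Int).Sub(aa, bb))
		c, d := mod(new(big.Int).Add(x3, z3)), mod(new(big.Int).Sub(x3, z3))
		da, cb := mod(new(big.Int).Mul(d, a)), mod(new(big.Int).Mul(c, b))
		sum, diff := mod(new(big.Int).Add(da, cb)), mod(new(big.Int).Sub(da, cb))
		x3 = mod(new(big.Int).Mul(sum, sum))
		z3 = mod(new(big.Int).Mul(x1, mod(new(big.Int).Mul(diff, diff))))
		x2 = mod(new(big.Int).Mul(aa, bb))
		z2 = mod(new(big.Int).Mul(e, mod(new(big.Int).Add(aa, new(big.Int).Mul(a24, e)))))
	}
	if finalSwap { // the step mladder is missing
		cswap(swap, x2, x3)
		cswap(swap, z2, z3)
	}
	inv := new(big.Int).Exp(z2, new(big.Int).Sub(p, big.NewInt(2)), p) // 1/z2 = z2^(p-2)
	return mod(new(big.Int).Mul(x2, inv))
}

// scalarMultHex runs the ladder on hex inputs. The scalar is little-endian and may be
// short ("0f" is 15); clamping needs the full 32 bytes. Inputs are trusted constants.
func scalarMultHex(scalarHex, uHex string, doClamp, finalSwap bool) string {
	s, _ := hex.DecodeString(scalarHex)
	u, _ := hex.DecodeString(uHex)
	if doClamp {
		s = clamp(s)
	}
	k := new(big.Int).SetBytes(reverse(s))
	return hex.EncodeToString(encodeLE(ladder(k, decodeU(u), finalSwap)))
}
```

With the RFC scalar clamped, `scalarMultHex(rfcScalar, rfcU, true, true)` and `scalarMultHex(rfcScalar, rfcU, true, false)` both return `rfcOut`, because `swap` is 0 when the loop ends. For an odd unclamped scalar the two differ, and only the version with the final swap satisfies u(3·(5P)) = u(15P): `scalarMultHex("0f", basePoint, false, true)` equals `scalarMultHex("03", scalarMultHex("05", basePoint, false, true), false, true)`, while the `false` variants do not agree.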