diff --git a/aux/ristretto/ristretto.sage b/aux/ristretto/ristretto.sage
index 901b24a..0f217a6 100644
--- a/aux/ristretto/ristretto.sage
+++ b/aux/ristretto/ristretto.sage
@@ -278,15 +278,11 @@ class Decaf_1_1_Point(QuotientEdwardsPoint):
 if self.cofactor==8 and negative(x*y*self.isoMagic):
 x,y = self.torque()
-
- isr2 = isqrt(a*(y^2-1)) * sqrt(a*d-1)
-
+ sr = xsqrt(1-a*x^2)
- assert sr in [isr2*x*y,-isr2*x*y]
-
- altx = 1/isr2*self.isoMagic
- if negative(altx): s = (1+x*y*isr2)/(a*x)
- else: s = (1-x*y*isr2)/(a*x)
+ altx = x*y*self.isoMagic / sr
+ if negative(altx): s = (1+sr)/x
+ else: s = (1-sr)/x
 return self.gfToBytes(s,mustBePositive=True)
@@ -297,11 +293,11 @@ class Decaf_1_1_Point(QuotientEdwardsPoint):
 s = cls.bytesToGf(s,mustBePositive=True)
 if s==0: return cls()
- isr = isqrt(s^4 + 2*(a-2*d)*s^2 + 1)
- altx = 2*s*isr*cls.isoMagic
- if negative(altx): isr = -isr
+ t = xsqrt(s^4 + 2*(a-2*d)*s^2 + 1)
+ altx = 2*s*cls.isoMagic/t
+ if negative(altx): t = -t
 x = 2*s / (1+a*s^2)
- y = (1-a*s^2) * isr
+ y = (1-a*s^2) / t
 if cls.cofactor==8 and (negative(x*y*cls.isoMagic) or y==0):
 raise InvalidEncodingException("x*y is invalid: %d, %d" % (x,y))
@@ -455,7 +451,7 @@ class IsoEd448Point(RistrettoPoint):
 @classmethod
 def base(cls):
 return cls( # RFC has it wrong
- -345397493039729516374008604150537410266655260075183290216406970281645695073672344430481787759340633221708391583424041788924124567700732,
+ 345397493039729516374008604150537410266655260075183290216406970281645695073672344430481787759340633221708391583424041788924124567700732,
 -363419362147803445274661903944002267176820680343659030140745099590306164083365386343198191849338272965044442230921818680526749009182718
 )
@@ -464,7 +460,6 @@ class TwistedEd448GoldilocksPoint(Decaf_1_1_Point):
 d = F(-39082)
 a = F(-1)
 qnr = -1
- magic = isqrt(a*d-1)
 cofactor = 4
 encLen = 56
 isoMagic = IsoEd448Point.magic
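Review bot: The rewritten encoding divides by `sr` in `altx = x*y*self.isoMagic / sr` and by `x` in `s = (1+sr)/x` / `s = (1-sr)/x` with no guard for either being zero, where `x` is zero at the identity and at the 2-torsion points and `sr` vanishes whenever `a*x^2 == 1`. If those points are not excluded before this hunk — the enclosing method starts outside it — add an early return for `x == 0` that mirrors the `if s==0: return cls()` branch in the decoder, or a comment stating why they cannot reach this line. Dropping `assert sr in [isr2*x*y,-isr2*x*y]` also removes the only check that the square root is consistent; if `xsqrt` does not itself verify its result, a cheap replacement is `assert sr^2 == 1-a*x^2` directly after the call.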
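Review bot: The decoder's rejection of invalid encodings now rests entirely on `t = xsqrt(s^4 + 2*(a-2*d)*s^2 + 1)` raising when the radicand is not a square; nothing on the new side makes that requirement visible, and a `xsqrt` that returned an unchecked value would let non-encodings decode to points. Add a comment on that line, `# must raise InvalidEncodingException on a non-square radicand: a non-square here means the bytes are not a valid encoding`, or check `t^2` against the radicand explicitly and raise `InvalidEncodingException`. The division in `altx = 2*s*cls.isoMagic/t` additionally assumes `t != 0`; `s != 0` is guaranteed by the line above, but whether the quartic can vanish for the curve parameters in use is not stated and deserves a comment or a guard. The enclosing classmethod starts outside the hunk.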
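Review bot: The comment `# RFC has it wrong` on `return cls(` survives while the sign of the first coordinate flips from negative to positive, so a reader cannot tell whether the literal now matches the RFC or still deliberately departs from it. Replace it with a comment that names the document and the coordinate that differ, for example `# x-coordinate sign differs from <RFC reference placeholder> — see <reason placeholder>` with the specifics filled in, or drop it if the values now agree.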
@@ -478,14 +473,13 @@ class Ed448GoldilocksPoint(Decaf_1_1_Point):
 d = F(-39081)
 a = F(1)
 qnr = -1
- magic = isqrt(a*d-1)
 cofactor = 4
 encLen = 56
 isoMagic = IsoEd448Point.magic
 @classmethod
 def base(cls):
- return -2*cls( # FIXME: make not negative
+ return 2*cls(
 224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710,
 298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660
 )
diff --git a/aux/ristretto/ristretto.tex b/aux/ristretto/ristretto.tex
index 7fc955a..d646506 100644
--- a/aux/ristretto/ristretto.tex
+++ b/aux/ristretto/ristretto.tex
@@ -65,7 +65,12 @@ $$(x,y) = \left(\frac{u}{v}\cdot\frac{\sqrt{a-d}}{2},\ \ \frac{u-1}{u+1}\right)$
 If $M = (u,v)$ is a point on the Montgomery curve, then the $u$-coordinate of $2M$ is $(u^2-1)^2 / (4v^2)$ is necessarily square.  It follows that if $(x,y)$ is a point on $E_{a,d}$, and $a-d$ is square, then $(1+y)/(1-y)$ is also square.
-\todo{Nega montgomery}
+Likewhise, when $d-a$ is square in \F, $E_{a,d}$ is isomorphic to the Montgomery curve
+$$v^2 = u\cdot\left(u^2 - 2\cdot\frac{a+d}{a-d}\cdot u + 1\right)$$
+by the map
+$$(u,v) = \left(\frac{y+1}{y-1},\ \ \frac{y+1}{y-1}\cdot\frac1x\cdot\frac{2}{\sqrt{d-a}}\right)$$
+with inverse
+$$(x,y) = \left(\frac{u}{v}\cdot\frac{\sqrt{d-a}}{2},\ \ \frac{1+u}{1-u}\right)$$
 \section{Lemmas}
 First, we characterize the 2-torsion and 4-torsion groups.\\
diff --git a/src/GENERATED/c/p25519/f_generic.c b/src/GENERATED/c/p25519/f_generic.c
index 4edf7f6..35c7ce1 100644
--- a/src/GENERATED/c/p25519/f_generic.c
+++ b/src/GENERATED/c/p25519/f_generic.c
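Review bot: `return 2*cls(` now yields the double of the literal point with the FIXME gone, but nothing explains why the generator is expressed as twice another point instead of by its own coordinates, and the hunk alone does not show whether dropping the negation changes which point `base()` denotes relative to the curve's specified base point. Add a comment above the return such as `# the literal is a point whose double is the intended generator — TODO confirm against the curve's specified base point`, and pin the encoding of `base()` against a known test vector, using a clearly labelled `<expected-encoding-placeholder>` until the real vector is in hand.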
@@ -106,14 +106,14 @@ void gf_strong_reduce (gf a) {
 assert(word_is_zero(carry + scarry_0));
 }
-/** Add two gf elements */
+/** Subtract two gf elements d=a-b */
 void gf_sub (gf d, const gf a, const gf b) {
 gf_sub_RAW ( d, a, b );
 gf_bias( d, 2 );
 gf_weak_reduce ( d );
 }
-/** Subtract d = a-b */
+/** Add two field elements d = a+b */
 void gf_add (gf d, const gf a, const gf b) {
 gf_add_RAW ( d, a, b );
 gf_weak_reduce ( d );
diff --git a/src/GENERATED/c/p448/f_generic.c b/src/GENERATED/c/p448/f_generic.c
index 66f9b08..71080f2 100644
--- a/src/GENERATED/c/p448/f_generic.c
+++ b/src/GENERATED/c/p448/f_generic.c
@@ -106,14 +106,14 @@ void gf_strong_reduce (gf a) {
 assert(word_is_zero(carry + scarry_0));
 }
-/** Add two gf elements */
+/** Subtract two gf elements d=a-b */
 void gf_sub (gf d, const gf a, const gf b) {
 gf_sub_RAW ( d, a, b );
 gf_bias( d, 2 );
 gf_weak_reduce ( d );
 }
-/** Subtract d = a-b */
+/** Add two field elements d = a+b */
 void gf_add (gf d, const gf a, const gf b) {
 gf_add_RAW ( d, a, b );
 gf_weak_reduce ( d );