[curves] curve25519 without clamping

David Lazar lazard at csail.mit.edu
Sat Mar 17 14:18:57 PDT 2018


Hi,

I'm trying to use the amd64-optimized curve25519 implementation with
unclamped scalars. I'm using the Go library, but my question applies
to the SUPERCOP sources too.

I've deleted lines 65-67 (the clamping) here:

https://github.com/golang/crypto/blob/c57d4a71915a248dbad846d60825145062b4c18e/curve25519/mont25519_amd64.go#L65

I've also changed the 6 to a 7 on line 43:

https://github.com/golang/crypto/blob/c57d4a71915a248dbad846d60825145062b4c18e/curve25519/mont25519_amd64.go#L43

This seems to produce the correct answers for scalars where the low 3
bits are zero.

Where in the amd64 code is it assumed that the low 3 bits are zero? Is
there any easy way to fix the code to work when the low 3 bits are
non-zero?

Thanks,
David
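For readers following the question, an added reference example (not code from the post, from golang.org/x/crypto or from SUPERCOP): a plain Python Montgomery ladder written from RFC 7748 section 5. It shows what clamping does to a scalar and that the textbook ladder itself, iterating over all 256 bits, has no requirement on the low three bits, so any such requirement belongs to the optimized implementation rather than to the curve arithmetic. Dropping the clamp also drops the cofactor-clearing effect of the low three bits, so an unclamped scalar applied to a low-order or twist point no longer yields the same result as a multiple-of-8 scalar would; the `ladder` checks below make that visible. The test vectors are the RFC 7748 section 6.1 values; branching on the swap bit is used instead of a constant-time swap because this is a correctness reference, not production code.

```python
# Added reference implementation of X25519 (RFC 7748 section 5), written for
# illustration; it is not the Go or SUPERCOP amd64 code the post discusses.

P = 2**255 - 19          # field prime for Curve25519
A24 = 121665             # (486662 - 2) / 4
BASEPOINT_U = 9          # u-coordinate of the standard base point
BASEPOINT_BYTES = bytes([9]) + bytes(31)

# RFC 7748 section 6.1 test vectors (Alice/Bob key agreement).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def clamp(scalar_bytes: bytes) -> int:
    """RFC 7748 clamping: clear the low 3 bits (forces a multiple of 8, which
    clears the cofactor), clear bit 255 and set bit 254 (fixed bit length)."""
    k = bytearray(scalar_bytes)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u_bytes: bytes) -> int:
    """Decode a little-endian u-coordinate, masking the unused top bit."""
    return int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)


def ladder(k: int, u: int) -> int:
    """x-only Montgomery ladder: u-coordinate of k*P for any 256-bit k.
    Nothing here assumes the scalar is clamped; odd scalars and scalars with
    bit 255 set are simply more ladder steps."""
    x1 = u % P
    x2, z2 = 1, 0          # point at infinity in projective form
    x3, z3 = x1, 1         # the input point
    swap = 0
    for t in range(255, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:           # the RFC uses a constant-time cswap here
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return x2 * pow(z2, P - 2, P) % P   # z2 == 0 gives 0, as in the RFC


def x25519(scalar_bytes: bytes, u_bytes: bytes) -> bytes:
    """Standard X25519: clamp the scalar, then run the ladder."""
    return ladder(clamp(scalar_bytes), decode_u(u_bytes)).to_bytes(32, "little")


def x25519_unclamped(scalar_bytes: bytes, u_bytes: bytes) -> bytes:
    """The same ladder fed the raw 256-bit scalar, no clamping at all."""
    k = int.from_bytes(scalar_bytes, "little")
    return ladder(k, decode_u(u_bytes)).to_bytes(32, "little")


if __name__ == "__main__":
    print("clamped  :", x25519(ALICE_PRIV, BASEPOINT_BYTES).hex())
    print("unclamped:", x25519_unclamped(ALICE_PRIV, BASEPOINT_BYTES).hex())
    print("15*P == 3*(5*P):", ladder(15, BASEPOINT_U) == ladder(3, ladder(5, BASEPOINT_U)))
```

Running it shows the clamped and unclamped results for the same private key differ (the raw bytes have bit 255 and the low bits in arbitrary states), while feeding an already-clamped scalar to `x25519_unclamped` reproduces the standard output. The `ladder(15, u) == ladder(3, ladder(5, u))` check uses an odd scalar whose low three bits are all set, which is exactly the case the post asks about; a reference implementation handles it because the ladder is just repeated differential addition.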

