[curves] curve25519 without clamping
David Lazar
lazard at csail.mit.edu
Sat Mar 17 14:18:57 PDT 2018
Hi,
I'm trying to use the amd64-optimized curve25519 implementation with
unclamped scalars. I'm using the Go library, but my question applies
to the SUPERCOP sources too.
I've deleted lines 65-67 (the clamping) here:
https://github.com/golang/crypto/blob/c57d4a71915a248dbad846d60825145062b4c18e/curve25519/mont25519_amd64.go#L65
I've also changed the 6 to a 7 on line 43:
https://github.com/golang/crypto/blob/c57d4a71915a248dbad846d60825145062b4c18e/curve25519/mont25519_amd64.go#L43
This seems to produce the correct answers for scalars where the low 3
bits are zero.
Where in the amd64 code is it assumed that the low 3 bits are zero? Is
there any easy way to fix the code to work when the low 3 bits are
non-zero?
Thanks,
David