[curves] curve25519 without clamping

David Lazar lazard at csail.mit.edu
Wed Mar 21 07:43:00 PDT 2018


One issue is that the mladder function is missing the final
conditional swap. Thanks to Rene Struik for pointing this out.

On Sat, Mar 17, 2018 at 5:18 PM, David Lazar <lazard at csail.mit.edu> wrote:
> Hi,
>
> I'm trying to use the amd64-optimized curve25519 implementation with
> unclamped scalars. I'm using the Go library, but my question applies
> to the SUPERCOP sources too.
>
> I've deleted lines 65-67 (the clamping) here:
>
> https://github.com/golang/crypto/blob/c57d4a71915a248dbad846d60825145062b4c18e/curve25519/mont25519_amd64.go#L65
>
> I've also changed the 6 to a 7 on line 43:
>
> https://github.com/golang/crypto/blob/c57d4a71915a248dbad846d60825145062b4c18e/curve25519/mont25519_amd64.go#L43
>
> This seems to produce the correct answers for scalars where the low 3
> bits are zero.
>
> Where in the amd64 code is it assumed that the low 3 bits are zero? Is
> there any easy way to fix the code to work when the low 3 bits are
> non-zero?
>
> Thanks,
> David
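For reference, an added example (not code from this thread and not the golang.org/x/crypto implementation): the RFC 7748 Montgomery ladder in plain Python with the final conditional swap explicit and switchable, so you can check directly that dropping it is harmless for clamped scalars and wrong for unclamped ones. The `bits` parameter here is assumed to play the role of the 6-to-7 change in the Go loop (start at bit 255 instead of bit 254); the helper and constant names are this example's own.

```python
# Added reference example, not from the thread or from golang.org/x/crypto:
# RFC 7748 X25519 ladder with the final conditional swap made explicit.
P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4

def cswap(swap, a, b):
    # Arithmetic swap (no data-dependent branch); swap is 0 or 1.
    d = (a ^ b) * swap
    return a ^ d, b ^ d

def ladder(k, u, final_swap=True, bits=255):
    # Processes bits bits-1 .. 0 of the integer scalar k.
    # bits=256 also consumes bit 255 (assumed analogue of the 6 -> 7 change).
    x1 = u % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(bits - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P; aa = a * a % P
        b = (x2 - z2) % P; bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if final_swap:
        # Undo the swap left pending by the last bit. This is a no-op when
        # the last bit processed is 0, which clamping (low 3 bits cleared)
        # guarantees; for an unclamped odd scalar it is required.
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P

def x25519(scalar, u):
    # RFC 7748 X25519: 32-byte little-endian inputs, clamped scalar.
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64
    ku = int.from_bytes(u, "little") & ((1 << 255) - 1)
    return ladder(int.from_bytes(k, "little"), ku).to_bytes(32, "little")

BASEPOINT = b"\x09" + b"\x00" * 31
```

With `final_swap=False`, `ladder(1, 9)` no longer returns 9 (it returns the x-coordinate of 2·B instead), while `ladder(8, 9)` is unchanged, which is exactly the low-3-bits-zero behaviour described above.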

