mirror of
https://github.com/openssl/openssl.git
synced 2024-12-15 06:01:37 +08:00
a822a0cb3c
Description: Mark Wooden and Franck Rondepierre noted that the square-root-mod-p operations used in the EdDSA RFC (RFC 8032) can be simplified. For Ed25519, instead of computing u*v^3 * (u * v^7)^((p-5)/8), we can compute u * (u*v)^((p-5)/8). This saves 3 multiplications and 2 squarings. For more details (including a proof), see the following message from the CFRG mailing list: https://mailarchive.ietf.org/arch/msg/cfrg/qlKpMBqxXZYmDpXXIx6LO3Oznv4/ Note that the Ed448 implementation (see ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio() in ./crypto/ec/curve448/curve448.c) appears to already use this simpler method (i.e. it does not follow the method suggested in RFC 8032). Testing: Build and then run the test suite: ./Configure -Werror --strict-warnings make update make make test Numerical testing of the square-root computation can be done using the following sage script: def legendre(x,p): return kronecker(x,p) # Ed25519 p = 2**255-19 # -1 is a square if legendre(-1,p)==1: print("-1 is a square") # suppose u/v is a square. # to compute one of its square roots, find x such that # x**4 == (u/v)**2 . # this implies # x**2 == u/v, or # x**2 == -(u/v) , # which implies either x or i*x is a square-root of u/v (where i is a square root of -1). # we can take x equal to u * (u*v)**((p-5)/8). # 2 is a generator # this can be checked by factoring p-1 # and then showing 2**((p-1)/q) != 1 (mod p) # for all primes q dividing p-1. g = 2 s = p>>2 # s = (p-1)/4 i = power_mod(g, s, p) t = p>>3 # t = (p-5)/8 COUNT = 1<<18 while COUNT > 0: COUNT -= 1 r = randint(0,p-1) # r = u/v v = randint(1,p-1) u = mod(r*v,p) # compute x = u * (u*v)**((p-5)/8) w = mod(u*v,p) x = mod(u*power_mod(w, t, p), p) # check that x**2 == r, or (i*x)**2 == r, or r is not a square rr = power_mod(x, 2, p) if rr==r: continue rr = power_mod(mod(i*x,p), 2, p) if rr==r: continue if legendre(r,p) != 1: continue print("failure!") exit() print("passed!") Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17544) |
||
|---|---|---|
| .. | ||
| asm | ||
| curve448 | ||
| build.info | ||
| curve25519.c | ||
| ec2_oct.c | ||
| ec2_smpl.c | ||
| ec_ameth.c | ||
| ec_asn1.c | ||
| ec_backend.c | ||
| ec_check.c | ||
| ec_curve.c | ||
| ec_cvt.c | ||
| ec_deprecated.c | ||
| ec_err.c | ||
| ec_key.c | ||
| ec_kmeth.c | ||
| ec_lib.c | ||
| ec_local.h | ||
| ec_mult.c | ||
| ec_oct.c | ||
| ec_pmeth.c | ||
| ec_print.c | ||
| ecdh_kdf.c | ||
| ecdh_ossl.c | ||
| ecdsa_ossl.c | ||
| ecdsa_sign.c | ||
| ecdsa_vrf.c | ||
| eck_prn.c | ||
| ecp_mont.c | ||
| ecp_nist.c | ||
| ecp_nistp224.c | ||
| ecp_nistp256.c | ||
| ecp_nistp521.c | ||
| ecp_nistputil.c | ||
| ecp_nistz256_table.c | ||
| ecp_nistz256.c | ||
| ecp_oct.c | ||
| ecp_ppc.c | ||
| ecp_s390x_nistp.c | ||
| ecp_smpl.c | ||
| ecx_backend.c | ||
| ecx_backend.h | ||
| ecx_key.c | ||
| ecx_meth.c | ||
| ecx_s390x.c | ||