Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Proving order of Curve25519 #1479

Open
andres-erbsen opened this issue Nov 5, 2022 · 1 comment
Open

Proving order of Curve25519 #1479

andres-erbsen opened this issue Nov 5, 2022 · 1 comment

Comments

@andres-erbsen
Copy link
Contributor

If we want to prove that Curve25519 has order 8*l and the base point has order l, I think we can actually do this.

|{ x^3 + 486662*x^2 + x | x \in F_p }| <= p
forall x, |{ y | y^2 = x }| <= 2
n = |{(x,y) | y^2 = x^3 + 486662*x^2 + x :> F_p}| = the order of the elliptive curve; n <= 2*p
B = (9, ?) and l from https://github.com/mit-plv/fiat-crypto/blob/master/src/Spec/Curve25519.v#L6
check that l * B = 0. this is a heavy computation, we probably want to use the montgomery ladder and a non-silly field inversion
use group theorems from coqprime or https://www.math.miami.edu/~cscaduto/teaching/461-spring-2021/Lecture%20notes/461-Lecture-10.pdf
m = order of B defined as smallest m s.t m*B=0; m <= n
0 = l * B = l%m*B, so l%m = 0
m divides l, and l is prime, so l=m
explicitly input a point of order 8 and naively check it has order 8
8 divides n, l divides n, 8*l <= n <= 2*p < 2*8*l -> n = 8*l
@andres-erbsen
Copy link
Contributor Author

@talkon I mentioned using the order of Curve25519 today; this is the tracking issue for this. I just now added a computation to check that Curve25519 basepoint times its order gives 0 at https://github.com/mit-plv/fiat-crypto/pull/1514/files . I expect that to actually make use of this you'll need to deduplicate the definitions of ladderstep and montladder, currently there are slightly different copies under Spec and Curves. Further, the current computation includes an extraneous conversion out of projective montgomery x/z coordinates to normal montgomery x coordinate, which means it would also return 0 for the point with x coordinate equal to 0 instead of the identity point.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant