From 0325aa2fd66f054bf12afc2309766a5346b375db Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Mon, 12 Feb 2018 12:56:07 +0000 Subject: [PATCH] Generalize the distinct-x proof to allow negative indices. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index aea9df42..4910eb75 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -7138,12 +7138,14 @@ The incomplete affine-Montgomery addition formulae given in The following theorem helps to determine when these incomplete addition formulae can be safely used: +\newcommand{\halfs}{\frac{s-1}{2}} + \introlist \begin{theorem} Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$. -Let $k_{\barerange{1}{2}}$ be integers in $\range{1}{(s-1)/2}$. +Let $k_{\barerange{1}{2}}$ be integers in $\rangenozero{-\halfs}{\halfs}$. Let $P_i = \scalarmult{k_i}{Q} = (x_i, y_i)$ for $i \in \range{1}{2}$, with -$k_1 \neq k_2$. Then the non-unified addition constraints +$k_1 \neq \pm k_2$. Then the non-unified addition constraints \begin{formulae} \item $\constraint{x_2 - x_1}{\lambda}{y_2 - y_1}$ 
@@ -7157,18 +7159,23 @@ implement the affine-Montgomery addition $P_1 + P_2 = (x_3, y_3)$ in all cases. \begin{proof} The given constraints are equivalent to the Montgomery addition formulae under the side condition $x_1 \neq x_2$. (Note that neither $P_i$ can be -the zero point.) Assume for a contradiction that $x_1 = x_2$. For any -$P_1 = \scalarmult{k1}{Q}$, there can be only one other point $-P_1$ with +the zero point since $k_{\barerange{1}{2}} \neq 0 \pmod s$.) +Assume for a contradiction that $x_1 = x_2$. For any +$P_1 = \scalarmult{k_1}{Q}$, there can be only one other point $-P_1$ with the same $x$-coordinate. (This follows from the fact that the curve equation determines $\pm y$ as a function of $x$.) -But $-P_1 = \scalarmult{-1}{\scalarmult{k_1}{Q}} = \scalarmult{s - k_1}{Q}$. -Since $\fun{k \typecolon \range{0}{s-1}}{\scalarmult{k}{Q} \typecolon \GroupJ}$ -is injective, either $k_2 = k_1$ (contradiction), or $k_2 = s - k_1$ -(contradiction since $k_{\barerange{1}{2}}$ are in $\range{1}{(s-1)/2}$). +But $-P_1 = \scalarmult{-1}{\scalarmult{k_1}{Q}} = \scalarmult{-k_1}{Q}$. +Since $\fun{k \typecolon \range{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$ +is injective and $k_{\barerange{1}{2}}$ are in $\range{-\halfs}{\halfs}$, +then $k_2 = \pm k_1$ (contradiction). \end{proof} The conditions of this theorem are called the \distinctXCriterion. +In particular, if $k_{\barerange{1}{2}}$ are integers in $\range{1}{\halfs}$ +then it is sufficient to require $k_1 \neq k_2$, since that implies +$k_1 \neq \pm k_2$. + \introlist Affine-Montgomery doubling can be implemented as:
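Review bot: In the first hunk, `\newcommand{\halfs}{\frac{s-1}{2}}` is defined in the body of the document, immediately before `\introlist`, rather than with the other macro definitions in the preamble; a macro introduced mid-text is easy to miss and will break if this theorem is ever moved or the section reordered. Suggest moving the definition to the preamble and giving it a less opaque name (it hard-codes the group order symbol `s`, so something like a name that mentions the order would read better next to `\range`/`\rangenozero`). Also note that the new theorem statement uses `\rangenozero{-\halfs}{\halfs}` without this patch defining `\rangenozero`, so it should be confirmed that the macro already exists in `protocol.tex`, otherwise the build will fail.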
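Review bot: In the second hunk, the rewritten proof ends with "is injective and $k_{\barerange{1}{2}}$ are in $\range{-\halfs}{\halfs}$, then $k_2 = \pm k_1$ (contradiction)", which skips the step that actually uses the $x$-coordinate argument: $x_1 = x_2$ gives $P_2 = \pm P_1 = \scalarmult{\pm k_1}{Q}$, and injectivity then yields $k_2 = \pm k_1$ only because $-k_1$ also lies in the (symmetric) range. Suggest spelling that out, e.g. "so $P_2 = \pm P_1 = \scalarmult{\pm k_1}{Q}$; since $\pm k_1 \in \range{-\halfs}{\halfs}$ and the map is injective, $k_2 = \pm k_1$, contradicting $k_1 \neq \pm k_2$." The "Since ..., then ..." construction should also become "Since ..., it follows that ...". Finally, the old domain `\range{0}{s-1}` made injectivity obvious; with the new domain `\range{-\halfs}{\halfs}` it is worth a clause noting that these are $s$ distinct residues modulo $s$ (because $s$ is odd), which is exactly why the map is injective. The added "In particular" paragraph is correct as written.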