Hi, I'm trying to use the amd64-optimized curve25519 implementation with unclamped scalars. I'm using the Go library, but my question applies to the SUPERCOP sources too.
I've deleted lines 65-67 (the clamping) here:
https://github.com/golang/crypto/blob/c57d4a71915a248dbad846d60825145062b4c18e/curve25519/mont25519_amd64.go#L65

I've also changed the 6 to a 7 on line 43:
https://github.com/golang/crypto/blob/c57d4a71915a248dbad846d60825145062b4c18e/curve25519/mont25519_amd64.go#L43

This seems to produce the correct answers for scalars where the low 3 bits are zero. Where in the amd64 code is it assumed that the low 3 bits are zero? Is there any easy way to fix the code to work when the low 3 bits are non-zero?

Thanks,
David

_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves
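A reference ladder for cross-checking unclamped scalars, added here as an example; it is not code from the Go library, from SUPERCOP, or from the post above, and it says nothing about where the amd64 code makes its assumption. It follows the Montgomery ladder as RFC 7748 section 5 describes it, on math/big (variable-time, so for test comparison only, never for real keys), walks all 256 scalar bits, and performs the final conditional swap that the last bit leaves pending, so it is correct for any scalar, including ones whose low 3 bits are set. The function names (Clamp, Ladder, ScalarMult, DoubleU, fromHex) are mine. The check that 8*B matches three affine doublings corresponds to the "low 3 bits zero" case that already works; 1*B and 2*B exercise the case that does not.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"math/big"
)

var p = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19)) // 2^255 - 19
var a24 = big.NewInt(121665)                                                    // (A - 2) / 4 for A = 486662

func mul(a, b *big.Int) *big.Int { return new(big.Int).Mod(new(big.Int).Mul(a, b), p) }
func add(a, b *big.Int) *big.Int { return new(big.Int).Mod(new(big.Int).Add(a, b), p) }
func sub(a, b *big.Int) *big.Int { return new(big.Int).Mod(new(big.Int).Sub(a, b), p) }
func inv(a *big.Int) *big.Int   { return new(big.Int).Exp(a, new(big.Int).Sub(p, big.NewInt(2)), p) }

// Clamp is RFC 7748 clamping on a little-endian scalar: clear low 3 bits, clear bit 255, set bit 254.
func Clamp(s [32]byte) [32]byte {
	s[0] &= 248
	s[31] &= 127
	s[31] |= 64
	return s
}

// big.Int is big-endian and the wire format is little-endian, so reverse in both directions.
func reverse(b [32]byte) [32]byte {
	for i, j := 0, 31; i < j; i, j = i+1, j-1 {
		b[i], b[j] = b[j], b[i]
	}
	return b
}
func decodeLE(b [32]byte) *big.Int { r := reverse(b); return new(big.Int).SetBytes(r[:]) }
func encodeLE(x *big.Int) [32]byte {
	var be [32]byte
	new(big.Int).Mod(x, p).FillBytes(be[:])
	return reverse(be)
}

// Ladder returns the u-coordinate of k*P for any 256-bit scalar k, used exactly as
// given. It is the RFC 7748 section 5 ladder with two details that matter for
// unclamped k: it walks all 256 bits (leading zero bits leave (1:0),(u:1) unchanged
// up to scaling) and it applies the swap the last bit leaves pending, which in this
// formulation can only be skipped when bit 0 of k is zero.
func Ladder(k, u *big.Int) *big.Int {
	x2, z2 := big.NewInt(1), big.NewInt(0)
	x3, z3 := new(big.Int).Set(u), big.NewInt(1)
	swap := uint(0)
	for t := 255; t >= 0; t-- {
		kt := k.Bit(t)
		swap ^= kt
		if swap == 1 {
			x2, x3, z2, z3 = x3, x2, z3, z2
		}
		swap = kt
		A, B := add(x2, z2), sub(x2, z2)
		AA, BB := mul(A, A), mul(B, B)
		E := sub(AA, BB)
		C, D := add(x3, z3), sub(x3, z3)
		DA, CB := mul(D, A), mul(C, B)
		s, d := add(DA, CB), sub(DA, CB)
		x3, z3 = mul(s, s), mul(u, mul(d, d))
		x2, z2 = mul(AA, BB), mul(E, add(AA, mul(a24, E)))
	}
	if swap == 1 {
		x2, x3, z2, z3 = x3, x2, z3, z2
	}
	return mul(x2, inv(z2))
}

// ScalarMult runs the ladder on little-endian inputs: clamp=true is RFC 7748 X25519,
// clamp=false uses the scalar as given. The top bit of u is masked either way.
func ScalarMult(scalar, u [32]byte, clamp bool) [32]byte {
	if clamp {
		scalar = Clamp(scalar)
	}
	u[31] &= 127
	return encodeLE(Ladder(decodeLE(scalar), decodeLE(u)))
}

// DoubleU is the affine doubling x(2P) = (u^2-1)^2 / (4u(u^2+486662u+1)) on
// v^2 = u^3 + 486662u^2 + u, an independent check of the ladder on small scalars.
func DoubleU(u *big.Int) *big.Int {
	u2 := mul(u, u)
	num := sub(u2, big.NewInt(1))
	den := add(u2, add(mul(big.NewInt(486662), u), big.NewInt(1)))
	return mul(mul(num, num), inv(mul(big.NewInt(4), mul(u, den))))
}

func fromHex(s string) (out [32]byte) {
	b, err := hex.DecodeString(s)
	if err != nil || len(b) != 32 {
		panic("need exactly 32 bytes of hex")
	}
	copy(out[:], b)
	return out
}

func main() {
	// RFC 7748 section 5.2, first test vector (clamped path).
	k := fromHex("a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4")
	u := fromHex("e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c")
	fmt.Printf("X25519 = %x\n", ScalarMult(k, u, true))
	for _, n := range []byte{1, 2, 8, 9} { // small unclamped scalars on the base point u = 9
		fmt.Printf("%d*B = %x\n", n, ScalarMult([32]byte{n}, [32]byte{9}, false))
	}
}
```

Feeding the same inputs to the modified amd64 code (scalar 1 should return the base point itself, scalar 2 should match DoubleU(9)) and diffing against this reference shows which scalars the fast path gets wrong without first having to locate the assumption in the assembly.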