One issue is that the mladder function is missing the final conditional swap. Thanks to Rene Struik for pointing this out.
On Sat, Mar 17, 2018 at 5:18 PM, David Lazar <laz...@csail.mit.edu> wrote:
> Hi,
>
> I'm trying to use the amd64-optimized curve25519 implementation with unclamped scalars. I'm using the Go library, but my question applies to the SUPERCOP sources too.
>
> I've deleted lines 65-67 (the clamping) here:
>
> https://github.com/golang/crypto/blob/c57d4a71915a248dbad846d60825145062b4c18e/curve25519/mont25519_amd64.go#L65
>
> I've also changed the 6 to a 7 on line 43:
>
> https://github.com/golang/crypto/blob/c57d4a71915a248dbad846d60825145062b4c18e/curve25519/mont25519_amd64.go#L43
>
> This seems to produce the correct answers for scalars where the low 3 bits are zero.
>
> Where in the amd64 code is it assumed that the low 3 bits are zero? Is there any easy way to fix the code to work when the low 3 bits are non-zero?
>
> Thanks,
> David

_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves
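An added illustration of the point made in the reply (this is not code from the thread, the Go library or SUPERCOP): a plain-Python X25519 ladder in the RFC 7748 form, with the final conditional swap made optional. For a clamped scalar the low three bits are zero, so the swap left pending after the last bit is a no-op and the result matches the RFC 7748 test vector either way; for an odd scalar the ladder without the final swap returns x([k+1]P) instead of x([k]P). The `ladder`, `cswap` and `clamp` names and the odd test scalars are this example's own choices.

```python
# Added illustration, not code from the thread, the Go library or SUPERCOP:
# the RFC 7748 form of the X25519 ladder with the final conditional swap made
# optional, to show why leaving it out only works for clamped scalars.
P = 2**255 - 19   # field prime
A24 = 121665      # (A - 2) / 4 for curve25519's A = 486662

def cswap(swap, a, b):
    """Swap a and b iff swap == 1 (mask form; Python ints are not constant-time)."""
    dummy = swap * (a ^ b)
    return a ^ dummy, b ^ dummy

def ladder(k, u, final_cswap=True):
    """x-coordinate of [k]P for P with u-coordinate u, for any k < 2**256."""
    x1 = u % P
    x2, z2 = 1, 0    # [0]P, the point at infinity in projective form
    x3, z3 = x1, 1   # [1]P
    swap = 0
    for t in reversed(range(256)):
        kt = (k >> t) & 1
        swap ^= kt                      # swap only if this bit differs from the last
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        da = (x3 - z3) * a % P
        cb = (x3 + z3) * b % P
        x3 = (da + cb) ** 2 % P         # differential addition [n]P + [n+1]P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P                # doubling
        z2 = e * (aa + A24 * e) % P
    # After the loop the registers are still swapped iff the last bit of k was 1,
    # so x2 then holds [k+1]P rather than [k]P; the final swap undoes that.
    if final_cswap:
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P

def clamp(k):
    """RFC 7748 clamping: clear bits 0-2 and 255, set bit 254."""
    return (k & ~7 & ((1 << 255) - 1)) | (1 << 254)

# RFC 7748 section 5.2: X25519 of scalar 9 (clamped) and u = 9, little-endian u.
RFC7748_ONE_ITERATION = int.from_bytes(bytes.fromhex(
    "422c8e7a6227d7bca1350b3e2bb7279f7897b87bb6854b783c60e80311ae3079"), "little")
```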