Hello Van Gegel,

You must select sign(v), the sign of the square root, and bit 255 all at random, and the point can’t be confined to a subgroup of curve25519.

But also, this is for a PAKE right? I thought you were implementing a two-point EKE to avoid Elligator. If you’re implementing Elligator, why not use SPEKE, where you would only need the forward direction?

— Mike

Sent from my phone. Please excuse brevity and typos.

> On Mar 14, 2018, at 05:46, Van Gegel <[email protected]> wrote:
>
> Hello, Messaging!
>
> I'm trying to adapt Elligator2 p2r() to the uNaCl X25519 library for
> embedded systems.
> The original p2r() uses the sign(v) to select between sqrt(-u/(2(u+A))) and
> sqrt(-(u+A)/(2u)).
> But X25519 point has no v ( sign(v) is always assumed to be 0 ).
> Can I use sign(v)=0 or must select the sign(v) randomly to get a completely
> random representation string of X25519 u-point with p2r()?
>
> Thanks,
> Van Gegel.
> _______________________________________________
> Messaging mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/messaging
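The three random choices named in the reply, as an added Python sketch that is not code from this thread or from uNaCl: `p2r`, `r2p` and the other function names are hypothetical, `v_sign = 0` selects the first square root from the question, and the subgroup requirement is not covered here. Either `v_sign` decodes to the same u, so fixing it to 0 only removes half of the valid representatives, which is what makes the output distinguishable from random bytes.

```python
import secrets

P = 2**255 - 19          # field prime of curve25519
A = 486662               # Montgomery coefficient: v^2 = u^3 + A*u^2 + u

def is_square(x):
    return pow(x % P, (P - 1) // 2, P) != P - 1

def sqrt_mod(x):
    """Square root of a known square, valid because P = 5 (mod 8)."""
    x %= P
    c = pow(x, (P + 3) // 8, P)
    if c * c % P != x:
        c = c * pow(2, (P - 1) // 4, P) % P   # multiply by sqrt(-1)
    return c

def on_curve(u):
    return is_square(u * u * u + A * u * u + u)

def p2r(u, v_sign, r_sign, top_bit):
    """Representative of u as a 256-bit integer, or None if u has none."""
    u %= P
    # u = 0 is left out to keep the sketch short; u = -A has no representative.
    if u == 0 or (u + A) % P == 0 or not is_square(-2 * u * (u + A)):
        return None
    if v_sign == 0:
        r2 = -u * pow(2 * (u + A), -1, P)      # sqrt(-u/(2(u+A)))
    else:
        r2 = -(u + A) * pow(2 * u, -1, P)      # sqrt(-(u+A)/(2u))
    r = sqrt_mod(r2)
    r = min(r, P - r)                          # canonical root first ...
    if r_sign:
        r = P - r                              # ... then the chosen sign
    return r | (top_bit << 255)

def r2p(rep):
    """Forward map: representative back to the u-coordinate."""
    r = (rep & (2**255 - 1)) % P               # bit 255 carries no information
    w = -A * pow(1 + 2 * r * r, -1, P) % P
    return w if on_curve(w) else (-w - A) % P

def random_p2r(u):
    """All three bits drawn fresh for every encoding, as the reply requires."""
    return p2r(u, secrets.randbits(1), secrets.randbits(1), secrets.randbits(1))
```

Roughly half of all u-coordinates have no representative, so a caller has to generate a fresh key and retry when `p2r` returns `None`.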
