From d2e794750b6baf116367f541295a8c835298e31c Mon Sep 17 00:00:00 2001 From: "Riad S. Wahby" Date: Sat, 26 Oct 2019 19:31:58 -0700 Subject: [PATCH 1/2] consistency: (mod N) in parens --- draft-irtf-cfrg-hash-to-curve.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/draft-irtf-cfrg-hash-to-curve.md b/draft-irtf-cfrg-hash-to-curve.md index 980ac899..dec8e21e 100644 --- a/draft-irtf-cfrg-hash-to-curve.md +++ b/draft-irtf-cfrg-hash-to-curve.md @@ -1224,7 +1224,7 @@ is_square(x) := { True, if x^((q - 1) / 2) is 0 or 1 in F; algorithm particular to F. We give algorithms for the three most common cases immediately below; other cases are analogous. - Note that Case 3 below applies to GF(p^2) when p = 3 mod 8. + Note that Case 3 below applies to GF(p^2) when p = 3 (mod 8). {{AR13}} and {{S85}} describe methods that work for other field extensions. Regardless of the method chosen, the sqrt function MUST be performed in constant time. 
@@ -2574,18 +2574,18 @@ fraction of the points on almost any curve. Ulas {{U07}} describes a simpler version of this map, and Brier et al. {{BCIMRT10}} give a further simplification, which the authors call the "simplified SWU" map. -The simplified map applies only to fields of characteristic p = 3 mod 4; +The simplified map applies only to fields of characteristic p = 3 (mod 4); Wahby and Boneh {{WB19}} generalize to fields of any characteristic. Boneh and Franklin give a deterministic algorithm mapping to certain -supersingular curves over fields of characteristic p = 2 mod 3 {{BF01}}. +supersingular curves over fields of characteristic p = 2 (mod 3) {{BF01}}. Icart gives another deterministic algorithm which maps to any curve -over a field of characteristic p = 2 mod 3 {{Icart09}}. +over a field of characteristic p = 2 (mod 3) {{Icart09}}. Several extensions and generalizations follow this work, including {{FSV09}}, {{FT10}}, {{KLR10}}, {{F11}}, and {{CK11}}. Following the work of Farashahi {{F11}}, Fouque et al. {{FJT13}} describe a -mapping to curves of characteristic p = 3 mod 4 having a number of points +mapping to curves of characteristic p = 3 (mod 4) having a number of points divisible by 4. Bernstein et al. {{BHKL13}} optimize this mapping and describe a related mapping that they call "Elligator 2," which applies to any curve over a field of odd characteristic having a point of order 2. From 94cf0597d75c1f2b7dcfe51fb4ebf7a46088fd37 Mon Sep 17 00:00:00 2001 From: Christopher Wood Date: Sat, 26 Oct 2019 19:59:05 -0700 Subject: [PATCH 2/2] Wrap a few more `mod x` expressions in parens. --- draft-irtf-cfrg-hash-to-curve.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/draft-irtf-cfrg-hash-to-curve.md b/draft-irtf-cfrg-hash-to-curve.md index dec8e21e..c77cd1ef 100644 --- a/draft-irtf-cfrg-hash-to-curve.md +++ b/draft-irtf-cfrg-hash-to-curve.md 
@@ -1436,7 +1436,7 @@ Steps: 3. for i in (1, ..., m): 4. info = info_pfx || I2OSP(i, 1) 5. t = HKDF-Expand(msg_prime, info, L) -6. e_i = OS2IP(t) mod p +6. e_i = OS2IP(t) (mod p) 7. u = (e_1, ..., e_m) 8. return u ~~~ @@ -1831,7 +1831,7 @@ For both of these curves, {{RFC7748}} lists both the Montgomery and twisted Edwa forms and gives the corresponding rational maps. The rational map for edwards25519 ({{RFC7748}}, Section 4.1) -uses the constant sqrt\_neg\_486664 = sqrt(-486664) mod 2^255 - 19. +uses the constant sqrt\_neg\_486664 = sqrt(-486664) (mod 2^255 - 19). To ensure compatibility, this constant MUST be chosen such that sgn0(sqrt\_neg\_486664) == 1. Analogous ambiguities in other standardized rational maps MUST be @@ -2932,7 +2932,7 @@ Constants: Steps: 1. t1 = u^2 2. t1 = 2 * t1 -3. xd = t1 + 1 // Nonzero: -1 is square mod p, t1 is not +3. xd = t1 + 1 // Nonzero: -1 is square (mod p), t1 is not 4. x1n = -486662 // x1 = x1n / xd = -486662 / (1 + 2 * u^2) 5. t2 = xd^2 6. gxd = t2 * xd // gxd = xd^3
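Review bot: In the @@ -2574 hunk of PATCH 1/2, the last changed line still says "mapping to curves of characteristic p = 3 (mod 4)", while the other four changed lines in the same hunk attach the characteristic to the field ("fields of characteristic", "over a field of characteristic"). Since this commit is about consistency and already touches that line, consider rewording it to "mapping to curves over fields of characteristic p = 3 (mod 4)".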
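Review bot: In the @@ -1436 hunk of PATCH 2/2, step 6 is an assignment inside a Steps block, so `mod p` there is the reduction operator rather than a congruence annotation, and `e_i = OS2IP(t) (mod p)` no longer says that e_i is the reduced representative of OS2IP(t). I would keep `e_i = OS2IP(t) mod p` for this step and reserve the parenthesized form for prose congruences such as `p = 3 (mod 4)`. If the parenthesized form is kept here, state explicitly that in pseudocode it denotes reduction into the range [0, p - 1], since implementers will read this line as the operation to perform.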