Merge pull request cfrg#178 from kwantam/fix_p256_map

fix p256 map in appx for new Z value in suites
kwantam · Oct 27, 2019 · f294fed · f294fed
2 parents 79e2b9d + e00dfc5
commit f294fed
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 12 deletions.
diff --git a/draft-irtf-cfrg-hash-to-curve.md b/draft-irtf-cfrg-hash-to-curve.md
@@ -2874,18 +2874,18 @@ Constants:
 1.   B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
 2.  c1 = B / 3
 3.  c2 = (p - 3) / 4          // Integer arithmetic
-4.  c3 = sqrt(8)
+4.  c3 = sqrt(1000)
 
 Steps:
 1.   t1 = u^2
-2.   t3 = -2 * t1
+2.   t3 = -10 * t1            // Z * u^2
 3.   t2 = t3^2
 4.   xd = t2 + t3
 5.  x1n = xd + 1
 6.  x1n = x1n * B
 7.   xd = xd * 3
 8.   e1 = xd == 0
-9.   xd = CMOV(xd, 6, e1)     // If xd == 0, set xd = Z * A == 6
+9.   xd = CMOV(xd, 30, e1)    // If xd == 0, set xd = Z * A == 30
 10.  t2 = xd^2
 11. gxd = t2 * xd             // gxd == xd^3
 12.  t2 = -3 * t2
@@ -2899,8 +2899,8 @@ Steps:
 20.  t4 = t4 * t2             // gx1 * gxd^3
 21.  y1 = t4^c2               // (gx1 * gxd^3)^((p - 3) / 4)
 22.  y1 = y1 * t2             // gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
-23. x2n = t3 * x1n            // x2 = x2n / xd = -2 * u^2 * x1n / xd
-24.  y2 = y1 * c3
+23. x2n = t3 * x1n            // x2 = x2n / xd = -10 * u^2 * x1n / xd
+24.  y2 = y1 * c3             // y2 = y1 * sqrt(-Z^3)
 25.  y2 = y2 * t1
 26.  y2 = y2 * u
 27.  t2 = y1^2

diff --git a/poc/sswu_p256.sage b/poc/sswu_p256.sage
@@ -6,7 +6,7 @@ p = 2^256 - 2^224 + 2^192 + 2^96 - 1
 F = GF(p)
 A = F(-3)
 B = F(0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b)
-Z = F(-2)
+Z = F(-10)
 
 def sqrt(x):
     assert F(x).is_square()
@@ -24,14 +24,16 @@ def sswu_p256(u):
     den = Z^2 * u^4 + Z * u^2
     if den == 0:
         x1 = B / (Z * A)
+        skip_gx2_assert = True
     else:
         x1 = (-B / A) * (1 + 1 / den)
+        skip_gx2_assert = False
 
     gx1 = x1^3 + A * x1 + B
 
     x2 = Z * u^2 * x1
     gx2 = x2^3 + A * x2 + B
-    assert gx2 == Z^3 * u^6 * gx1
+    assert skip_gx2_assert or gx2 == Z^3 * u^6 * gx1
 
     if F(gx1).is_square():
         x = x1
@@ -48,17 +50,17 @@ def sswu_p256(u):
 def map_to_curve_simple_swu_p256(u):
     c1 = B / F(3)
     c2 = (p - 3) // 4
-    c3 = F(8).sqrt()
+    c3 = F(1000).sqrt()
 
     t1 = u^2
-    t3 = -2 * t1
+    t3 = -10 * t1
     t2 = t3^2
     xd = t2 + t3
     x1n = xd + 1
     x1n = x1n * B
     xd = xd * 3
     e1 = xd == 0
-    xd = CMOV(xd, 6, e1)
+    xd = CMOV(xd, 30, e1)
     t2 = xd^2
     gxd = t2 * xd
     t2 = -3 * t2
@@ -112,8 +114,9 @@ def map_to_curve_simple_swu(u):
     y = CMOV(-y, y, e3)
     return (x, y)
 
-def test_map_p256():
-    u = F.random_element()
+def test_map_p256(u=None):
+    if u is None:
+        u = F.random_element()
     (xn, xd, yn, yd) = map_to_curve_simple_swu_p256(u)
     x = xn / xd
     y = yn / yd
@@ -126,6 +129,7 @@ def test_map_p256():
     assert ypp == y
 
 def test_p256():
+    test_map_p256(F(0))
     for _ in range(0, 1024):
         test_map_p256()