lwig                                                          R. Struik
Internet-Draft                               Struik Security Consultancy
Intended status: Informational                             March 9, 2020
Expires: September 10, 2020

               Alternative Elliptic Curve Representations
                draft-ietf-lwig-curve-representations-09

Abstract

This document specifies how to represent Montgomery curves and (twisted) Edwards curves as curves in short-Weierstrass form and illustrates how this can be used to carry out elliptic curve computations using existing implementations of, e.g., ECDSA and ECDH using NIST prime curves. We also provide extensive background material that may be useful for implementers of elliptic curve cryptography.

Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 10, 2020.

Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Fostering Code Reuse with New Elliptic Curves
2. Specification of Wei25519
3. Use of Representation Switches
4. Examples
   4.1. Implementation of X25519
   4.2. Implementation of Ed25519
   4.3. Specification of ECDSA25519
   4.4. Other Uses (Wei448, ECDH448, ECDSA448, and Others)
5. Caveats
   5.1. Wire Format
   5.2. Representation Conventions
   5.3. Domain Parameters
6. Implementation Considerations
7. Implementation Status
8. Security Considerations
9. Privacy Considerations
10. IANA Considerations
   10.1. IANA Considerations for Wei25519
      10.1.1. COSE Elliptic Curves Registration
      10.1.2. COSE Algorithms Registration (1/2)
      10.1.3. COSE Algorithms Registration (2/2)
      10.1.4. JOSE Elliptic Curves Registration
      10.1.5. JOSE Algorithms Registration (1/2)
      10.1.6. JOSE Algorithms Registration (2/2)
   10.2. IANA Considerations for Wei448
      10.2.1. COSE Elliptic Curves Registration
      10.2.2. COSE Algorithms Registration (1/2)
      10.2.3. COSE Algorithms Registration (2/2)
      10.2.4. JOSE Elliptic Curves Registration
      10.2.5. JOSE Algorithms Registration (1/2)
      10.2.6. JOSE Algorithms Registration (2/2)
11. Acknowledgements
12. References
   12.1. Normative References
   12.2. Informative References
Appendix A. Some (Non-Binary) Elliptic Curves
   A.1. Curves in Short-Weierstrass Form
   A.2. Montgomery Curves
   A.3. Twisted Edwards Curves
Appendix B. Elliptic Curve Nomenclature and Finite Fields
   B.1. Elliptic Curve Nomenclature
   B.2. Finite Fields
Appendix C. Elliptic Curve Group Operations
   C.1. Group Laws for Weierstrass Curves
   C.2. Group Laws for Montgomery Curves
   C.3. Group Laws for Twisted Edwards Curves
Appendix D. Relationship Between Curve Models
   D.1. Mapping between Twisted Edwards Curves and Montgomery Curves
   D.2. Mapping between Montgomery Curves and Weierstrass Curves
   D.3. Mapping between Twisted Edwards Curves and Weierstrass Curves
Appendix E. Curve25519 and Cousins
   E.1. Curve Definition and Alternative Representations
   E.2. Switching between Alternative Representations
   E.3. Domain Parameters
Appendix F. Further Mappings
   F.1. Isomorphic Mapping between Twisted Edwards Curves
   F.2. Isomorphic Mapping between Montgomery Curves
   F.3. Isomorphic Mapping between Weierstrass Curves
   F.4. Isogenous Mapping between Weierstrass Curves
Appendix G. Further Cousins of Curve25519
   G.1. Further Alternative Representations
   G.2. Further Switching
   G.3. Further Domain Parameters
   G.4. Isogeny Details
      G.4.1. Isogeny Parameters
      G.4.2. Dual Isogeny Parameters
Appendix H. Point Compression
   H.1. Point Compression for Weierstrass Curves
   H.2. Point Compression for Montgomery Curves
   H.3. Point Compression for Twisted Edwards Curves
Appendix I. Data Conversions
   I.1. Conversion between Bit Strings and Integers (BS2I, I2BS)
   I.2. Conversion between Octet Strings and Integers (OS2I, I2OS)
   I.3. Conversion between Octet Strings and Bit Strings (OS2BS, BS2OS)
   I.4. Conversion between Field Elements and Octet Strings (FE2OS, OS2FE)
   I.5. Conversion between Elements of Z mod n and Octet Strings (ZnE2OS, OS2ZnE)
   I.6. Ordering Conventions
Appendix J. Representation Examples Curve25519 Family Members
   J.1. Example with Curve25519
   J.2. Example with Edwards25519
   J.3. Example with Wei25519
   J.4. Example with Wei25519.2
   J.5. Example with Wei25519.-3
Appendix K. Auxiliary Functions
   K.1. Square Roots in GF(q)
      K.1.1. Square Roots in GF(q), where q = 3 (mod 4)
      K.1.2. Square Roots in GF(q), where q = 5 (mod 8)
   K.2. Inversion
   K.3. Mappings to Curve Points
      K.3.1. Mapping to Points of Weierstrass Curve
      K.3.2. Mapping to Points of Montgomery Curve
      K.3.3. Mapping to Points of Twisted Edwards Curve
   K.4. Mappings to High-Order Curve Points
      K.4.1. Mapping to High-Order Points of Weierstrass Curve
      K.4.2. Mapping to High-Order Points of Montgomery Curve
      K.4.3. Mapping to High-Order Points of Twisted Edwards Curve
   K.5. Randomized Representation of Curve Points
Appendix L. Curve secp256k1 and Friend
   L.1. Curve Definition and Alternative Representation
   L.2. Switching Between Representations
   L.3. Domain Parameters
   L.4. Isogeny Details
      L.4.1. Isogeny Parameters
      L.4.2. Dual Isogeny Parameters
Appendix M. Curve448 and Cousins
   M.1. Curve Definition and Alternative Representations
   M.2. Switching between Alternative Representations
   M.3. Domain Parameters
Appendix N. Further Cousins of Curve448
   N.1. Further Alternative Representations
   N.2. Further Switching
   N.3. Further Domain Parameters
   N.4. Isogeny Details
      N.4.1. Isogeny Parameters
      N.4.2. Dual Isogeny Parameters
Appendix O. Representation Examples Curve448 Family Members
   O.1. Example with Curve448
   O.2. Example with Ed448
   O.3. Example with Wei448
   O.4. Example with Wei448.-3
   O.5. Example with Edwards448
Author's Address

1. Fostering Code Reuse with New Elliptic Curves

Elliptic curves can be represented using different curve models. Recently, IETF standardized elliptic curves that are claimed to have better performance and improved robustness against "real world" attacks than curves represented in the traditional "short" Weierstrass model. This document specifies an alternative representation of points of Curve25519, a so-called Montgomery curve, and of points of Edwards25519, a so-called twisted Edwards curve, which are both specified in [RFC7748], as points of a specific so-called "short" Weierstrass curve, called Wei25519. We also define how to efficiently switch between these different representations.
Use of Wei25519 allows easy definition of new instantiations of signature schemes and key agreement schemes already specified for traditional NIST prime curves, thereby allowing easy integration with existing specifications, such as NIST SP 800-56a [SP-800-56a], FIPS Pub 186-4 [FIPS-186-4], and ANSI X9.62-2005 [ANSI-X9.62], and fostering code reuse on platforms that already implement some of these schemes using elliptic curve arithmetic for curves in "short" Weierstrass form (see Appendix C.1).

2. Specification of Wei25519

For the specification of Wei25519 and its relationship to Curve25519 and Edwards25519, see Appendix E. For further details and background information on elliptic curves, we refer to the other appendices.

The use of Wei25519 allows reuse of existing generic code that implements short-Weierstrass curves, such as the NIST curve P-256, to also implement the CFRG curves Curve25519 and Edwards25519. (Here, generic code refers to an implementation that does not depend on hardcoded domain parameters (see also Section 6).)

We also cater to reusing of existing code where some domain parameters may have been hardcoded, thereby widening the scope of applicability. To this end, we specify the short-Weierstrass curves Wei25519.2 and Wei25519.-3, with hardcoded domain parameter a=2 and a=-3 (mod p), respectively; see Appendix G. (Here, p is the characteristic of the field over which these curves are defined.)

3. Use of Representation Switches

The curves Curve25519, Edwards25519, and Wei25519, as specified in Appendix E.3, are all isomorphic, with the transformations of Appendix E.2. These transformations map the specified base point of each of these curves to the specified base point of each of the other curves.
Consequently, a public-private key pair (k,R:=k*G) for any one of these curves corresponds, via these isomorphic mappings, to the public-private key pair (k, R':=k*G') for each of these other curves (where G and G' are the corresponding base points of these curves). This observation extends to the case where one also considers curve Wei25519.2 (which has hardcoded domain parameter a=2), as specified in Appendix G.3, since it is isomorphic to Wei25519, with the transformation of Appendix G.2, and, thereby, also isomorphic to Curve25519 and Edwards25519.

The curve Wei25519.-3 (which has hardcoded domain parameter a=-3 (mod p)) is not isomorphic to the curve Wei25519, but is related in a slightly weaker sense: the curve Wei25519 is isogenous to the curve Wei25519.-3, where the mapping of Appendix G.2 is an isogeny of degree l=47 that maps the specified base point G of Wei25519 to the specified base point G' of Wei25519.-3 and where the so-called dual isogeny (which maps Wei25519.-3 to Wei25519) has the same degree l=47, but does not map G' to G, but to a fixed multiple hereof, where this multiple is l=47. Consequently, a public-private key pair (k,R:=k*G) for Wei25519 corresponds to the public-private key pair (k, R':=k*G') for Wei25519.-3 (via the l-isogeny), whereas the public-private key pair (k, R':=k*G') corresponds to the public-private key pair (l*k, l*R=l*k*G) of Wei25519 (via the dual isogeny). (Note the extra scalar l=47 here.)

Alternative curve representations can, therefore, be used in any cryptographic scheme that involves computations on public-private key pairs, where implementations may carry out computations on the corresponding object for the isomorphic or isogenous curve and convert the results back to the original curve (where, in case this involves an l-isogeny, one has to take into account the factor l). This includes use with elliptic-curve based signature schemes and key agreement and key transport schemes.
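The key-pair correspondence just described, applied to the X25519 procedure of Section 4.1 below, as an added worked example in Python that is not part of this draft: the Wei25519 coefficients are computed from the draft's stated p = 2^255-19 and Curve25519 parameter A = 486662 rather than copied, the scalar multiplication is plain double-and-add with generic short-Weierstrass formulas (illustrative, not constant-time), and the check values are the public RFC 7748 Section 6.1 test vectors, which this draft itself does not contain.

```python
# Added example (not from the draft): X25519 carried out with generic
# short-Weierstrass arithmetic on Wei25519, following Section 4.1. Every
# constant is derived from values the draft states: p = 2^255-19 and the
# Curve25519 Montgomery coefficient A = 486662 (with B = 1).
P = 2**255 - 19
A = 486662
INV3 = pow(3, P - 2, P)       # 1/3 mod p
DELTA = A * INV3 % P          # A/3 mod p: the "single modular addition"
# Wei25519: y^2 = x^3 + a*x + b, from substituting u = x - A/3 into
# v^2 = u^3 + A*u^2 + u (the Appendix D.2 map of the draft with B = 1).
WEI_A = (1 - A * A * INV3) % P
WEI_B = (2 * A**3 - 9 * A) * pow(27, P - 2, P) % P

def mont_to_wei(u, v):
    """Curve25519 (u, v) -> Wei25519 (x, y): x = u + A/3, y = v."""
    return ((u + DELTA) % P, v % P)

def wei_to_mont(x, y):
    """Inverse map: u = x - A/3, v = y."""
    return ((x - DELTA) % P, y % P)

def sqrt_mod_p(n):
    """Square root in GF(p) for p = 5 (mod 8); None if n is a non-residue."""
    n %= P
    cand = pow(n, (P + 3) // 8, P)
    if cand * cand % P != n:
        cand = cand * pow(2, (P - 1) // 4, P) % P   # multiply by sqrt(-1)
    return cand if cand * cand % P == n else None

def wei_add(p1, p2):
    """Affine short-Weierstrass addition (Appendix C.1 formulas); None is the
    point at infinity.  The double-and-add below is NOT constant-time: it
    illustrates the representation switch, not a hardened ladder."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # P + (-P) = O
        lam = (3 * x1 * x1 + WEI_A) * pow(2 * y1, P - 2, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P           # addition
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def wei_mul(k, pt):
    acc = None
    for bit in bin(k)[2:]:
        acc = wei_add(acc, acc)
        if bit == "1":
            acc = wei_add(acc, pt)
    return acc

def clamp(scalar_bytes):
    """RFC 7748 scalar decoding.  Clearing the low 3 bits makes k a multiple
    of the co-factor 8, so the SP 800-56A co-factor step is implicit."""
    k = bytearray(scalar_bytes)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def x25519_via_wei25519(scalar_bytes, u_bytes):
    """Steps (1)-(3) of Section 4.1: lift the u-only input to a Wei25519
    point, multiply there, map the result back to a Curve25519 u-coordinate.
    The lift needs a decompression (the Section 5.1 caveat); inputs not on
    Curve25519 (e.g. on its quadratic twist) are rejected here, as NIST-style
    public-key validation would do, whereas the RFC 7748 ladder accepts them."""
    k = clamp(scalar_bytes)
    u = (int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)) % P
    v = sqrt_mod_p((u**3 + A * u * u + u) % P)   # either root gives the same u out
    if v is None:
        raise ValueError("u-coordinate is not on Curve25519")
    result = wei_mul(k, mont_to_wei(u, v))
    if result is None:
        raise ValueError("result is the point at infinity")
    return wei_to_mont(*result)[0].to_bytes(32, "little")

def base_point_maps_onto_wei25519():
    """The Curve25519 base point (u = 9) must satisfy the Wei25519 equation."""
    x, y = mont_to_wei(9, sqrt_mod_p((9**3 + A * 81 + 9) % P))
    return (y * y - (x**3 + WEI_A * x + WEI_B)) % P == 0

# Check values: the public RFC 7748 Section 6.1 test vectors (not draft values).
BASE_U = (9).to_bytes(32, "little")
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")

if __name__ == "__main__":
    print(base_point_maps_onto_wei25519())
    print(x25519_via_wei25519(ALICE_PRIV, BASE_U) == ALICE_PUB)
    print(x25519_via_wei25519(ALICE_PRIV, BOB_PUB) == SHARED)
```

Keeping the output in Wei25519 form instead of mapping it back (skipping step (3)) gives the ECDH25519 variant of Section 4.1.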
For some examples of curve computations on each of the curves specified in Appendix E.3 and Appendix G.3, see Appendix J.

4. Examples

4.1. Implementation of X25519

RFC 7748 [RFC7748] specifies the use of X25519, a co-factor Diffie-Hellman key agreement scheme, with instantiation by the Montgomery curve Curve25519. This key agreement scheme was already specified in Section 6.1.2.2 of NIST SP 800-56a [SP-800-56a] for elliptic curves in short Weierstrass form. Hence, one can implement X25519 using existing NIST routines by (1) representing a point of the Montgomery curve Curve25519 as a point of the Weierstrass curve Wei25519; (2) instantiating the co-factor Diffie-Hellman key agreement scheme of the NIST specification with the resulting point and Wei25519 domain parameters; (3) representing the key resulting from this scheme (which is a point of the curve Wei25519 in Weierstrass form) as a point of the Montgomery curve Curve25519. The representation change can be implemented via a simple wrapper and involves a single modular addition (see Appendix E.2). Using this method has the additional advantage that one can reuse the public-private key pair routines, domain parameter validation, and other checks that are already part of the NIST specifications.

A NIST-compliant version of co-factor Diffie-Hellman key agreement (denoted by ECDH25519) results if one keeps inputs (key contributions) and outputs (shared key) in the short-Weierstrass format (and, hence, does not perform Step (3) above).

NOTE: At this point, it is unclear whether this implies that a FIPS-accredited module implementing co-factor Diffie-Hellman for, e.g., P-256 would also extend this accreditation to X25519.

4.2. Implementation of Ed25519

RFC 8032 [RFC8032] specifies Ed25519, a "full" Schnorr signature scheme, with instantiation by the twisted Edwards curve Edwards25519.
One can implement the computation of the ephemeral key pair for Ed25519 using an existing Montgomery curve implementation by (1) generating a public-private key pair (k, R':=k*G') for Curve25519; (2) representing this public-private key as the pair (k, R:=k*G) for Ed25519. As before, the representation change can be implemented via a simple wrapper. Note that the Montgomery ladder specified in Section 5 of RFC 7748 [RFC7748] does not provide sufficient information to reconstruct R':=(u, v) (since it does not compute the v-coordinate of R'). However, this deficiency can be remedied by using a slightly modified version of the Montgomery ladder that includes reconstruction of the v-coordinate of R':=k*G' at the end of the Montgomery ladder (which uses the v-coordinate of the base point of Curve25519 as well). For details, see Appendix C.1.

4.3. Specification of ECDSA25519

FIPS Pub 186-4 [FIPS-186-4] specifies the signature scheme ECDSA and can be instantiated not just with the NIST prime curves, but also with other Weierstrass curves (that satisfy additional cryptographic criteria). In particular, one can instantiate this scheme with the Weierstrass curve Wei25519 and the hash function SHA-256 [FIPS-180-4], where an implementation may generate an ephemeral public-private key pair for Wei25519 by (1) internally carrying out these computations on the Montgomery curve Curve25519, the twisted Edwards curve Edwards25519, or even the Weierstrass curve Wei25519.-3 (with hardcoded a=-3 domain parameter); (2) representing the result as a key pair for the curve Wei25519. Note that, in either case, one can implement these schemes with the same representation conventions as used with existing NIST specifications, including bit/byte-ordering, compression functions, and the like.
This allows generic implementations of ECDSA with the hash function SHA-256 and with the NIST curve P-256 or with the curve Wei25519 specified in this specification to reuse the same implementation (instantiated with, respectively, the NIST P-256 elliptic curve domain parameters or with the domain parameters of curve Wei25519 specified in Appendix E). We denote by ECDSA25519 the instantiation of ECDSA with SHA-256 and with curve Wei25519, where the signature (r,s) is represented as the right-concatenation of the integers r and s, each represented as fixed-size strings with tight MSB/msb ordering (see Appendix I).

4.4. Other Uses (Wei448, ECDH448, ECDSA448, and Others)

Any existing specification of cryptographic schemes using elliptic curves in Weierstrass form and that allows introduction of a new elliptic curve (here: Wei25519) is amenable to similar constructs, thus spawning "offspring" protocols, simply by instantiating these using the new curve in "short" Weierstrass form, thereby allowing code and/or specifications reuse and, for implementations that so desire, carrying out curve computations "under the hood" on Montgomery curve and twisted Edwards curve cousins hereof (where these exist). This would simply require definition of a new object identifier for any such envisioned "offspring" protocol. This could significantly simplify standardization of schemes and help keep the resource and maintenance cost of implementations supporting algorithm agility [RFC7696] at bay.

We illustrate the construction of such offspring protocols for Curve448, another Montgomery curve recently standardized by IETF (see [RFC7748]). Similar to the case with Curve25519, one can represent points of this curve via different curve models, viz. as points of an Edwards curve (Ed448) or as points of a short-Weierstrass curve (Wei448). For the specification of Wei448 and its relationship to Curve448 and Ed448, see Appendix M.
As with ECDH25519, one can now easily define a NIST-compliant version of co-factor Diffie-Hellman key agreement (denoted by ECDH448), by simply reusing the example of Section 4.1, but now using the short-Weierstrass curve Wei448, rather than Wei25519. Similarly, one can easily specify ECDSA with Wei448 and a suitable hash function, by simply reusing the example of Section 4.3, but now using the short-Weierstrass curve Wei448, rather than Wei25519, and picking as hash function SHAKE256 [FIPS-202] with output size of d=446 bits. We denote by ECDSA448 the resulting signature scheme (with the same bit/byte-ordering conventions).

5. Caveats

The examples above illustrate how specifying the Weierstrass curve Wei25519 (or any curve in short-Weierstrass format, for that matter) may facilitate reuse of existing code and may simplify standards development. However, the following caveats apply:

5.1. Wire Format

The transformations between alternative curve representations can be implemented at negligible relative incremental cost if the curve points are represented as affine points. If a point is represented in compressed format, conversion usually requires a costly point decompression step. This is the case in [RFC7748], where the inputs to the co-factor Diffie-Hellman scheme X25519, as well as its output, are represented in u-coordinate-only format. This is also the case in [RFC8032], where the EdDSA signature includes the ephemeral signing key represented in compressed format (see Appendix H for details). Note that in the latter case compression is lossless, whereas it is lossy in the former case;

5.2. Representation Conventions

While elliptic curve computations are carried out in a field GF(q) and, thereby, involve large integer arithmetic, these integers are represented as bit- and byte-strings.
Here, [RFC8032] uses least-significant-byte (LSB)/least-significant-bit (lsb) conventions, whereas [RFC7748] uses LSB/most-significant-bit (msb) conventions, and where most other cryptographic specifications, including NIST SP 800-56a [SP-800-56a], FIPS Pub 186-4 [FIPS-186-4], and ANSI X9.62-2005 [ANSI-X9.62] use MSB/msb conventions. Since each pair of conventions is different (see Appendix I for details and Appendix J for examples), this does necessitate bit/byte representation conversions;

5.3. Domain Parameters

All traditional NIST curves are Weierstrass curves with domain parameter a=-3, while all Brainpool curves [RFC5639] are isomorphic to a Weierstrass curve of this form. Thus, one can expect there to be existing Weierstrass implementations with a hardcoded a=-3 domain parameter ("Jacobian-friendly"). For those implementations, including the curve Wei25519 as a potential vehicle for offering support for the CFRG curves Curve25519 and Edwards25519 is not possible, since that curve is not of the required form. Instead, one has to implement Wei25519.-3 and include code that implements the isogeny and dual isogeny from and to Wei25519. The lowest odd-degree isogeny has degree l=47 and requires roughly 9kB of storage for isogeny and dual-isogeny computations (see the tables in Appendix G.4). Note that storage would have been reduced to a single 64-byte table if the curve had been generated so as to be isomorphic to a Weierstrass curve with hardcoded a=-3 parameter (this corresponds to l=1).

NOTE 1: An example of a Montgomery curve defined over the same field as Curve25519 that is isomorphic to a Weierstrass curve with hardcoded a=-3 parameter is the Montgomery curve M_{A,B} with B=1 and A=-1410290 (or, if one wants the base point to still have u-coordinate u=9, with B=1 and A=-3960846).
In either case, the resulting curve has the same cryptographic properties as Curve25519 and the same performance (which relies on A being a 3-byte integer, as is the case with the domain parameter A=486662 of Curve25519, and using the same special prime p=2^255-19), while at the same time being "Jacobian-friendly" by design.

NOTE 2: While an implementation of Curve25519 via an isogenous Weierstrass curve with domain parameter a=-3 requires a relatively large table (of size roughly 9kB), for the quadratic twist of Curve25519 (i.e., the Montgomery curve M_{A,B'} with A=486662 and B'=2) this implementation approach only requires a table of size less than 0.5kB (over 20x smaller), solely due to the fact that it is l-isogenous to a Weierstrass curve with a=-3 parameter with relatively small parameter l=2 (compared to l=47, as is the case with Curve25519 itself).

6. Implementation Considerations

The efficiency of elliptic curve arithmetic is primarily determined by the efficiency of its group operations (see Appendix C). Numerous optimized formulae exist, such as the use of so-called Montgomery ladders with Montgomery curves [Mont-Ladder] or with Weierstrass curves [Wei-Ladder], the use of hardcoded a=-3 domain parameter for Weierstrass curves [ECC-Isogeny], and the use of hardcoded a=-1 domain parameters for twisted Edwards curves [tEd-Formulas]. These all target reduction of the number of finite field operations (primarily, finite field multiplications and squarings). Other optimizations target more efficient modular reductions underlying these finite field operations, by specifying curves defined over a field GF(q), where the field size q has a special form or a specific bit-size (typically, close to a multiple of a machine word). Depending on the implementation strategy, the bit-size of q may also facilitate reduced so-called "carry-effects" of integer arithmetic. Most curves use a combination of these design philosophies.
All NIST curves [FIPS-186-4] and Brainpool curves [RFC5639] are Weierstrass curves with a=-3 domain parameter, thus facilitating more efficient elliptic curve group operations (via so-called Jacobian coordinates). The NIST curves and the Montgomery curve Curve25519 are defined over prime fields, where the prime number has a special form, whereas the Brainpool curves - by design - use a generic prime number. None of the NIST prime curves, nor the Brainpool curves, can be expressed as Montgomery or twisted Edwards curves, whereas - conversely - Montgomery curves and twisted Edwards curves can be expressed as Weierstrass curves.

While use of Wei25519 allows reuse of existing generic code that implements short Weierstrass curves, such as the NIST curve P-256, to also implement the CFRG curves Curve25519 or Edwards25519, this obviously does not result in an implementation of these CFRG curves that exploits the specific structure of the underlying field or other specific domain parameters (since generic). Reuse of generic code, therefore, may result in a less computationally efficient curve implementation than would have been possible if the implementation had specifically targeted Curve25519 or Edwards25519 alone (with the overall cost differential estimated to be somewhere in the interval [1.00-1.25]). If existing generic code offers hardware support, however, the overall speed may still be larger, since less efficient formulae for curve arithmetic using Wei25519 curves compared to a direct implementation of Curve25519 or Edwards25519 arithmetic may be more than compensated for by faster implementations of the finite field arithmetic itself.

Overall, one should consider not just code reuse and computational efficiency, but also development and maintenance cost, and, e.g., the cost of providing effective implementation attack countermeasures (see also Section 8).

7. Implementation Status

[Note to the RFC Editor] Please remove this entire section before publication, as well as the reference to [RFC7942].

This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC7942]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.

According to [RFC7942], "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit."

Nikolas Rosener evaluated the performance of switching between different curve models in his Master's thesis [Rosener]. For an implementation of Wei25519, see <https://github.com/ncme/c25519>. For support of this curve in tinydtls, see <https://github.com/ncme/tinydtls>.

According to <https://community.nxp.com/docs/DOC-330199>, an implementation of Wei25519 on the Kinetis LTC ECC HW platform improves the performance by over a factor ten compared to a stand-alone implementation of Curve25519 without hardware support.

The signature scheme ECDSA25519 (see Section 4.3) is supported in <https://datatracker.ietf.org/doc/draft-ietf-6lo-ap-nd/>.

8. Security Considerations

The different representations of elliptic curve points discussed in this document are all obtained using a publicly known transformation, which is either an isomorphism or a low-degree isogeny. It is well-known that an isomorphism maps elliptic curve points to equivalent mathematical objects and that the complexity of cryptographic problems (such as the discrete logarithm problem) of curves related via a low-degree isogeny are tightly related. Thus, the use of these techniques does not negatively impact cryptographic security of elliptic curve operations.

As to implementation security, reusing existing high-quality code or generic implementations that have been carefully designed to withstand implementation attacks for one curve model may allow a more economical way of development and maintenance than providing this same functionality for each curve model separately (if multiple curve models need to be supported) and, otherwise, may allow a more gradual migration path, where one may initially use existing and accredited chipsets that cater to the pre-dominant curve model used in practice for over 15 years.

Elliptic curves are generally used as objects in a broader cryptographic scheme that may include processing steps that depend on the representation conventions used (such as with, e.g., key derivation following key establishment). These schemes should (obviously) unambiguously specify fixed representations of each input and output (e.g., representing each elliptic curve point always in short-Weierstrass form and in uncompressed tight MSB/msb format).

To prevent cross-protocol attacks, private keys SHOULD only be used with one cryptographic scheme. Private keys MUST NOT be reused between Ed25519 (as specified in [RFC8032]) and ECDSA25519 (as specified in Section 4.3).

To prevent intra-protocol cross-instantiation attacks, ephemeral private keys MUST NOT be reused between instantiations of ECDSA25519.

9. Privacy Considerations

The transformations between different curve models described in this document are publicly known and, therefore, do not affect privacy provisions.

Use of a public key in any protocol for which successful execution evidences knowledge of the corresponding private key implicitly indicates the entity holding this private key. Reuse of this public key with more than one protocol or more than one protocol instantiation may, therefore, allow traceability of this entity. It may also allow correlation of meta-data communicated with this common data element (e.g., different addressing information), even if an observer cannot technically verify the binding of this meta-data.

The randomized representation described in Appendix K.5 allows random curve points to be represented as random pairs of field elements, thereby assisting in obfuscating the presence of these curve points in some applications.

10. IANA Considerations

Code points are requested for curve Wei25519 and Wei448 and its use with ECDSA and co-factor ECDH, using the representation conventions of this document.

New code points would be required in case one wishes to specify one or more other "offspring" protocols beyond those exemplified in Section 4.4. Specification hereof is, however, outside scope of the current document.

10.1. IANA Considerations for Wei25519

10.1.1. COSE Elliptic Curves Registration

This section registers the following value in the IANA "COSE Elliptic Curves" registry [IANA.COSE.Curves].

Name: Wei25519;
Value: TBD (Requested value: -1);
Key Type: EC2 or OKP (where OKP uses the squeezed MSB/msb representation of this specification);
Description: short-Weierstrass curve Wei25519;
Change Controller: IESG;
Reference: Appendix E.3 of this specification;
Recommended: Yes.

(Note that the "kty" value for Wei25519 may be "OKP" or "EC2".)

10.1.2.
COSE Algorithms Registration (1/2) This section registers the following value in the IANA "COSE Algorithms" registry [IANA.COSE.Algorithms]. Name: ECDSA25519; Value: TBD (Requested value: -1); Description: ECDSA with SHA-256 and curve Wei25519; Change Controller: IESG; Reference: Section 4.3 of this specification; Recommended: Yes. 10.1.3. COSE Algorithms Registration (2/2) This section registers the following value in the IANA "COSE Algorithms" registry [IANA.COSE.Algorithms]. Name: ECDH25519; Value: TBD (Requested value: -2); Description: NIST-compliant co-factor Diffie-Hellman w/ curve Wei25519 and key derivation function HKDF SHA256; Change Controller: IESG; Reference: Section 4.1 of this specification (for key derivation, see Section 11.1 of [RFC8152]); Recommended: Yes. 10.1.4. JOSE Elliptic Curves Registration This section registers the following value in the IANA "JSON Web Key Elliptic Curve" registry [IANA.JOSE.Curves]. Curve Name: Wei25519; Curve Description: short-Weierstrass curve Wei25519; JOSE Implementation Requirements: Optional; Change Controller: IESG; Reference: Appendix E.3 of this specification. 10.1.5. JOSE Algorithms Registration (1/2) This section registers the following value in the IANA "JSON Web Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms]. Algorithm Name: ECDSA25519; Algorithm Description: ECDSA using SHA-256 and curve Wei25519; Algorithm Usage Locations: alg; JOSE Implementation Requirements: Optional; Change Controller: IESG; Reference: Section 4.3 of this specification; Algorithm Analysis Document(s): Section 4.3 of this specification. 10.1.6. JOSE Algorithms Registration (2/2) This section registers the following value in the IANA "JSON Web Signatureand~~fostering code reuse on platforms~~Encryption Algorithms" registry [IANA.JOSE.Algorithms]. 
Algorithm Name: ECDH25519; Algorithm Description: NIST-compliant co-factor Diffie-Hellman w/ curve Wei25519 and key derivation function HKDF SHA256; Algorithm Usage Locations: alg; JOSE Implementation Requirements: Optional; Change Controller: IESG; Reference: Section 4.1 of this specification (for key derivation, see Section 5 of [SP-800-56c]); Algorithm Analysis Document(s): Section 4.1 of this specification (for key derivation, see Section 5 of [SP-800-56c]). 10.2. IANA Considerations for Wei448 10.2.1. COSE Elliptic Curves Registration This section registers the following value in the IANA "COSE Elliptic Curves" registry [IANA.COSE.Curves]. Name: Wei448; Value: TBD (Requested value: -2); Key Type: EC2 or OKP (where OKP uses the squeezed MSB/msb representation of this specification); Description: short-Weierstrass curve Wei448; Change Controller: IESG; Reference: Appendix M.3 of this specification; Recommended: Yes. (Notethat~~already implement some~~The "kty" value for Wei448 may be "OKP" or "EC2".) 10.2.2. COSE Algorithms Registration (1/2) This section registers the following value in the IANA "COSE Algorithms" registry [IANA.COSE.Algorithms]. Name: ECDSA448; Value: TBD (Requested value: -21); Description: ECDSA with SHAKE256 and curve Wei448; Change Controller: IESG; Reference: Section 4.4 of this specification; Recommended: Yes. 10.2.3. COSE Algorithms Registration (2/2) This section registers the following value in the IANA "COSE Algorithms" registry [IANA.COSE.Algorithms]. Name: ECDH448; Value: TBD (Requested value: -22); Description: NIST-compliant co-factor Diffie-Hellman w/ curve Wei25519 and key derivation function HKDF SHA512; Change Controller: IESG; Reference: Section 4.4of~~these schemes using elliptic curve arithmetic for curves~~this specification (for key derivation, see Section 11.1 of [RFC8152]); Recommended: Yes. 10.2.4. 
JOSE Elliptic Curves Registration This section registers the following valuein~~"short" Weierstrass form (see~~the IANA "JSON Web Key Elliptic Curve" registry [IANA.JOSE.Curves]. Curve Name: Wei448; Curve Description: short-Weierstrass curve Wei448; JOSE Implementation Requirements: Optional; Change Controller: IESG; Reference:Appendix~~C.1). 2. Specification~~M.3of~~Wei25519 For~~this specification. 10.2.5. JOSE Algorithms Registration (1/2) This section registersthe~~specification of Wei25519 and its relationship to Curve25519~~following value in the IANA "JSON Web Signatureand~~Edwards25519, see Appendix E. For further details~~Encryption Algorithms" registry [IANA.JOSE.Algorithms]. Algorithm Name: ECDSA448; Algorithm Description: ECDSA using SHAKE256and~~background information on elliptic curves, we refer to the other appendices. The use~~curve Wei448; Algorithm Usage Locations: alg; JOSE Implementation Requirements: Optional; Change Controller: IESG; Reference: Section 4.4of~~Wei25519 allows reuse~~this specification; Algorithm Analysis Document(s): Section 4.4of~~existing generic code that implements short-Weierstrass curves, such as~~this specification. 10.2.6. JOSE Algorithms Registration (2/2) This section registersthe~~NIST curve P-256, to also implement~~following value inthe~~CFRG curves Curve25519~~IANA "JSON Web Signatureand~~Edwards25519. We also cater to reusing~~Encryption Algorithms" registry [IANA.JOSE.Algorithms]. 
Algorithm Name: ECDH448; Algorithm Description: NIST-compliant co-factor Diffie-Hellman w/ curve Wei25519 and key derivation function HKDF SHA512; Algorithm Usage Locations: alg; JOSE Implementation Requirements: Optional; Change Controller: IESG; Reference: Section 4.4of~~existing code where some domain parameters may have been hardcoded, thereby widening the scope~~this specification (for key derivation, see Section 5 of [SP-800-56c]); Algorithm Analysis Document(s): Section 4.4 of this specification (for key derivation, see Section 5 of [SP-800-56c]). 11. Acknowledgements Thanks to Nikolas Rosener for discussions surrounding implementation detailsof~~applicability. To this end, we specify~~the~~short-Weierstrass curves Wei25519.2 and Wei25519.-3, with hardcoded domain parameter a=2~~techniques described in this documentand~~a=-3 (mod p), respectively; see Appendix G. (Here, p is the characteristic~~to Phillip Hallam-Baker for triggering inclusionofverbiage onthe~~field over which these curves are defined.) 3. Use~~useof~~Representation Switches The curves Curve25519, Edwards25519, and Wei25519, as specified in Appendix E.3, are all isomorphic,~~Montgomery ladderswith~~the transformations~~recoveryof~~Appendix E.2. These transformations map~~the~~specified base point of each of these curves~~y-coordinate. Thanksto~~the specified base point of each of the other curves. Consequently, a public-private key pair (k,R:=k*G)~~Stanislav Smyshlyaev and Vasily Nikolaev for their careful reviews. 12. References 12.1. Normative References [ANSI-X9.62] ANSI X9.62-2005, "Public Key Cryptographyfor~~any one of these curves corresponds, via these isomorphic mappings, to~~the~~public-private key pair (k, R':=k*G')~~Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", American National Standardfor~~each~~Financial Services, Accredited Standards Committee X9, Inc, Anapolis, MD, 2005. 
[FIPS-180-4] FIPS 180-4, "Secure Hash Standard (SHS), Federal Information Processing Standards Publication 180-4", US Department of Commerce/National Institute of Standards and Technology, Gaithersburg, MD, August 2015.

[FIPS-186-4] FIPS 186-4, "Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4", US Department of Commerce/National Institute of Standards and Technology, Gaithersburg, MD, July 2013.

[FIPS-202] FIPS 202, "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, Federal Information Processing Standards Publication 202", US Department of Commerce/National Institute of Standards and Technology, Gaithersburg, MD, August 2015.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.

[RFC5639] Lochter, M. and J. Merkle, "Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation", RFC 5639, DOI 10.17487/RFC5639, March 2010, <https://www.rfc-editor.org/info/rfc5639>.

[RFC7696] Housley, R., "Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms", BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015, <https://www.rfc-editor.org/info/rfc7696>.

[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016, <https://www.rfc-editor.org/info/rfc7748>.

[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running Code: The Implementation Status Section", BCP 205, RFC 7942, DOI 10.17487/RFC7942, July 2016, <https://www.rfc-editor.org/info/rfc7942>.

[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017, <https://www.rfc-editor.org/info/rfc8032>.

[RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", RFC 8152, DOI 10.17487/RFC8152, July 2017, <https://www.rfc-editor.org/info/rfc8152>.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.

[SEC1] SEC1, "SEC 1: Elliptic Curve Cryptography, Version 2.0", Standards for Efficient Cryptography, June 2009.

[SEC2] SEC2, "SEC 2: Elliptic Curve Cryptography, Version 2.0", Standards for Efficient Cryptography, January 2010.

[SP-800-56a] NIST SP 800-56a, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Log Cryptography, Revision 3", US Department of Commerce/National Institute of Standards and Technology, Gaithersburg, MD, April 2018.

[SP-800-56c] NIST SP 800-56c, "Recommendation for Key-Derivation Methods in Key-Establishment Schemes, Revision 1", US Department of Commerce/National Institute of Standards and Technology, Gaithersburg, MD, April 2018.

12.2. Informative References

[ECC] I.F. Blake, G. Seroussi, N.P. Smart, "Elliptic Curves in Cryptography", Cambridge University Press, Lecture Notes Series 265, July 1999.

[ECC-Isogeny] E. Brier, M. Joye, "Fast Point Multiplication on Elliptic Curves through Isogenies", AAECC, Lecture Notes in Computer Science, Vol. 2643, New York: Springer-Verlag, 2003.

[GECC] D. Hankerson, A.J. Menezes, S.A. Vanstone, "Guide to Elliptic Curve Cryptography", New York: Springer-Verlag, 2004.

[IANA.COSE.Algorithms] IANA, "COSE Algorithms", IANA, https://www.iana.org/assignments/cose/cose.xhtml#algorithms.

[IANA.COSE.Curves] IANA, "COSE Elliptic Curves", IANA, https://www.iana.org/assignments/cose/cose.xhtml#elliptic-curves.

[IANA.JOSE.Algorithms] IANA, "JSON Web Signature and Encryption Algorithms", IANA, https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms.

[IANA.JOSE.Curves] IANA, "JSON Web Key Elliptic Curve", IANA, https://www.iana.org/assignments/jose/jose.xhtml#web-key-elliptic-curve.

[Mont-Ladder] P.L. Montgomery, "Speeding the Pollard and Elliptic Curve Methods of Factorization", Mathematics of Computation, Vol. 48, 1987.

[Rosener] N. Rosener, "Evaluating the Performance of Transformations Between Curve Representations in Elliptic Curve Cryptography for Constrained Device Security", M.Sc. Universitat Bremen, August 2018.

[SWUmap] E. Brier, J-S. Coron, Th. Icart, D. Madore, H. Randriam, M. Tibouchi, "Efficient Indifferentiable Hashing into Ordinary Elliptic Curves", CRYPTO 2010, Lecture Notes in Computer Science, Vol. 6223, New York: Springer-Verlag, 2010.

[tEd] D.J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters, "Twisted Edwards Curves", Africacrypt 2008, Lecture Notes in Computer Science, Vol. 5023, New York: Springer-Verlag, 2008.

[tEd-Formulas] H. Hisil, K.K.H. Wong, G. Carter, E. Dawson, "Twisted Edwards Curves Revisited", ASIACRYPT 2008, Lecture Notes in Computer Science, Vol. 5350, New York: Springer-Verlag, 2008.

[Tibouchi] M. Tibouchi, "Elligator Squared -- Uniform Points on Elliptic Curves of Prime Order as Uniform Random Strings", Financial Cryptography 2014, Lecture Notes in Computer Science, Vol. 8437, New York: Springer-Verlag, 2014.

[Wei-Ladder] T. Izu, Ts. Takagi, "A Fast Parallel Elliptic Curve Multiplication Resistant Against Side Channel Attacks", Centre for Applied Cryptographic Research, Corr 2002-03, 2002.

Appendix A. Some (Non-Binary) Elliptic Curves

This section defines the three different curve models we consider, viz. short-Weierstrass curves, Montgomery curves, and twisted Edwards curves.

A.1. Curves in Short-Weierstrass Form

Let GF(q) denote the finite field with q elements, where q is an odd prime power and where q is not divisible by three. Let W_{a,b} be the Weierstrass curve with defining equation Y^2 = X^3 + a*X + b, where a and b are elements of GF(q) and where 4*a^3 + 27*b^2 is nonzero.
The points of W_{a,b} are the ordered pairs (X, Y) whose coordinates are elements of GF(q) and that satisfy the defining equation (the so-called affine points), together with the special point O (the so-called "point at infinity"). This set forms a group under addition, via the so-called "chord-and-tangent" rule, where the point at infinity serves as the identity element. See Appendix C.1 for details of the group operation.

A.2. Montgomery Curves

Let GF(q) denote the finite field with q elements, where q is an odd prime power. Let M_{A,B} be the Montgomery curve with defining equation B*v^2 = u^3 + A*u^2 + u, where A and B are elements of GF(q) and where A is unequal to (+/-)2 and where B is nonzero. The points of M_{A,B} are the ordered pairs (u, v) whose coordinates are elements of GF(q) and that satisfy the defining equation (the so-called affine points), together with the special point O (the so-called "point at infinity"). This set forms a group under addition, via the so-called "chord-and-tangent" rule, where the point at infinity serves as the identity element. See Appendix C.2 for details of the group operation.

A.3. Twisted Edwards Curves

Let GF(q) denote the finite field with q elements, where q is an odd prime power. Let E_{a,d} be the twisted Edwards curve with defining equation a*x^2 + y^2 = 1 + d*x^2*y^2, where a and d are distinct nonzero elements of GF(q). The points of E_{a,d} are the ordered pairs (x, y) whose coordinates are elements of GF(q) and that satisfy the defining equation (the so-called affine points). It can be shown that this set forms a group under addition if a is a square in GF(q), whereas d is not, where the point O:=(0, 1) serves as the identity element. (Note that the identity element satisfies the defining equation.) See Appendix C.3 for details of the group operation. An Edwards curve is a twisted Edwards curve with a=1.

Appendix B. Elliptic Curve Nomenclature and Finite Fields

This section provides brief background information on elliptic curves and finite fields that should be sufficient to understand constructions and examples in this document.

B.1. Elliptic Curve Nomenclature

Each curve defined in Appendix A forms a commutative group under addition (denoted by '+').
In Appendix C we specify the group laws, which depend on the curve model in question. For completeness, we here include some common elliptic curve nomenclature and basic properties (primarily so as to keep this document self-contained). These notions are mainly used in Appendix E and Appendix G and not essential for our exposition. This section can be skipped at first reading.

Any point P of a curve E is a generator of the cyclic subgroup (P):={k*P | k = 0, 1, 2,...} of the curve. (Here, k*P denotes the sum of k copies of P, where 0*P is the identity element O of the curve; k*P is commonly referred to as scalar multiplication of P by k.) If (P) has cardinality l, then l is called the order of P. The order of curve E is the cardinality of the set of its points, commonly denoted by |E|. A curve is cyclic if it is generated by some point of this curve. All curves of prime order are cyclic, while all curves of order h*n, where n is a large prime number and where h is a small number (the so-called co-factor), have a large cyclic subgroup of prime order n. In this case, a generator of order n is called a base point, commonly denoted by G. A point of order dividing h is said to be in the small subgroup. For curves of prime order, this small subgroup is the singleton set, consisting of only the identity element O. A point that is not in the small subgroup is said to be a high-order point (since it has order at least n).
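The curve models of Appendix A and the base point, order and co-factor notions above, exercised on Curve25519 and its short-Weierstrass form Wei25519 as an added example (not code from the draft or from any implementation it lists): the Curve25519 base point is mapped to Wei25519, the chord-and-tangent group law is run there, n*G = O is checked, and k*G is mapped back and compared with the u-coordinate-only ladder of RFC 7748. The Montgomery-to-Weierstrass map (u, v) -> (u/B + A/(3B), v/B), and hence the derived Wei25519 parameters, are assumed from the draft's Appendix D, which is not on this page; sqrt_p, wei_add, wei_mul, x25519_ladder and switch_and_multiply are names chosen here.

```python
# Added example, not part of the draft: switch Curve25519 points to the short-Weierstrass
# curve Wei25519, run the group law there, and switch back. Curve25519 parameters are the
# RFC 7748 ones; the Montgomery-to-Weierstrass map is the isomorphism the draft gives in
# Appendix D (not on this page), so the derived WA, WB below are an assumption here.
P = 2**255 - 19                                   # field size of GF(p)
A, B = 486662, 1                                  # Curve25519: B*v^2 = u^3 + A*u^2 + u
GU = 9                                            # u-coordinate of the base point G
N = 2**252 + 27742317777372353535851937790883648493   # prime order n of G
H = 8                                             # co-factor h, so |E| = h*n

def inv(x):
    """Inverse in GF(p), p prime (Fermat); returns 0 for x = 0."""
    return pow(x % P, P - 2, P)

def sqrt_p(y):
    """A square root of y in GF(p) for p = 5 (mod 8), or None if y is a non-square."""
    x = pow(y, (P + 3) // 8, P)
    if (x * x - y) % P != 0:
        x = x * pow(2, (P - 1) // 4, P) % P        # multiply by a square root of -1
    return x if (x * x - y) % P == 0 else None

# Wei25519 parameters from (A, B): (u, v) -> (X, Y) = (u/B + A/(3B), v/B) turns the
# Montgomery equation into Y^2 = X^3 + WA*X + WB (assumed map, see lead-in).
WA = (3 - A * A) * inv(3 * B * B) % P
WB = (2 * A**3 - 9 * A) * inv(27 * B**3) % P

def on_montgomery(pt):
    """Appendix A.2 defining equation for an affine point (u, v)."""
    u, v = pt
    return (B * v * v - (u**3 + A * u * u + u)) % P == 0

def on_weierstrass(pt):
    """Appendix A.1 defining equation; None stands for the point at infinity O."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x**3 + WA * x + WB)) % P == 0

def mont_to_wei(pt):
    u, v = pt
    return ((u + A * inv(3)) * inv(B) % P, v * inv(B) % P)

def wei_to_mont(pt):
    x, y = pt
    return ((B * x - A * inv(3)) % P, B * y % P)

def wei_add(p1, p2):
    """Affine chord-and-tangent rule on W_{a,b} (Appendix A.1), O represented as None."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                            # P + (-P) = O
        lam = (3 * x1 * x1 + WA) * inv(2 * y1) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def wei_mul(k, pt):
    """Scalar multiplication k*P by double-and-add (illustration; not side-channel safe)."""
    acc = None
    for bit in bin(k)[2:]:
        acc = wei_add(acc, acc)
        if bit == "1":
            acc = wei_add(acc, pt)
    return acc

def x25519_ladder(k, u):
    """u-coordinate-only Montgomery ladder of RFC 7748 section 5 (0 < k < 2^255)."""
    a24 = (A - 2) // 4
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        sa, sb = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = sa * sa % P, sb * sb % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * sa % P, (x3 + z3) * sb % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + a24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * inv(z2) % P

def base_point():
    """Affine base point of Curve25519: u = 9, v recovered with sqrt() as in Appendix B.2."""
    return (GU, sqrt_p((GU**3 + A * GU * GU + GU) * inv(B) % P))

def switch_and_multiply(k):
    """k*G computed on Wei25519 and mapped back: the u-coordinate of k*G on Curve25519."""
    return wei_to_mont(wei_mul(k, mont_to_wei(base_point())))[0]
```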
If R is a point of the curve that is also contained in (P), there is a unique integer k in the interval [0, l-1] so that R=k*P, where l is the order of P. This number is called the discrete logarithm of R to the base P. The discrete logarithm problem is the problem of finding the discrete logarithm of R to the base P for any two points P and R of the curve, if such a number exists.

If P is a fixed base point G of the curve, the pair (k, R:=k*G) is commonly called a public-private key pair, the integer k the private key, and the point R the corresponding public key. The private key k can be represented as an integer in the interval [0,n-1], where G has order n. If this representation is nonzero, R has order n; otherwise, it has order one and is the identity element O of the curve.

In this document, a quadratic twist of a curve E defined over a field GF(q) is a curve E' related to E, with cardinality |E'|, where |E|+|E'|=2*(q+1). If E is a curve in one of the curve models specified in this document, a quadratic twist of this curve can be expressed using the same curve model, although (naturally) with its own curve parameters. Two curves E and E' defined over a field GF(q) are said to be isogenous if these have the same order and are said to be isomorphic if these have the same group structure. Note that isomorphic curves have necessarily the same order and are, thus, a special type of isogenous curves.
Further details are out of scope.

Weierstrass curves can have prime order, whereas Montgomery curves and twisted Edwards curves always have an order that is a multiple of four (and, thereby, a small subgroup of cardinality four).

An ordered pair (x, y) whose coordinates are elements of GF(q) can be associated with any ordered triple of the form [x*z: y*z: z], where z is a nonzero element of GF(q), and can be uniquely recovered from such a representation. The latter representation is commonly called a representation in projective coordinates. Sometimes, yet other representations are useful (e.g., representation in Jacobian coordinates). Further details are out of scope.

The group laws in Appendix C are mostly expressed in terms of affine points, but can also be expressed in terms of the representation of these points in projective coordinates, thereby allowing clearing of denominators. The group laws may also involve non-affine points (such as the point at infinity O of a Weierstrass curve or of a Montgomery curve). Those can also be represented in projective coordinates. Further details are out of scope.

B.2. Finite Fields

The field GF(q), where q is a prime power, is defined as follows. If q:=p is a prime number, the field GF(p) consists of the integers in the interval [0,p-1] and two binary operations on this set: addition and multiplication modulo p. This field is commonly called a prime field. If q:=p^m, where p is a prime number and where m>0, the field GF(q) is defined in terms of an irreducible polynomial f(z) in z of degree m with coefficients in GF(p) (i.e., f(z) cannot be written as the product of two polynomials in z of lower degree with coefficients in GF(p)): in this case, GF(q) consists of the polynomials in z of degree smaller than m with coefficients in GF(p) and two binary operations on this set: polynomial addition and polynomial multiplication modulo the irreducible polynomial f(z). By definition, each element x of GF(q) is a polynomial in z of degree smaller than m and can, therefore, be uniquely represented as a vector (x_{m-1}, x_{m-2}, ..., x_1, x_0) of length m with coefficients in GF(p), where x_i is the coefficient of z^i of polynomial x.
Note that this representation depends onthe~~use~~irreducible polynomial f(z)of~~so-called Montgomery ladders with Montgomery curves [Mont-Ladder] or with Weierstrass curves [Wei-Ladder],~~the~~use~~field GF(p^m) in question (which is often fixed in practice). Note that GF(q) contains the prime field GF(p) as a subset. If m=1, the definitionsof~~hardcoded a=-3 domain parameter for Weierstrass curves [ECC-Isogeny],~~GF(p)and~~the use~~GF(p^1) above coincide, since each nonzero elementof~~hardcoded a=-1 domain parameters for twisted Edwards curves [tEd-Formulas]. These all target reduction~~GF(p) can be viewed as a polynomial in zof~~the~~degree zero. If m>1, then GF(q) is called a (nontrivial) extension field of GF(p). Thenumberp is called the characteristicof~~finite field operations (primarily, finite~~GF(q). Afield~~multiplications~~element y is called a square in GF(q) if it can be expressed as y:=x^2 for some x in GF(q); it is called a non-square in GF(q) otherwise. If y is a square in GF(q), we denote by sqrt(y) one of its square roots (the other one being -sqrt(y)). For methods for computing square rootsand~~squarings). Other optimizations target more efficient modular reductions underlying~~inverses in GF(q) - ifthese~~finite field operations, by specifying curves defined over~~exist - see Appendix K.1 and Appendix K.2, respectively. For methods for mappinganonzerofield~~GF(q), where the field size q has a special form or~~element that is nota~~specific bit-size (typically, close~~square in GF(q)to a~~multiple of a machine word). Depending on the implementation strategy, the bit-size of q may also facilitate reduced so-called "carry-effects"~~pointof~~integer arithmetic. Most curves use~~a~~combination of these design philosophies. 
All NIST curves [FIPS-186-4] and Brainpool curves [RFC5639] are Weierstrass curves with a=-3 domain parameter, thus facilitating more efficient elliptic curve group operations (via so-called Jacobian coordinates).~~curve, see Appendix K.3. NOTE:The~~NIST~~curves~~and the Montgomery curve Curve25519~~in Appendix E and Appendix Garealldefined overaprime~~fields, where~~field GF(p), thereby reducing all operations to simple modular integer arithmetic. Strictly speaking we could, therefore, have refrained from introducing extension fields. Nevertheless, we includedthe~~prime number has~~more general exposition, so as to accommodate potential introduction of new curves that are defined overa~~special form, whereas~~(nontrivial) extension field at some point inthe~~Brainpool~~future. This includescurves~~- by design - use~~proposed for post-quantum isogeny-based schemes, which are defined overa~~generic prime number. None of the NIST curves, nor~~quadratic extension field (i.e., where q:=p^2), and elliptic curves used with pairing-based cryptography. The exposition in either case is almostthe~~Brainpool curves, can be expressed~~same and now automatically yields, e.g., data conversion routines for any finite field object (see Appendix I). Readers not interested in this, could simply view all fieldsasprime fields. Appendix C. Elliptic Curve Group Operations This section specifies group operations for elliptic curves in short- Weierstrass form, forMontgomery~~or twisted Edwards~~curves,~~whereas - conversely - Montgomery curves~~andfortwisted~~curves can be expressed as Weierstrass~~Edwardscurves.~~While use of Wei25519 allows reuse of existing generic code that implements short~~C.1. 
Group Laws forWeierstrass~~curves, such as~~Curves For each point P ofthe~~NIST~~Weierstrasscurve~~P-256, to also implement the CFRG curves Curve25519 or Edwards25519, this obviously does not result in an implementation of these CFRG curves that exploits~~W_{a,b},the~~specific structure~~point at infinity O serves as identity element, i.e., P + O = O + P = P. For each affine point P:=(X, Y)of the~~underlying field or other specific domain parameters (since generic). Reuse of generic code, therefore, may result in a less computationally efficient~~Weierstrasscurve~~implementation than would have been possible if the implementation had specifically targeted Curve25519 or Edwards25519 alone (with~~W_{a,b},the~~overall cost differential estimated to be somewhere in~~point -P isthe~~interval [1.00-1.25]). If existing generic code offers hardware support, however,~~point (X, -Y) and one has P + (-P) = O (i.e., -P isthe~~overall speed may still be larger, since less efficient formulae for curve arithmetic using Wei25519 curves compared to a direct implementation~~inverseof~~Curve25519 or Edwards25519 arithmetic may~~P). For the point at infinity O, one has -O:=O. Let P1:=(X1, Y1) and P2:=(X2, Y2)be~~more than compensated for by faster implementations~~distinct affine pointsof the~~finite field arithmetic itself. Overall, one should consider~~Weierstrass curve W_{a,b} and let Q:=P1 + P2, where Q isnot~~just code reuse~~the identity element. Then Q:=(X, Y), where X + X1 + X2 = lambda^2and~~computational efficiency, but also development~~Y + Y1 = lambda*(X1 - X), where lambda:= (Y2 - Y1)/(X2 - X1). Let P:=(X1, Y1) be an affine point of the Weierstrass curve W_{a,b}and~~maintenance cost, and, e.g,~~let Q:=2*P, where Q is notthe~~cost of providing effective implementation attack countermeasures (see also Section 8). 7. Implementation Status [Note to~~identity element. Then Q:=(X, Y), where X + 2*X1 = lambda^2 and Y + Y1 = lambda*(X1 - X), where lambda:=(3*X1^2 + a)/(2*Y1). 
Fromthe~~RFC Editor] Please remove this entire section before publication, as well as~~group laws above it follows that if P=(X, Y), P1=(X1, Y1), and P2=(X2, Y2) are distinct affine points ofthe~~reference to [RFC7942]. This section records~~Weierstrass curve W_{a,b} with P2:=P+P1 and if Y is nonzero, thenthe~~status~~Y-coordinateof~~known implementations~~P1 can be expressed in termsof the~~protocol defined by this specification at~~X-coordinates of P, P1, and P2, andthe~~time~~Y-coordinateof~~posting~~P, since 2*Y*Y1=(X*X1+a)*(X+X1)+2*b-X2*(X-X1)^2. This property allows recoveryof~~this Internet-Draft, and is based on a proposal described in [RFC7942]. The description~~the Y-coordinateof~~implementations in this section~~a point P1=k*P thatis~~intended to assist~~computed viathe~~IETF in its decision processes in progressing drafts to RFCs. Please~~so-called Montgomery ladder, where P is an affine point with nonzero Y-coordinate (i.e., it does not have order two). For future reference,note that the~~listing of any individual implementation here does not imply endorsement by~~expression above uniquely determinesthe~~IETF. Furthermore, no effort has been spent to verify~~X-coordinate of P2 in terms ofthe~~information presented here that was supplied by IETF contributors. This is not intended as,~~X-coordinates of Pand~~must not be construed to be, a catalog~~P1 and the productof~~available implementations or~~their~~features. Readers~~Y-coordinates. Further detailsare~~advised to note that other implementations may exist. According to [RFC7942], "this will allow reviewers and working groups to assign due consideration to documents that have the benefit~~outof~~running code, which may serve~~scope. C.2. Group Laws for Montgomery Curves For each point P of the Montgomery curve M_{A,B}, the point at infinity O servesas~~evidence~~identity element, i.e., P + O = O + P = P. 
For each affine point P:=(u, v)of~~valuable experimentation and feedback that have made~~the~~implemented protocols more mature. It~~Montgomery curve M_{A,B}, the point -Pis~~up to~~the~~individual working groups to use this information as they see fit. Nikolas Rosener evaluated~~point (u, -v) and one has P + (-P) = O (i.e., -P isthe~~performance of switching between different curve models in his Master's thesis [Rosener]. For an implementation~~inverseof~~Wei25519, see <https://github.com/ncme/c25519>.~~P).For~~support~~the point at infinity O, one has -O:=O. Let P1:=(u1, v1) and P2:=(u2, v2) be distinct affine pointsof~~this~~the Montgomerycurve~~in tinydtls, see <https://github.com/ncme/ tinydtls>. According to <https://community.nxp.com/docs/DOC-330199>,~~M_{A,B} and let Q:=P1 + P2, where Q is not the identity element. Then Q:=(u, v), where u + u1 + u2 = B*lambda^2 - A and v + v1 = lambda*(u1 - u), where lambda:=(v2 - v1)/(u2 - u1). Let P:=(u1, v1) bean~~implementation~~affine pointof~~Wei25519 on~~the~~Kinets LTC ECC HW platform improves~~Montgomery curve M_{A,B} and let Q:=2*P, where Q is notthe~~performance by over a factor ten compared to a stand-alone implementation~~identity element. Then Q:=(u, v), where u + 2*u1 = B*lambda^2 - A and v + v1 = lambda*(u1 - u), where lambda:=(3*u1^2 + 2*A*u1+1)/(2*B*v1). From the group laws above it follows that if P=(u, v), P1=(u1, v1), and P2=(u2, v2) are distinct affine pointsof~~Curve25519 without hardware support. The signature scheme ECDSA25519 (see Section 4.3)~~the Montgomery curve M_{A,B} with P2:=P+P1 and if vis~~supported in <https://datatracker.ietf.org/doc/draft-ietf-6lo-ap-nd/>. 8. Security Considerations The different representations~~nonzero, then the v-coordinateof~~elliptic curve points discussed~~P1 can be expressedin~~this document are all obtained using~~terms of the u-coordinates of P, P1, and P2, and the v-coordinate of P, since 2*B*v*v1=(u*u1+1)*(u+u1+2*A)-2*A-u2*(u-u1)^2. 
This property allows recovery of the v-coordinate ofa~~publicly known transformation, which~~point P1=k*P thatis~~either an isomorphism or a low-degree isogeny. It~~computed via the so-called Montgomery ladder, where Pis~~well- known that~~an~~isomorphism maps elliptic curve points to equivalent mathematical objects and~~affine point with nonzero v-coordinate (i.e., it does not have order two). For future reference, notethat the~~complexity~~expression above uniquely determines the u-coordinate of P2 in termsof~~cryptographic problems (such as~~the~~discrete logarithm problem)~~u-coordinatesof~~curves related via a low-degree isogeny are tightly related. Thus,~~P and P1 andthe~~use~~productof~~these techniques does not negatively impact cryptographic security~~their v-coordinates. Further details are outof~~elliptic curve operations. As to implementation security, reusing existing high-quality code or generic implementations that have been carefully designed to withstand implementation attacks~~scope. C.3. Group Lawsfor~~one curve model may allow~~Twisted Edwards Curves Note: The group laws below hold for twisted Edwards curves E_{a,d} wherea~~more economical way of development and maintenance than providing~~is a square in GF(q), whereas d is not. Inthis~~same functionality~~case, the addition formulae below are definedfor each~~curve model separately (if multiple curve models need to be supported) and, otherwise, may allow a more gradual migration path, where one may initially use existing and accredited chipsets that cater~~pair of points, without exceptions. Generalizations of this group lawtoother twisted Edwards curves are out of scope. For each point P ofthe~~pre-dominant~~twisted Edwardscurve~~model used in practice for over 15 years. 
Elliptic curves are generally used as objects in a broader cryptographic scheme that may include processing steps that depend on~~E_{a,d},the~~representation conventions used (such~~point O:=(0,1) servesas~~with, e.g., key derivation following key establishment). These schemes should (obviously) unambiguously specify fixed representations of each input and output (e.g., representing~~identity element, i.e., P + O = O + P = P. Foreach~~elliptic~~point P:=(x, y) of the twisted EdwardscurveE_{a,d}, thepoint~~always in short-Weierstrass form~~-P is the point (-x, y)and~~in uncompressed tight MSB/msb format). To prevent cross-protocol attacks, private keys SHOULD only be used with~~one~~cryptographic scheme. Private keys MUST NOT~~has P + (-P) = O (i.e., -P is the inverse of P). Let P1:=(x1, y1) and P2:=(x2, y2)be~~reused between Ed25519 (as specified in [RFC8032])~~points of the twisted Edwards curve E_{a,d}and~~ECDSA25519 (as specified in Section 4.3). To prevent intra-protocol cross-instantiation attacks, ephemeral private keys MUST NOT~~let Q:=P1 + P2. Then Q:=(x, y), where x = (x1*y2 + x2*y1)/(1 + d*x1*x2*y1*y2) and y = (y1*y2 - a*x1*x2)/(1 - d*x1*x2*y1*y2). Let P:=(x1, y1)be~~reused between instantiations~~a pointof~~ECDSA25519. 9. Privacy Considerations The transformations between different~~the twisted Edwardscurve~~models described in this document~~E_{a,d} and let Q:=2*P. Then Q:=(x, y), where x = (2*x1*y1)/(1 + d*x1^2*y1^2) and y = (y1^2 - a*x1^2)/(1 - d*x1^2*y1^2). Note that one can use the formulae for point addition for point doubling, taking inverses, and adding the identity element as well (i.e., the point addition formulaeare~~publicly known and, therefore, do not affect privacy provisions. The randomized representation described in Appendix L.4 allows random curve points~~uniform and complete (subjectto~~be represented as random pairs of field elements, thereby assisting in obfuscating~~our Note above)). 
Fromthe~~presence of these curve~~group laws above (subject to our Note above) it follows that if P=(x, y), P1=(x1, y1), and P2=P=(x2, y2) arepoints~~in some applications. 10. IANA Considerations An object identifier is requested for~~of the twisted Edwardscurve~~Wei25519 and its use~~E_{a,d}with~~ECDSA~~P2:=P+P1and~~co-factor ECDH, using~~if x is nonzero, thenthe~~representation conventions~~x-coordinateof~~this document. There is *currently* no further IANA action required for this document. New object identifiers would~~P1 canbe~~required~~expressedin~~case one wishes to specify one or more~~termsof the~~"offspring" protocols exemplified in Section 4.4. 10.1. COSE Elliptic Curves Registration This section registers the following value in the IANA "COSE Elliptic Curves" registry [IANA.COSE.Curves]. Name: Wei25519; Value: TBD (Requested value: -1); Key Type: EC2 or OKP (where OKP uses~~y-coordinates of P, P1, and P2, andthe~~squeezed MSB/msb representation~~x-coordinateof~~this specification); Description: short-Weierstrass curve Wei25519; Reference: Appendix E.3~~P, since x*x1*(a-d*y*y1*y2)=y*y1-y2. (Here, observe that a-d*y*y1*y2 is nonzero per our Note above.) This property allows recoveryof~~this specification; Recommended: Yes. (Note~~the x-coordinate of a point P1=k*Pthat~~The "kty" value for Wei25519 may be "OKP"~~is computed via the so-called Montgomery ladder, where P is an affine point with nonzero x-coordinate (i.e., it does not have order oneor~~"EC2".) 10.2. COSE Algorithms Registration (1/2) This section registers~~two). For future reference, note that the group law (subject to our Note above) uniquely determinesthe~~following value~~y-coordinate of P2interms ofthe~~IANA "COSE Algorithms" registry [IANA.COSE.Algorithms]. Name: ECDSA25519; Value: TBD (Requested value: -1); Description: ECDSA w/ SHA-256 and curve Wei25519; Reference: Section 4.3~~y-coordinatesof~~this specification; Recommended: Yes. 10.3. 
COSE Algorithms Registration (2/2) This section registers~~P and P1 andthe~~following value~~product of their x-coordinates. Further details are out of scope. Appendix D. Relationship Between Curve Models The non-binary curves specifiedin~~the IANA "COSE Algorithms" registry [IANA.COSE.Algorithms]. Name: ECDH25519; Value: TBD (Requested value: -2); Description: NIST-compliant co-factor Diffie-Hellman w/~~Appendix A are expressed in differentcurve~~Wei25519~~models, viz. as curves in short-Weierstrass form, as Montgomery curves, or as twisted Edwards curves. These curve models are related, as follows. D.1. Mapping between Twisted Edwards Curvesand~~key derivation function HKDF SHA256; Reference: Section 4.1~~Montgomery Curves One can map pointsof~~this specification (for key derivation, see Section 11.1~~the Montgomery curve M_{A,B} to pointsof~~[RFC8152]); Recommended: Yes. 10.4. JOSE Elliptic Curves Registration This section registers~~the~~following value in~~twisted Edwards curve E_{a,d}, where a:=(A+2)/B and d:=(A-2)/B and, conversely, map points ofthe~~IANA "JSON Web Key Elliptic Curve" registry [IANA.JOSE.Curves]. Curve Name: Wei25519; Curve Description: short-Weierstrass~~twisted Edwardscurve~~Wei25519; JOSE Implementation Requirements: optional; Change Controller: IANA; Reference: Appendix E.3~~E_{a,d} to pointsofthe Montgomery curve M_{A,B}, where A:=2*(a+d)/(a-d) and where B:=4/(a-d). For twisted Edwards curves we consider (i.e., those where a is a square in GF(q), whereas d is not),this~~specification. 10.5. JOSE Algorithms Registration (1/2) This section registers~~defines a one- to-one correspondence, which - in fact - is an isomorphism between M_{A,B} and E_{a,d}, thereby showing that, e.g.,the~~following value~~discrete logarithm problemineither curve model is equally hard. Forthe~~IANA "JSON Web Signature~~Montgomery curvesand~~Encryption Algorithms" registry [IANA.JOSE.Algorithms]. 
Algorithm Name: ECDSA25519; Algorithm Description: ECDSA w/ SHA-256~~twisted Edwards curves we consider, the mapping from M_{A,B} to E_{a,d} is defined by mapping the point at infinity Oand~~curve Wei25519; Algorithm Usage Locations: alg; JOSE Implementation Requirements: optional; Change Controller: IANA; Reference: Section 4.3~~the point (0, 0)of~~this specification; Algorithm Analysis Documents: Section 4.3~~order twoof~~this specification. 10.6. JOSE Algorithms Registration (2/2) This section registers~~M_{A,B} to, respectively,the~~following value in~~point (0, 1) andthe~~IANA "JSON Web Signature~~point (0, -1) of order two of E_{a,d}, while mapping each other point (u, v) of M_{A,B} to the point (x,y):=(u/v,(u-1)/(u+1)) of E_{a,d}. The inverse mapping from E_{a,d} to M_{A,B} is defined by mapping the point (0, 1)and~~Encryption Algorithms" registry [IANA.JOSE.Algorithms]. Algorithm Name: ECDH25519; Algorithm Description: NIST-compliant co-factor Diffie-Hellman w/ curve Wei25519~~the point (0, -1) of order two of E_{a,d} to, respectively, the point at infinity Oand~~key derivation function HKDF SHA256; Algorithm Usage Locations: alg; Change Controller: IANA; Reference: Section 4.1~~the point (0, 0)of~~this specification (for key derivation, see Section 5~~order twoof~~[SP-800-56c]); Algorithm Analysis Documents: Section 4.1~~M_{A,B}, while each other point (x, y)of~~this specification (for key derivation, see Section 5~~E_{a,d} is mapped to the point (u,v):=((1+y)/(1-y),(1+y)/((1-y)*x))of~~[SP-800-56c]). 11. Acknowledgements Thanks~~M_{A,B}. 
Implementations may take advantage of this mappingto~~Nikolas Rosener~~carry out elliptic curve group operations originally definedfor~~discussions surrounding implementation details of~~a twisted Edwards curve onthe~~techniques described in this document~~corresponding Montgomery curve, or vice-versa,andtranslating the result backto~~Phillip Hallam-Baker for triggering inclusion of verbiage on~~the~~use of~~original curve, thereby potentially allowing code reuse. D.2. Mapping betweenMontgomery~~ladders with recovery~~Curves and Weierstrass Curves One can map pointsof the~~y-coordinate. Thanks~~Montgomery curve M_{A,B}to~~Stanislav Smyshlyaev~~points of the Weierstrass curve W_{a,b}, where a:=(3-A^2)/(3*B^2)and~~Vasily Nikolaev for their careful reviews. 12. References 12.1. Normative References [ANSI-X9.62] ANSI X9.62-2005, "Public Key Cryptography for~~b:=(2*A^3-9*A)/(27*B^3). This defines a one-to-one correspondence, which - in fact - is an isomorphism between M_{A,B} and W_{a,b}, thereby showing that, e.g.,the~~Financial Services Industry:~~discrete logarithm problem in either curve model is equally hard.The~~Elliptic Curve Digital Signature Algorithm (ECDSA)", American National Standard for Financial Services, Accredited Standards Committee X9, Inc, Anapolis, MD, 2005. [FIPS-186-4] FIPS 186-4, "Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4", US Department of Commerce/National Institute~~mapping from M_{A,B} to W_{a,b} is defined by mapping the point at infinity Oof~~Standards and Technology, Gaithersburg, MD, July 2013. [RFC2119] Bradner, S., "Key words for use in RFCs~~M_{A,B}to~~Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC5639] Lochter, M. and J. Merkle, "Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation", RFC 5639, DOI 10.17487/RFC5639, March 2010, <https://www.rfc-editor.org/info/rfc5639>. 
[RFC7696] Housley, R., "Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms", BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015, <https://www.rfc-editor.org/info/rfc7696>. [RFC7748] Langley, A., Hamburg, M.,~~the point at infinity O of W_{a,b}, while mapping each other point (u,v) of M_{A,B} to the point (X,Y):=((u+A/3)/B,v/B) of W_{a,b}. Note that not all Weierstrass curves can be injectively mapped to Montgomery curves, since the latter have a point of order twoand~~S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016, <https://www.rfc-editor.org/info/rfc7748>. [RFC7942] Sheffer, Y.~~the former may not. In particular, if a Weierstrass curve has prime order, such as is the case with the so-called "NIST prime curves", this inverse mapping is not defined. If the Weierstrass curve W_{a,b} has a point (alpha,0) of order twoand~~A. Farrel, "Improving Awareness~~c:=a+3*(alpha)^2 is a square in GF(q), one can map pointsof~~Running Code: The Implementation Status Section", BCP 205, RFC 7942, DOI 10.17487/RFC7942, July 2016, <https://www.rfc-editor.org/info/rfc7942>. [RFC8032] Josefsson, S.~~this curve to points of the Montgomery curve M_{A,B}, where A:=3*alpha/ gammaand~~I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017, <https://www.rfc-editor.org/info/rfc8032>. [RFC8152] Schaad, J., "CBOR Object Signing~~B:=1/gammaand~~Encryption (COSE)", RFC 8152, DOI 10.17487/RFC8152, July 2017, <https://www.rfc-editor.org/info/rfc8152>. [SEC1] SEC1, "SEC 1: Elliptic Curve Cryptography, Version 2.0", Standards for Efficient Cryptography, , June 2009. [SEC2] SEC2, "SEC 2: Elliptic Curve Cryptography, Version 2.0", Standards for Efficient Cryptography, , January 2010. 
[SP-800-56a] NIST SP 800-56a, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Log Cryptography, Revision 3", US Department~~where gamma is any square rootof~~Commerce/National Institute~~c. In this case, the mapping from W_{a,b} to M_{A,B} is defined by mapping the point at infinity O of W_{a,b} to the point at infinity O of M_{A,B}, while mapping each other point (X,Y)of~~Standards~~W_{a,b} to the point (u,v):=((X-alpha)/gamma,Y/gamma) of M_{A,B}. As before, this defines a one-to-one correspondence, which - in fact - is an isomorphism between W_{a,b}and~~Technology, Gaithersburg, MD, April 2018. [SP-800-56c] NIST SP 800-56c, "Recommendation~~M_{A,B}. It is easy to see that the mapping from W_{a,b} to M_{A,B} and that from M_{A,B} to W_{a,b} (if defined) are each other's inverse. This mapping can be used to implement elliptic curve group operations originally definedfor~~Key-Derivation Methods~~a twisted Edwards curve or for a Montgomery curve using group operations for the corresponding elliptic curvein~~Key-Establishment Schemes, Revision 1", US Department of Commerce/National Institute of Standards~~short-Weierstrass formand~~Technology, Gaithersburg, MD, April 2018. 12.2. Informative References [ECC] I.F. Blake, G. Seroussi, N.P. Smart, "Elliptic Curves in Cryptography", Cambridge University Press, Lecture Notes Series 265, July 1999. [ECC-Isogeny] E. Brier, M. Joye, "Fast Point Multiplication on Elliptic Curves through Isogenies", AAECC, Lecture Notes in Computer Science, Vol. 2643, New York: Springer-Verlag, 2003. [GECC] D. Hankerson, A.J. Menezes, S.A. Vanstone, "Guide~~translating the result backto~~Elliptic Curve Cryptography", New York: Springer-Verlag, 2004. [IANA.COSE.Algorithms] IANA, "COSE Algorithms", IANA, https://www.iana.org/assignments/cose/ cose.xhtml#algorithms. [IANA.COSE.Curves] IANA, "COSE Elliptic Curves", IANA, https://www.iana.org/assignments/cose/cose.xhtml#elliptic- curves. 
[IANA.JOSE.Algorithms] IANA, "JSON Web Signature and Encryption Algorithms", IANA, https://www.iana.org/assignments/jose/jose.xhtml#web- signature-encryption-algorithms. [IANA.JOSE.Curves] IANA, "JSON Web Key Elliptic Curve", IANA, https://www.iana.org/assignments/jose/jose.xhtml#web-key- elliptic-curve. [Mont-Ladder] P.L. Montgomery, "Speeding~~the~~Pollard~~original curve, thereby potentially allowing code reuse. Note that implementations for elliptic curves with short-Weierstrass form that hard-code the domain parameter a to a= -3 (which value is known to allow more efficient implementations) cannot always be used this way, since the curve W_{a,b} resulting from an isomorphic mapping cannot always be expressed as a Weierstrass curve with a=-3 via a coordinate transformation. For more details, see Appendix F. D.3. Mapping between Twisted Edwards Curvesand~~Elliptic Curve Methods of Factorization", Mathematics~~Weierstrass Curves One can map pointsof~~Computation, Vol. 48, 1987. [Rosener] N. Rosener, "Evaluating~~the~~Performance of Transformations Between Curve Representations in Elliptic Curve Cryptography for Constrained Device Security", M.Sc. Universitat Bremen, August 2018. [SWUmap] E. Brier, J-S. Coron, Th. Icart, D. Madore, H. Randriam, M. Tibouchi, "Efficient Indifferentiable Hashing into Ordinary Elliptic Curves", CRYPTO 2010, Lecture Notes in Computer Science, Vol. 6223, New York: Springer-Verlag, 2010. [tEd] D.J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters, "Twisted~~twistedEdwards~~Curves", Africacrypt 2008, Lecture Notes in Computer Science, Vol. 5023, New York: Springer-Verlag, 2008. [tEd-Formulas] H. Hisil, K.K.H. Wong, G. Carter, E. Dawson, "Twisted~~curve E_{a,d} to points of the Weierstrass curve W_{a,b}, via function composition, where one uses the isomorphic mapping between twistedEdwards~~Curves Revisited", ASIACRYPT 2008, Lecture Notes in Computer Science, Vol. 5350, New York: Springer-Verlag, 2008. [Tibouchi] M. 
Tibouchi, "Elligator Squared -- Uniform Points on Elliptic Curves~~curves and Montgomery curvesof~~Prime Order as Uniform Random Strings", Financial Cryptography 2014, Lecture Notes in Computer Science, Vol. 8437, New York: Springer-Verlag, 2014. [Wei-Ladder] T. Izu, Ts. Takagi,, "A Fast Parallel Elliptic Curve Multiplication Resistant Against Side Channel Attacks", Centre for Applied Cryptographic Research, Corr 2002-03, 2002.~~Appendix~~A. Some (non-Binary) Elliptic Curves A.1. Curves in short-Weierstrass Form Let GF(q) denote~~D.1 and the one between Montgomery and Weierstrass curves of Appendix D.2. Obviously, one can use function composition (now usingthe~~finite field with q elements, where q is an odd prime power~~respective inverses - if these exist) to realize the inverse of this mapping. Appendix E. Curve25519and~~where q~~Cousins This section introduces curves related to Curve25519 and explains their relationships. E.1. Curve Definition and Alternative Representations The elliptic curve Curve25519is~~not divisible by three. Let W_{a,b} be~~the~~Weierstrass~~MontgomerycurveM_{A,B} defined over the prime field GF(p),with~~defining equation Y^2 = X^3 + a*X + b,~~p:=2^{255}-19,where~~a~~A:=486662and~~b are elements of GF(q)~~B:=1. This curve has order h*n, where h=8and where~~4*a^3 + 27*b^2~~nis~~nonzero.~~a prime number. For this curve, A^2-4 is not a square in GF(p), whereas A+2 is.The~~points of W_{a,b} are the ordered pairs (X, Y) whose coordinates are elements~~quadratic twistof~~GF(q)~~this curve has order h1*n1, where h1=4and~~that satisfy~~where n1 is a prime number. 
For this curve,the~~defining equation (the so-called affine points), together with~~base point isthe~~special~~point~~O (the so-called "point at infinity").~~(Gu, Gv), where Gu=9 and where Gv is an odd integer in the interval [0, p-1].This~~set forms a~~curve has the samegroup~~under addition, via~~structure as (is "isomorphic" to)the~~so-called "secant-and-tangent" rule, where~~twisted Edwards curve E_{a,d} defined over GF(p), with as base pointthe point~~at infinity serves~~(Gx, Gy), where parameters areas~~the identity element. See~~specified inAppendix~~C.1 for details of~~E.3. This curve is denoted as Edwards25519. For this curve, the parameter a is a square in GF(p), whereas d is not, sothe group~~operation. A.2. Montgomery Curves Let GF(q) denote the finite field with q elements, where q~~laws of Appendix C.3 apply. The curveis~~an odd prime power. Let M_{A,B} be~~also isomorphic tothe~~Montgomery~~ellipticcurveW_{a,b} in short- Weierstrass form defined over GF(p),with~~defining equation B*v^2 = u^3 + A*u^2 + u,~~as base point the point (GX, GY),where~~A and B~~parametersare~~elements of GF(q) and where A is unequal to (+/-)2 and where B~~as specified in Appendix E.3. This curveis~~nonzero. The points of M_{A,B} are the ordered pairs~~denoted as Wei25519. E.2. Switching between Alternative Representations Each affine point(u, v)~~whose coordinates are elements~~of~~GF(q) and that satisfy~~Curve25519 corresponds tothe~~defining equation (the so- called affine points), together with~~point (X, Y):=(u + A/3, v) of Wei25519, whilethe~~special~~point~~O (the so- called "point~~at~~infinity"). This set forms a group under addition, via the so-called "secant-and-tangent" rule, where~~infinity of Curve25519 corresponds tothe point at infinity~~serves as~~of Wei25519. (Here, we usedthe~~identity element. See Appendix C.2 for details~~mappingsofAppendix D.2 and that B=1.) Under this mapping,the~~group operation. A.3. 
Twisted Edwards Curves Let GF(q) denote~~base point (Gu, Gv) of Curve25519 corresponds tothe~~finite field with q elements, where q is an odd prime power. Let E_{a,d} be~~base point (GX, GY) of Wei25519. The inverse mapping mapsthe~~twisted Edwards curve with defining equation a*x^2 + y^2 = 1+ d*x^2*y^2, where a and d are distinct nonzero elements~~affine point (X, Y) of Wei25519 to (u, v):=(X - A/3, Y)of~~GF(q). The points~~Curve25519, while mapping the point at infinityof~~E_{a,d} are~~Wei25519 tothe~~ordered pairs (x, y) whose coordinates are elements~~point at infinityof~~GF(q) and~~Curve25519. Notethat~~satisfy~~this mapping involves a simple shift ofthe~~defining equation (the so-called affine points). It~~first coordinate andcan be~~shown that this set forms a group under addition if~~implemented via integer-only arithmetic asa~~is~~shift of (p+A)/3 for the isomorphic mapping anda~~square in GF(q), whereas d is not,~~shift of -(p+A)/3 for its inverse,wheredelta=(p+A)/3 isthe~~point O:=(0, 1) serves as the identity element. (Note that the identity~~element~~satisfies~~of GF(p) defined by delta 19298681539552699237261830834781317975544997444273427339909597 334652188435537 (=0x2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaad2451). (Note that, depending onthe~~defining equation.) See Appendix C.3 for~~implementationdetails of the~~group operation. An Edwards curve~~field arithmetic, one may have to shift the result by +p or -p if this integeris~~a twisted Edwards curve with a=1. Appendix B. Elliptic Curve Nomenclature and Finite Fields B.1. Elliptic Curve Nomenclature Each curve defined~~notin~~Appendix A forms a commutative group under addition (denoted by '+'). In Appendix C we specify the group laws, which depend on~~theinterval [0,p-1].) Thecurve~~model in question. 
For completeness, we here include some common elliptic curve nomenclature and basic properties (primarily so as~~Edwards25519 is isomorphicto~~keep this document self-contained). These notions are mainly used in Appendix E and Appendix G and not essential for our exposition. This section can be skipped at first reading. Any~~the curve Curve25519, where the basepoint~~P~~(Gu, Gv)of~~a curve E is a generator~~Curve25519 corresponds to the base point (Gx,Gy)ofEdwards25519 and wherethe~~cyclic subgroup (P):={k*P | k = 0, 1, 2,...}~~point at infinity and the point (0,0) of order twoofCurve25519 correspond to, respectively,the~~curve. (Here, k*P denotes~~point (0, 1) andthe~~sum~~point (0, -1)of~~k copies~~order twoof~~P,~~Edwards25519 andwhere~~0*P is the identity element O~~each other point (u, v)ofCurve25519 corresponds tothe~~curve.) If (P) has cardinality l, then l~~point (c*u/v, (u-1)/(u+1)) of Edwards25519, where cis~~called~~the~~order~~elementof~~P. The order~~GF(p) defined by c sqrt(-(A+2)/B) 51042569399160536130206135233146329284152202253034631822681833788 666877215207 (=0x70d9120b 9f5ff944 2d84f723 fc03b081 3a5e2c2e b482e57d 3391fb55 00ba81e7). (Here, we used the mappingof~~curve E is~~Appendix D.1 and normalized this usingthe~~cardinality~~mappingofAppendix F.1 (wherethe~~set~~element sof~~its points, commonly denoted by |E|. A curve~~that appendixis~~cyclic if it~~set to c above).) The inverse mapping from Edwards25519 to Curve25519is~~generated~~definedby~~some~~mapping thepoint(0, 1) and the point (0, -1)of~~this curve. All curves of prime~~order~~are cyclic, while all curves~~twoof~~order h*n, where n is a large prime number~~Edwards25519 to, respectively, the point at infinityand~~where h is a small number (the so-called co-factor), have a large cyclic subgroup~~the point (0,0)of~~prime~~order~~n. In this case, a generator~~twoof~~order n is called a base point, commonly denoted by G. 
A~~Curve25519 and having each otherpoint(x, y)of~~order dividing h~~Edwards25519 correspond to the point ((1 + y)/(1 - y), c*(1 + y)/((1-y)*x)) of Curve25519. The curve Edwards25519is~~said~~isomorphicto~~be in~~the~~small subgroup. For curves~~Weierstrass curve Wei25519, where the base point (Gx, Gy)of~~prime order, this small subgroup is~~Edwards25519 corresponds tothe~~singleton set, consisting~~base point (GX,GY)of~~only~~Wei25519 and wherethe identity element~~O. If a point is not in~~(0,1) andthe~~small subgroup, it has order at least n. If R is a~~point(0,-1)oforder two of Edwards25519 correspond to, respectively,the~~curve that is also contained in (P), there is a unique integer k in the interval [0, l-1] so that R=k*P, where l is~~point at infinity O andthepoint (A/3, 0) ofordertwoof~~P. This number is called the discrete logarithm~~Wei25519 and where each other point (x, y)of~~R~~Edwards25519 correspondsto the~~base P.~~point (X, Y):=((1+y)/(1-y)+A/3, c*(1+y)/((1-y)*x)) of Wei25519, where c was defined before. (Here, we used the mapping of Appendix D.3.)The~~discrete logarithm problem~~inverse mapping from Wei25519 to Edwards25519isdefined by mappingthe~~problem of finding~~point at infinity O andthe~~discrete logarithm~~point (A/3, 0)of~~R to~~order two of Wei25519 to, respectively,the~~base P for any~~identity element (0,1) and the point (0,-1) of ordertwo~~points P~~of Edwards25519and~~R~~having each other point (X, Y)ofWei25519 correspond tothe~~curve,~~point (c*(X-A/3)/Y, (X-A/3-1)/(X-A/3+1)) of Edwards25519. Note that these mappings can be easily realizedif~~such a number exists. If P is~~points are represented in projective coordinates, usinga~~fixed base point G~~few field multiplications only, thus allowing switching between alternative curve representations with negligible relative incremental cost. E.3. 
Domain Parameters The parametersof the~~curve,~~Montgomery curve andthe~~pair (k, R:=k*G) is commonly called a public-private key pair,~~corresponding isomorphic curves in twisted Edwards curve and short-Weierstrass form are as indicated below. Here,the~~integer k~~domain parameters ofthe~~private key,~~Montgomery curve Curve25519andofthe~~point R~~twisted Edwards curve Edwards25519 are as specified in [RFC7748];the~~corresponding public key.~~domain parameters of Wei25519 are "new". General parameters (for all curve models): p 2^{255}-19 (=0x7fffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffed) h 8 n 72370055773322622139731865630429942408571163593799076060019509382 85454250989 (=2^{252} + 0x14def9de a2f79cd6 5812631a 5cf5d3ed) h1 4 n1 14474011154664524427946373126085988481603263447650325797860494125 407373907997 (=2^{253} - 0x29bdf3bd 45ef39ac b024c634 b9eba7e3) Montgomery curve-specific parameters (for Curve25519): A 486662 (=0x076d06) B 1 (=0x01) Gu 9 (=0x09) Gv 14781619447589544791020593568409986887264606134616475288964881837 755586237401 (=0x20ae19a1 b8a086b4 e01edd2c 7748d14c 923d4d7e 6d7c61b2 29e9c5a2 7eced3d9) Twisted Edwards curve-specific parameters (for Edwards25519): a -1 (-0x01) d -121665/121666 = - (A-2)/(A+2) (=370957059346694393431380835087545651895421138798432190163887855 33085940283555) (=0x52036cee 2b6ffe73 8cc74079 7779e898 00700a4d 4141d8ab 75eb4dca 135978a3) Gx 15112221349535400772501151409588531511454012693041857206046113283 949847762202 (=0x216936d3 cd6e53fe c0a4e231 fdd6dc5c 692cc760 9525a7b2 c9562d60 8f25d51a) Gy 4/5 (=463168356949264781694283940034751631413079938662562256157830336 03165251855960) (=0x66666666 66666666 66666666 66666666 66666666 66666666 66666666 66666658) Weierstrass curve-specific parameters (for Wei25519): a 19298681539552699237261830834781317975544997444273427339909597334 573241639236 (=0x2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaa98 4914a144) b 
55751746669818908907645289078257140818241103727901012315294400837 956729358436 (=0x7b425ed0 97b425ed 097b425e d097b425 ed097b42 5ed097b4 260b5e9c 7710c864) GX 19298681539552699237261830834781317975544997444273427339909597334 652188435546 (=0x2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaad245a) GY 14781619447589544791020593568409986887264606134616475288964881837 755586237401 (=0x20ae19a1 b8a086b4 e01edd2c 7748d14c 923d4d7e 6d7c61b2 29e9c5a2 7eced3d9) Appendix F. Further MappingsThe~~private key k can be represented~~non-binary curves specified in Appendix A are expressed in different curve models, viz.as~~an integer~~curvesin~~the interval [0,n-1], where G has order n.~~short-Weierstrass form, as Montgomery curves, or as twisted Edwards curves.In~~this document, a quadratic twist of a~~Appendix D we already described relationships between these variouscurve~~E defined over a field GF(q) is a~~models. Further mappings exist between elliptic curves within the samecurve~~E' related~~model. These can be exploitedto~~E, with cardinality |E'|, where |E|+|E'|=2*(q+1). If E is a curve in one~~force someof the~~curve models specified in this document,~~domain parameters to specific values that allow fora~~quadratic twist~~more efficient implementationof~~this curve~~the addition formulae. F.1. Isomorphic Mapping between Twisted Edwards Curves Onecan~~be expressed using~~map points ofthe~~same~~twisted Edwardscurve~~model, although (naturally) with its own~~E_{a,d} to points of the twisted Edwardscurve~~parameters. Two curves E~~E_{a',d'}, where a:=a'*s^2and~~E' defined over~~d:=d'*s^2 for some nonzero element s of GF(q). This definesa~~field GF(q) are said~~one-to-one correspondence, which - in fact - is an isomorphism between E_{a,d} and E_{a',d'}. The mapping from E_{a,d}to~~be isogenous if these have~~E_{a',d'} is defined by mappingthe~~same order and are said~~point (x,y) of E_{a,d}to~~be isomorphic if these have~~the~~same group structure. 
Note that isomorphic curves have necessarily~~point (x', y'):=(s*x, y) of E_{a',d'}. The inverse mapping from E_{a',d'} to E_{a,d} is defined by mappingthe~~same order and are, thus, a special type~~point (x', y')of~~isogenous curves. Further details are out~~E_{a',d'} to the point (x, y):=(x'/s, y')of~~scope. Weierstrass curves can have prime order, whereas Montgomery curves~~E_{a,d}. Implementations may take advantage of this mapping to carry out elliptic curve group operations originally defined for a twisted Edwards curve with generic domain parameters aandd on a corresponding isomorphictwisted Edwards~~curves always have an order~~curve with domain parameters a' and d'that~~is a multiple of four (and, thereby,~~havea~~small subgroup of cardinality four). An ordered pair (x, y) whose coordinates~~more special form and thatare~~elements~~known to allow for more efficient implementationsof~~GF(q)~~addition laws and translating the result back to the original curve. In particular, it is known that such efficiency improvements exist if a':=(+/-)1 (see [tEd-Formulas]). F.2. Isomorphic Mapping between Montgomery Curves Onecan~~be associated with any ordered triple~~map pointsof the~~form [x*z: y*z: z],~~Montgomery curve M_{A,B} to points of the Montgomery curve M_{A',B'},where~~z is a~~A:=A' and B:=B'*s^2 for somenonzero elementsof~~GF(q), and can be uniquely recovered from such~~GF(q). This definesa~~representation.~~one-to-one correspondence, which - in fact - is an isomorphism between M_{A,B} and M_{A',B'}.The~~latter representation~~mapping from M_{A,B} to M_{A',B'}is~~commonly called a representation in projective coordinates. Sometimes, yet other representations are useful (e.g., representation in Jacobian coordinates). Further details are out~~defined by mapping the point at infinity Oof~~scope. 
The group laws in Appendix C are mostly expressed in terms~~M_{A,B} to the point at infinity Oof~~affine points, but can also be expressed in terms~~M_{A',B'}, while mapping each other point (u,v)ofM_{A,B} tothe~~representation~~point (u', v'):=(u, s*v)of~~these points in projective coordinates, thereby allowing clearing~~M_{A',B'}. The inverse mapping from M_{A',B'} to M_{A,B} is defined by mapping the point at infinity Oof~~denominators. The group laws may also involve non-affine points (such as~~M_{A',B'} tothe point at infinity O of~~a Weierstrass curve or~~M_{A,B}, while mapping each other point (u',v')of~~a Montgomery curve). Those~~M_{A',B'} to the point (u,v):=(u',v'/s) of M_{A,B}. Onecan also~~be represented in projective coordinates. Further details are out~~map pointsof~~scope. B.2. Finite Fields The field GF(q), where q is an odd prime power, is defined as follows. If p is a prime number,~~the~~field GF(p) consists~~Montgomery curve M_{A,B} to pointsof the~~integers~~Montgomery curve M_{A',B'}, where A':=-A and B':=-B. This defines a one-to-one correspondence, which -in~~the interval [0,p-1]~~fact - is an isomorphism between M_{A,B}and~~two binary operations on~~M_{A',B'}. Inthis~~set: addition and multiplication modulo p. If q=p^m and m>0,~~case,the~~field GF(q)~~mapping from M_{A,B} to M_{A',B'}is defined~~in terms of an irreducible polynomial f(z) in z of degree m with coefficients in GF(p) (i.e., f(z) cannot be written as~~by mappingthe~~product of two polynomials in z of lower degree with coefficients in GF(p)): in this case, GF(q) consists~~point at infinity OofM_{A,B} tothe~~polynomials in z~~point at infinity Oof~~degree smaller than m with coefficients in GF(p) and two binary operations on this set: polynomial addition and polynomial multiplication modulo the irreducible polynomial f(z). 
By definition,~~M_{A',B'}, while mappingeach~~element x of GF(q) is a polynomial in z~~other point (u,v)of~~degree smaller than m and can, therefore, be uniquely represented as a vector (x_{m-1}, x_{m-2}, ..., x_1, x_0)~~M_{A,B} to the point (u',v'):=(-u,v)of~~length m with coefficients in GF(p), where x_i~~M_{A',B'}. The inverse mapping from M_{A',B'} to M_{A,B}isdefined by mappingthe~~coefficient of z^i~~point at infinity Oof~~polynomial x. Note that this representation depends on~~M_{A',B'} tothe~~irreducible polynomial f(z)~~point at infinity O of M_{A,B}, while mapping each other point (u',v')ofM_{A',B'} tothe~~field GF(p^m) in question (which is often fixed in practice). Note~~point (u,v):=(-u',v') of M_{A,B}. Implementations may take advantage of these mappings to carry out elliptic curve groups operations originally defined for a Montgomery curve with generic domain parameters A and B on a corresponding isomorphic Montgomery curve with domain parameters A' and B'that~~GF(q) contains the prime field GF(p) as~~havea~~subset. If m=1, we always pick f(z):=z, so~~more special form andthat~~the definitions~~are known to allow for more efficient implementationsof~~GF(p)~~addition lawsand~~GF(p^1) above coincide. If m>1, then GF(q) is called a (nontrivial) extension field over GF(p). The number p is called~~translatingthe~~characteristic of GF(q). A field element y is called a square in GF(q) if it can be expressed as y:=x^2 for some x in GF(q);~~result back to the original curve. In particular,it is~~called a non-square in GF(q) otherwise. If y is~~known that such efficiency improvements exist if B' assumesa~~square in GF(q), we denote by sqrt(y) one~~small absolute value, such as B':=(+/-)1. (see [Mont-Ladder]). F.3. Isomorphic Mapping between Weierstrass Curves One can map pointsof~~its square roots (the other one being -sqrt(y)). 
For methods for computing square roots and inverses in GF(q) - if these exist - see Appendix L.1~~the Weierstrass curve W_{a,b} to points of the Weierstrass curve W_{a',b'}, where a':=a*s^4and~~Appendix L.2, respectively. For methods~~b':=b*s^6for~~mapping a~~somenonzero~~field~~element~~that is not a square in GF(q) to a point~~sofGF(q). This definesa~~curve, see Appendix L.3. NOTE: The curves~~one-to-one correspondence, which -in~~Appendix E~~fact - is an isomorphism between W_{a,b}and~~Appendix G are all defined over a prime field GF(p), thereby reducing all operations to simple modular integer arithmetic. Strictly speaking we could, therefore, have refrained~~W_{a',b'}. The mappingfrom~~introducing extension fields. Nevertheless, we included the more general exposition, so as~~W_{a,b}to~~accommodate potential introduction of new curves that are~~W_{a',b'} isdefined~~over a (nontrivial) extension field~~by mapping the pointat~~some~~infinity O of W_{a,b} to thepoint~~in~~at infinity O of W_{a',b'}, while mapping each other point (X,Y) of W_{a,b} tothe~~future. This includes curves proposed for post-quantum isogeny-based schemes, which are defined over a quadratic extension field (i.e., where q:=p^2), and elliptic curves used with pairing-based cryptography.~~point (X',Y'):=(X*s^2, Y*s^3) of W_{a',b'}.The~~exposition in either case~~inverse mapping from W_{a',b'} to W_{a,b}is~~almost~~defined by mappingthe~~same and now automatically yields, e.g., data conversion routines for any finite field object (see Appendix J). Readers not interested in this, could simply view all fields as prime fields. Appendix C. Elliptic Curve Group Operations C.1. Group Law for Weierstrass Curves For each~~point~~P~~at infinity Oof~~the Weierstrass curve W_{a,b},~~W_{a',b'} tothe point at infinity O~~serves as identity element, i.e., P + O = O + P = P. 
For~~of W_{a,b}, while mappingeach~~affine point P:=(X, Y)~~other point (X', Y')ofW_{a',b'} tothepoint (X,Y):=(X'/s^2,Y'/s^3) of W_{a,b}. Implementations may take advantage of this mapping to carry out elliptic curve group operations originally defined for aWeierstrass curve~~W_{a,b}, the point -P is the point (X, -Y) and one has P + (-P) = O. Let P1:=(X1, Y1)~~with generic domain parameters aand~~P2:=(X2, Y2) be distinct affine points of the~~b on a corresponding isomorphicWeierstrass curve~~W_{a,b}~~with domain parameter a'and~~let Q:=P1 + P2, where Q is not the identity element. Then Q:=(x, y), where X + X1 + X2 = lambda^2~~b' that have a more special formand~~Y + Y1 = lambda*(X1 - X), where lambda:= (Y2 - Y1)/(X2 - X1). Let P:=(X1, Y1) be an affine point~~that are known to allow for more efficient implementationsof~~the Weierstrass curve W_{a,b}~~addition lawsand~~let Q:=2*P, where Q is not~~translatingthe~~identity element. Then Q:=(X, Y), where X + 2*X1 = lambda^2 and Y + Y1 = lambda*(X1 - X), where lambda:=(3*X1^2 + a)/(2*Y1). From~~result back tothe~~group laws above~~original curve. In particular,it~~follows~~is knownthatsuch efficiency improvements existif~~P=(X, Y), P1=k*P=(X1, Y1),~~a'=-3 (mod p), where p is the characteristic of GF(q),and~~P2=(k+1)*P=(X2, Y2)~~one uses so-called Jacobian coordinates with a particular projective version of the addition laws of Appendix C.1. While not all Weierstrass curves can be put into this form, all traditional NIST curves have domain parameter a=-3, while all Brainpool curves [RFC5639]are~~distinct affine points~~isomorphic to a Weierstrass curveofthis form via the above mapping. 
Note that implementations for elliptic curves with short-Weierstrass form that hard-code the domain parameter a to a= -3 cannot always be used this way, sincethe~~Weierstrass~~curve W_{a,b}~~and if Y is nonzero, then the Y-coordinate of P1 can~~cannot alwaysbe expressed in terms of~~the X-coordinates of P, P1, and P2, and the Y-coordinate of P, as Y1=((X*X1+a)*(X+X1)+2*b-X2*(X-X1)^2)/(2*Y). This property allows recovery of the Y-coordinate of~~a~~point P1=k*P that is computed~~Weierstrass curve with a'=-3via~~the so-called Montgomery ladder, where P~~a coordinate transformation: this only holds if a'/ais~~an affine point with nonzero Y-coordinate (i.e., it does not have order two). Further details are out of scope. C.2. Group Law for Montgomery Curves For each point P~~a fourth power in GF(q) (see Section 3.1.5of[GECC]). However, even in this case, one can still expressthe~~Montgomery~~curve~~M_{A,B}, the point at infinity O serves~~W_{a,b}as~~identity element, i.e., P + O = O + P = P. For each affine point P:=(u, v) of the Montgomery curve M_{A,B}, the point -P is the point (u, -v) and one has P + (-P) = O. Let P1:=(u1, v1) and P2:=(u2, v2) be distinct affine points of the Montgomery~~a Weierstrasscurve~~M_{A,B} and let Q:=P1 + P2, where Q is not the identity element. Then Q:=(u, v), where u + u1 + u2 = B*lambda^2 - A and v + v1 = lambda*(u1 - u), where lambda:=(v2 - v1)/(u2 - u1). Let P:=(u1, v1) be an affine point~~with a small domain parameter value a', thereby still allowing a more efficient implementation than with a general domain parameter value a. F.4. Isogenous Mapping between Weierstrass Curves One can still map pointsof the~~Montgomery~~Weierstrasscurve~~M_{A,B} and let Q:=2*P, where Q is not the identity element. Then Q:=(u, v), where u + 2*u1 = B*lambda^2 - A and v + v1 = lambda*(u1 - u), where lambda:=(3*u1^2 + 2*A*u1+1)/(2*B*v1). 
From the group laws above it follows that if P=(u, v), P1=k*P=(u1, v1), and P2=(k+1)*P=(u2, v2) are distinct affine~~W_{a,b} topoints of the~~Montgomery~~Weierstrasscurve~~M_{A,B}~~W_{a',b'}, where a':=-3 (mod p)and~~if v~~where pis~~nonzero, then~~the~~v-coordinate~~characteristicof~~P1 can be expressed~~GF(q), even if a'/a is not a fourth powerin~~terms of~~GF(q). In that case, this mappping cannot be an isomorphism (see Appendix F.3). Instead,the~~u-coordinates~~mapping is a so-called isogeny (or homomorphism). Since most elliptic curve operations process pointsof~~P, P1, and P2, and~~prime order or use so-called "co-factor multiplication", in practicethe~~v-coordinate of P,~~resulting mapping has similar propertiesas~~v1=((u*u1+1)*(u+u1+2*A)-2*A-u2*(u-u1)^2)/(2*B*v). This property allows recovery of the v-coordinate of a point P1=k*P that is computed via the so-called Montgomery ladder, where P is~~an~~affine point with nonzero v-coordinate (i.e., it does not have order~~isomorphism. In particular,one~~or two). Further details are out~~can still take advantageof~~scope. C.3. Group Law for Twisted Edwards Curves Note: The~~this mapping to carry out elliptic curvegroup~~laws below hold~~operations originally definedfor~~twisted Edwards curves E_{a,d} where~~a~~is~~Weierstrass curve with domain parametera~~square in GF(q), whereas d is not.~~unequal to -3 (mod p) on a corresponding isogenous Weierstrass curve with domain parameter a'=-3 (mod p) and translating the result back to the original curve.In this case, the~~addition formulae below are defined for each pair of points, without exceptions. Generalizations of this group law~~mapping from W_{a,b}to~~other twisted Edwards curves are out of scope. For each~~W_{a',b'} is defined by mapping thepoint~~P~~at infinity Oof~~the twisted Edwards curve E_{a,d},~~W_{a,b} tothe point~~O:=(0,1) serves as identity element, i.e., P + O =~~at infinityO~~+ P = P. 
For~~of W_{a',b'}, while mappingeachotherpoint~~P:=(x, y)~~(X,Y)of~~the twisted Edwards curve E_{a,d},~~W_{a,b} tothe point~~-P is~~(X',Y'):=(u(X)/w(X)^2,Y*v(X)/w(X)^3) of W_{a',b'}. Here, u(X), v(X), and w(X) are polynomials in X that depend onthe~~point (-x, y)~~isogeny in question, as do domain parameters a'and~~one has P + (-P) = O. Let P1:=(x1, y1)~~b'. The inverse mapping from W_{a',b'} to W_{a,b} is again an isogeny (called the dual isogeny)and~~P2:=(x2, y2) be points~~defined by mapping the point at infinity OofW_{a',b'} tothe~~twisted Edwards curve E_{a,d} and let Q:=P1 + P2. Then Q:=(x, y), where x = (x1*y2 + x2*y1)/(1 + d*x1*x2*y1*y2) and y = (y1*y2 - a*x1*x2)/(1 - d*x1*x2*y1*y2). Let P:=(x1, y1) be a~~pointat infinity O of W_{a,b}, while mapping each other point (X', Y')ofW_{a',b'} tothe~~twisted Edwards curve E_{a,d} and let Q:=2*P. Then Q:=(x, y),~~point (X,Y):=(u'(X')/w'(X')^2,Y'*v'(X')/w'(X')^3) of W_{a,b},where~~x = (2*x1*y1)/(1 + d*x1^2*y1^2)~~-- again -- u'(X'), v'(X'),and~~y = (y1^2 - a*x1^2)/(1 - d*x1^2*y1^2). Note~~w'(X') are polynomials in X'that~~one can use~~depend onthe~~formulae for point addition for point doubling, taking inverses, and adding~~isogeny in question. These mappings have the property that their composition is notthe identity~~element as well (i.e., the point addition formulae are uniform and complete (subject to our Note above)). From~~mapping (as wasthe~~group laws above (subject to our Note above) it follows that if P=(x, y), P1=k*P=(x1, y1), and P2=(k+1)*P=(x2, y2) are affine points of~~case withthe~~twisted Edwards curve E_{a,d} and~~isomorphic mappings discussed in Appendix F.3), but rather a fixed multiple hereof:if~~x~~this multipleis~~nonzero,~~lthen the~~x-coordinate of P1 can be expressed in terms of the y-coordinates~~isogeny is called an isogenyof~~P, P1,~~degree l (or l-isogeny)and~~P2,~~u, v,and~~the x-coordinate~~w (and, similarly, u', v', and w') are polynomialsof~~P, as x1=(y*y1-y2)/(x*(a-d*y*y1*y2)). 
This property allows recovery~~degrees l, 3*(l-1)/2, and (l-1)/2, respectively. Note that an isomorphism is simply an isogenyof~~the x-coordinate~~degree l=1. Detailsof~~a point P1=k*P~~how to determine isogenies are out of scope of this document. The above formulas assumethat~~is computed via~~the~~so-called Montgomery ladder, where P is an affine point with nonzero x-coordinate~~isogeny has odd degree(i.e.,~~it does not have order one or two). Further details~~l is odd); detailed formulas for even- degree isogeniesaresimilar, butout of scope.Implementations may take advantage of this mapping to carry out elliptic curve group operations originally defined for a Weierstrass curve with a generic domain parameter a on a corresponding isogenous Weierstrass curve with domain parameter a'=-3 (mod p), where one can use so-called Jacobian coordinates with a particular projective version of the addition laws ofAppendix~~D. Relationship Between Curve Models The non-binary~~C.1. Since all traditional NIST curves have domain parameter a=-3, while all Brainpoolcurves~~specified in Appendix A~~[RFC5639]are~~expressed in different~~isomorphic to a Weierstrasscurve~~models, viz. as curves in short-Weierstrass~~of thisform,~~as Montgomery curves, or as twisted Edwards curves. These curve models are related, as follows. D.1. Mapping between Twisted Edwards Curves and Montgomery Curves One can map points~~this allows taking advantageof~~the Montgomery~~existing implementations for these curves that may have a hardcoded a=-3 (mod p) domain parameter, provided one switches back and forth to thiscurve~~M_{A,B}~~form using the isogenous mapping in question. 
Note that isogenous mappings can be easily realized using representations in projective coordinates and involves roughly 3*l finite field multiplications, thus allowing switching between alternative representations at relatively low incremental cost comparedto~~points~~thatof~~the twisted Edwards~~ellipticcurve~~E_{a,d}, where a:=(A+2)/B and d:=(A-2)/B and, conversely, map points~~scalar multiplications (provided the isogeny has low degree l). Note, however, that this does require storageof the~~twisted Edwards curve E_{a,d} to points~~polynomial coefficientsof the~~Montgomery curve M_{A,B}, where A:=2(a+d)/(a-d)~~isogenyand~~where B:=4/(a-d). For twisted Edwards curves~~dual isogeny involved. This illustrates that low-degree isogenies are to be preferred, since an l-isogeny (usually) requires storing roughly 6*l elements of GF(q). While there are many isogenies,wetherefore onlyconsider~~(i.e.,~~those~~where a is a square in GF(q), whereas d is not), this defines a one- to-one correspondence, which - in fact -~~with the desired property with lowest possible degree. Appendix G. Further Cousins of Curve25519 This section introduces some further curves related to Curve25519 and explains their relationships. G.1. Further Alternative Representations The Weierstrass curve Wei25519is~~an isomorphism between M_{A,B}~~isomorphic to the Weierstrass curve Wei25519.2 defined over GF(p), with as base point the pair (G2X,G2Y),and~~E_{a,d}, thereby showing that, e.g.,~~isogenous tothe~~discrete logarithm problem in either~~Weierstrasscurve~~model is equally hard. For~~Wei25519.-3 defined over GF(p), with as base pointthe~~Montgomery curves~~pair (G3X, G3Y), where parameters are as specified in Appendix G.3and~~twisted Edwards curves we consider,~~wherethe~~mapping from M_{A,B}~~related mappings are as specified in Appendix G.2. G.2. 
Further Switching Each affine point (X, Y) of Wei25519 correspondsto~~E_{a,d}~~the point (X', Y'):=(X*s^2,Y*s^3) of Wei25519.2, where sisthe element of GF(p)defined by~~mapping~~s 20343593038935618591794247374137143598394058341193943326473831977 39407761440 (=0x047f6814 6d568b44 7e4552ea a5ed633d 02d62964 a2b0a120 5e7941e9 375de020), whilethe point at infinity~~O and~~of Wei25519 corresponds tothe point~~(0, 0)~~at infinityof~~order two~~Wei25519.2. (Here, we used the mappingof~~M_{A,B} to, respectively,~~Appendix F.3.) Under this mapping,thebasepoint~~(0, 1) and~~(GX, GY) of Wei25519 corresponds tothebasepoint~~(0, -1)~~(G2X,G2Y)of~~order two~~Wei25519.2. The inverse mapping maps the affine point (X', Y')of~~E_{a,d},~~Wei25519.2 to (X,Y):=(X'/s^2,Y'/s^3) of Wei25519,while mapping~~each other~~thepoint~~(u, v)~~at infinity Oof~~M_{A,B}~~Wei25519.2to the point~~(x,y):=(u/v,(u-1)/(u+1))~~at infinity Oof~~E_{a,d}. The inverse~~Wei25519. Note that thismapping~~from E_{a,d}~~(and its inverse) involves a modular multiplication of both coordinates with fixed constants s^2 and s^3 (respectively, 1/s^2 and 1/s^3), which can be precomputed. Each affine point (X,Y) of Wei25519 correspondsto~~M_{A,B}~~the point (X',Y'):=(X1*t^2,Y1*t^3) of Wei25519.-3, where (X1,Y1)=(u(X)/w(X)^2,Y*v(X)/w(X)^3), where u, v, and w are the polynomials with coefficients in GF(p) as defined in Appendix G.4.1 and where tisthe element of GF(p)defined by~~mapping the point (0, 1) and~~t 35728133398289175649586938605660542688691615699169662967154525084 644181596229 (=0x4efd6829 88ff8526 e189f712 5999550c e9ef729b ed1a7015 73b1bab8 8bfcd845), whilethe point~~(0, -1) of order two~~at infinityof~~E_{a,d} to, respectively,~~Wei25519 corresponds tothe point at infinity~~O and the point (0, 0)~~of~~order two~~Wei25519.-3. (Here, we used the isogenous mappingof~~M_{A,B}, while each other~~Appendix F.4.) 
Under this isogenous mapping, the basepoint~~(x, y)~~(GX,GY)of~~E_{a,d} is mapped~~Wei25519 correspondsto thebasepoint~~(u,v):=((1+y)/(1-y),(1+y)/((1-y)*x)) of M_{A,B}. Implementations may take advantage~~(G3X,G3Y)of~~this mapping to carry out elliptic curve group operations originally defined for a twisted Edwards curve on the corresponding Montgomery curve, or vice-versa, and translating the result back to~~Wei25519.-3. The dual isogeny mapsthe~~original curve, thereby potentially allowing code reuse. D.2. Mapping between Montgomery Curves and Weierstrass Curves One can map points~~affine point (X',Y')of~~the Montgomery curve M_{A,B}~~Wei25519.-3to~~points of~~the~~Weierstrass curve W_{a,b},~~affine point (X,Y):=(u'(X1)/w'(X1)^2,Y1*v'(X1)/w'(X1)^3) of Wei25519,where~~a:=(3-A^2)/(3*B^2)~~(X1,Y1)=(X'/t^2,Y'/t^3)and~~b:=(2*A^3-9*A)/(27*B^3). This defines a one-to-one correspondence, which - in fact - is an isomorphism between M_{A,B}~~where u', v',and~~W_{a,b}, thereby showing that, e.g.,~~w' arethe~~discrete logarithm problem~~polynomials with coefficientsin~~either curve model is equally hard. The mapping from M_{A,B} to W_{a,b} is~~GF(p) asdefined~~by~~in Appendix G.4.2, whilemapping the point at infinity O of~~M_{A,B}~~Wei25519.-3to the point at infinity O of~~W_{a,b}, while mapping each other~~Wei25519. Under this dual isogenous mapping, the basepoint~~(u,v)~~(G3X, G3Y)of~~M_{A,B}~~Wei25519.-3 correspondstoa multiple of the base point (GX, GY) of Wei25519, where this multiple is l=47 (the degree of the isogeny; see the description in Appendix F.4). Note that this isogenous map (and its dual) primarily involvesthe~~point (X,Y):=((u+A/3)/B,v/B)~~evaluationof~~W_{a,b}. 
Note that not all Weierstrass curves can be injectively mapped~~three fixed polynomials involving the x-coordinate, which takes roughly 140 modular multiplications (or less than 5-10% relative incremental cost comparedto~~Montgomery curves, since~~the~~latter have a point~~cost of an elliptic curve scalar multiplication). G.3. Further Domain Parameters The parametersof~~order two and~~the~~former may not. In particular, if a~~Weierstrass curve~~has prime order, such as~~with a=2 thatis~~the case~~isomorphicwithWei25519 andthe~~so-called "NIST curves", this inverse mapping is not defined. If~~parameters ofthe Weierstrass curve~~W_{a,b} has a~~with a=-3 that is isogenous with Wei25519 are as indicated below. Both domain parameter sets can be exploited directly to derive more efficientpoint~~(alpha,0)~~addition formulae, should an implementation facilitate this. General parameters: same as for Wei25519 (see Appendix E.3) Weierstrass curve-specific parameters (for Wei25519.2, i.e., with a=2): a 2 (=0x02) b 12102640281269758552371076649779977768474709596484288167752775713 178787220689 (=0x1ac1da05 b55bc146 33bd39e4 7f94302e f19843dc f669916f 6a5dfd01 65538cd1) G2X 10770553138368400518417020196796161136792368198326337823149502681 097436401658 (=0x17cfeac3 78aed661 318e8634 582275b6 d9ad4def 072ea193 5ee3c4e8 7a940ffa) G2Y 54430575861508405653098668984457528616807103332502577521161439773 88639873869 (=0x0c08a952 c55dfad6 2c4f13f1 a8f68dca dc5c331d 297a37b6 f0d7fdcc 51e16b4d) Weierstrass curve-specific parameters (for Wei25519.-3, i.e., with a=-3): a -3 (=0x7fffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffea) b 29689592517550930188872794512874050362622433571298029721775200646 451501277098 (=0x41a3b6bf c668778e be2954a4 b1df36d1 485ecef1 ea614295 796e1022 40891faa) G3X 53837179229940872434942723257480777370451127212339198133697207846 219400243292 (=0x7706c37b 5a84128a 3884a5d7 1811f1b5 5da3230f fb17a8ab 0b32e48d 31a6685c) G3Y 
69548073091100184414402055529279970392514867422855141773070804184 60388229929 (=0x0f60480c 7a5c0e11 40340adc 79d6a2bf 0cb57ad0 49d025dc 38d80c77 985f0329) G.4. Isogeny Details The isogeny and dual isogeny are both isogenies with degree l=47. Both are specified by a triple of polynomials u, v, and w (resp. u', v', and w')of~~order two~~degree 47, 69,and~~c:=a+3*(alpha)^2 is a square~~23, respectively, with coefficientsin~~GF(q), one can map points~~GF(p). The coeffientsof~~this curve to points~~eachofthese polynomials are specified in Appendix G.4.1 (forthe~~Montgomery curve M_{A,B}, where A:=3*alpha/ gamma and B:=1/gamma~~isogeny)and~~where gamma is any square root of c. In this case,~~in Appendix G.4.2 (forthe~~mapping from W_{a,b} to M_{A,B} is defined by mapping~~dual isogeny). For each polynomial in variable x,the~~point at infinity O~~coefficients are tabulated as sequence of coefficients of x^0, x^1, x^2, ..., in hexadecimal format. G.4.1. Isogeny Parameters G.4.1.1. Coefficients of u(x) 0 0x670ed14828b6f1791ceb3a9cc0edfe127dee8729c5a72ddf77bb1abaebbba1e8 1 0x1135ca8bd5383cb3545402c8bce2ced14b45c29b241e4751b035f27524a9f932 2 0x3223806ff5f669c430efd74df8389f058d180e2fcffa5cdef3eacecdd2c34771 3 0x31b8fecf3f17a819c228517f6cd9814466c8c8bea2efccc47a29bfc14c364266 4 0x2541305c958c5a326f44efad2bec284e7abee840fadb08f2d994cd382fd8ce42 5 0x6e6f9c5792f3ff497f860f44a9c469cec42bd711526b733e10915be5b2dbd8c6 6 0x3e9ad2e5f594b9ce6b06d4565891d28a1be8790000b396ef0bf59215d6cabfde 7 0x278448895d236403bbc161347d19c913e7df5f372732a823ed807ee1d30206be 8 0x42f9d171ea8dc2f4a14ea46cc0ee54967175ecfe83a975137b753cb127c35060 9 0x128e40efa2d3ccb51567e73bae91e7c31eac45700fa13ce5781cbe5ddc985648 10 0x450e5086c065430b496d88952dd2d5f2c5102bc27074d4d1e98bfa47413e0645 11 0x487ef93da70dfd44a4db8cb41542e33d1aa32237bdca3a59b3ce1c59585f253d 12 0x33d209270026b1d2db96efb36cc2fa0a49be1307f49689022eab1892b010b785 13 0x4732b5996a20ebc4d5c5e2375d3b6c4b700c681bd9904343a14a0555ef0ecd48 14 
G.4.1.2. Coefficients of v(x)

G.4.1.3. Coefficients of w(x)

G.4.2. Dual Isogeny Parameters

G.4.2.1. Coefficients of u'(x)

G.4.2.2. Coefficients of v'(x)

G.4.2.3. Coefficients of w'(x)

Appendix H.
Point Compression

Point compression allows a shorter representation of affine points of an elliptic curve by exploiting algebraic relationships between the coordinate values based on the defining equation of the curve in question. Point decompression refers to the reverse process, where one tries to recover an affine point from its compressed representation and information on the domain parameters of the curve. Consequently, point compression followed by point decompression is the identity map.

The description below makes use of an auxiliary function (the parity function), which we first define for prime fields GF(p), with p odd, and then extend to all fields GF(q), where q is an odd prime power. We assume each finite field to be unambiguously defined and known from context.

Let y be a nonzero element of GF(q). If q:=p is an odd prime number, y and p-y can be uniquely represented as integers in the interval [1,p-1] and have odd sum p. Consequently, one can distinguish y from -y via the parity of this representation, i.e., via par(y):=y (mod 2). If q:=p^m, where p is an odd prime number and where m>0, both y and -y can be uniquely represented as vectors of length m, with coefficients in GF(p) (see Appendix B.2). In this case, the leftmost nonzero coordinate values of y and -y are in the same position and have representations in [1,p-1] with different parity. As a
result, one can distinguish y from -y via the parity of the representation of this coordinate value. This extends the definition of the parity function to any odd-size field GF(q), where one defines par(0):=0.

H.1. Point Compression for Weierstrass Curves

If P:=(X, Y) is an affine point of the Weierstrass curve W_{a,b} defined over the field GF(q), then so is -P:=(X, -Y). Since the defining equation Y^2=X^3+a*X+b has at most two solutions with fixed X-value, one can represent P by its X-coordinate and one bit of information that allows one to distinguish P from -P, i.e., one can represent P as the ordered pair compr(P):=(X, par(Y)). If P is a point of order two, one can uniquely represent P by its X-coordinate alone, since Y=0 and has fixed parity. Conversely, given the ordered pair (X, t), where X is an element of GF(q) and where t=0 or t=1, and the domain parameters of the curve W_{a,b}, one can use the defining equation of the curve to try and determine candidate values for the Y-coordinate given X, by solving the quadratic equation Y^2:=alpha, where alpha:=X^3+a*X+b. If alpha is not a square in GF(q), this equation does not have a solution in
GF(q) and the ordered pair (X, t) does not correspond to a point of this curve. Otherwise, there are two solutions, viz. Y=sqrt(alpha) and -Y. If alpha is a nonzero element of GF(q), one can uniquely recover the Y-coordinate for which par(Y):=t and, thereby, the point P:=(X, Y). This is also the case if alpha=0 and t=0, in which case Y=0 and the point P has order two. However, if alpha=0 and t=1, the ordered pair (X, t) does not correspond to the outcome of the point compression function. We extend the definition of the point compression function to all points of the curve W_{a,b}, by associating the (non-affine) point at infinity O with any ordered pair compr(O):=(X,0), where X is any element of GF(q) for which alpha:=X^3+a*X+b is not a square in GF(q), and recover this point accordingly. In this case, the point at infinity O can be represented by any ordered pair (X,0) of elements of GF(q) for which X^3+a*X+b is not a square in GF(q). Note that
this ordered pair does not satisfy the defining equation of the curve in question. An application may fix a specific suitable value of X or choose multiple such values and use this to encode additional information. Further details are out of scope.

H.2. Point Compression for Montgomery Curves

If P:=(u, v) is an affine point of the Montgomery curve M_{A,B} defined over the field GF(q), then so is -P:=(u, -v). Since the defining equation B*v^2=u^3+A*u^2+u has at most two solutions with fixed u-value, one can represent P by its u-coordinate and one bit of information that allows one to distinguish P from -P, i.e., one can represent P as the ordered pair compr(P):=(u, par(v)). If P is a point of order two, one can uniquely represent P by its u-coordinate alone, since v=0 and has fixed parity. Conversely, given the ordered pair (u, t), where u is an element of GF(q) and where t=0 or t=1, and the domain parameters of the curve M_{A,B}, one can use the defining equation of the curve to try and determine candidate values for the v-coordinate given u, by solving the quadratic equation v^2:=alpha, where alpha:=(u^3+A*u^2+u)/B. If alpha is not a square in GF(q), this equation does not have a solution in GF(q) and the ordered pair (u, t) does not correspond to a point of this curve. Otherwise, there are two solutions, viz. v=sqrt(alpha) and -v.
If alpha is a nonzero element of GF(q), one can uniquely recover the v-coordinate for which par(v):=t and, thereby, the affine point P:=(u, v). This is also the case if alpha=0 and t=0, in which case v=0 and the point P has order two. However, if alpha=0 and t=1, the ordered pair (u, t) does not correspond to the outcome of the point compression function. We extend the definition of the point compression function to all points of the curve M_{A,B}, by associating the (non-affine) point at infinity O with the ordered pair compr(O):=(0,1) and recover this point accordingly. (Note that this corresponds to the case alpha=0 and t=1 above.) The point at infinity O can be represented by the ordered pair (0, 1) of elements of GF(q). Note that this ordered pair does not satisfy the defining equation of the curve in question.

H.3. Point Compression for Twisted Edwards Curves

If P:=(x, y) is an affine point of the twisted Edwards curve E_{a,d} defined over the field GF(q), then so is -P:=(-x, y). Since the defining equation a*x^2+y^2=1+d*x^2*y^2 has at most two solutions with fixed y-value, one can represent P by its y-coordinate and one bit of information that allows one to distinguish P from -P, i.e., one can represent P as the ordered pair compr(P):=(par(x), y).
If P is a point of order one or two, one can uniquely represent P by its y-coordinate alone, since x=0 and has fixed parity. Conversely, given the ordered pair (t, y), where y is an element of GF(q) and where t=0 or t=1, and the domain parameters of the curve E_{a,d}, one can use the defining equation of the curve to try and determine candidate values for the x-coordinate given y, by solving the quadratic equation x^2:=alpha, where alpha:=(1-y^2)/(a-d*y^2). (Here, observe that the denominator is nonzero for any point of E_{a,d}.) If alpha is not a square in GF(q), this equation does not have a solution in GF(q) and the ordered pair (t, y) does not correspond to a point of this curve. Otherwise, there are two solutions, viz. x=sqrt(alpha) and -x. If alpha is a nonzero element of GF(q), one can uniquely recover the x-coordinate for which par(x):=t and, thereby, the affine point P:=(x, y). This is also the case if alpha=0 and t=0, in which case x=0 and the point P has order one or two. However, if alpha=0 and t=1, the ordered pair (t,y) does not correspond to the outcome of the point compression function. Note that the point compression function is defined for all points of the twisted Edwards curve E_{a,d}.
Here, the identity element O:=(0,1) is associated with the compressed point compr(O):=(0,1). (Note that this corresponds to the case alpha=0 and t=0 above.) We extend the definition of the compression function further, to also include a special marker element 'btm', by associating this marker element with the ordered pair compr(btm):=(1,1) and recover this marker element accordingly. (Note that this corresponds to the case alpha=0 and t=1 above.) The marker element 'btm' can be represented by the ordered pair (1,1) of elements of GF(q). Note that this ordered pair does not satisfy the defining equation of the curve in question.

Appendix I. Data Conversions

The string over some alphabet S consisting of the symbols x_{l-1}, x_{l-2}, ..., x_1, x_0 (each in S), in this order, is denoted by str(x_{l-1}, x_{l-2}, ..., x_1, x_0). The length of this string (over S) is the number of symbols it contains (here: l). The empty string is the (unique) string of length l=0. The right-concatenation of two strings X and Y (defined over the same alphabet) is the string Z consisting of the symbols of X (in the same order) followed by the symbols of Y (in the same order). The length of the resulting string Z is the sum of the lengths of X and Y. This string operation is denoted by Z:=X||Y.
The string X is called a prefix of Z; the string Y a postfix. The t-prefix of a string Z of length l is its unique prefix X of length t; the t-postfix its unique postfix Y of length t (where in both cases t is an integer in the interval [0,l]). One can define these notions as well if t is outside the interval [0,l] by stipulating that a t-prefix or t-postfix is the empty string if t is negative and that it is the entire string Z if t is larger than l. Sometimes, a t-prefix of
a string Z is denoted by trunc-left(Z,t); a t-postfix by trunc-right(Z,t). A string X is called a substring of Z if it is a
(=0x20ae19a1 b8a086b4 e01edd2c 7748d14c 923d4d7e 6d7c61b2 29e9c5a2 7eced3d9) Appendix F. Further Mappings~~prefix of some postfix of Z.The~~non-binary curves specified~~string resulting from prepending the string Y with X is the string X||Y. An octet is an integerin~~Appendix~~the interval [0,256). An octet string is a string, where the alphabet is the set of all octets.A~~are expressed~~binary string (or bit string, for short) is a string, where the alphabet is the set {0,1}. Note that the length of a string is definedin~~different curve models, viz.~~terms of the underlying alphabet,as~~curves~~are the operationsin~~short-Weierstrass form, as Montgomery curves, or as twisted Edwards curves. In Appendix D we already described relationships~~the previous paragraph. I.1. Conversionbetween~~these various curve models. Further mappings exist~~Bit Strings and Integers (BS2I, I2BS) There is a 1-1 correspondencebetween~~elliptic curves within~~bit strings of length l and integers inthe~~same curve model. These can be exploited~~interval [0, 2^l), where the bit string X:=str(x_{l-1}, x_{l-2}, ..., x_1, x_0) correspondsto~~force some of~~the~~domain parameters~~integer x:=x_{l-1}*2^{l-1} + x_{l-2}*2^{l-2} + ... + x_1*2 + x_0*1. (If l=0, the empty bit string correspondsto~~specific values that allow for a more efficient implementation of~~the~~addition formulae. F.1. Isomorphic Mapping between Twisted Edwards Curves One can map points of~~integer zero.) Note that whilethe~~twisted Edwards curve E_{a,d}~~mapping from bit stringsto~~points of~~integers is uniquely defined,the~~twisted Edwards curve E_{a',d'}, where a:=a'*s^2 and d:=d'*s^2 for some nonzero element s~~inverse mapping from integers to bit strings is not, since any non-negative integer smaller than 2^t can be represented as a bit stringof~~GF(q).~~length at least t (due to leading zero coefficients in base 2 representation). 
The latter representation is called tight if the bit string representation has minimal length.This defines~~a one-to-one correspondence, which - in fact - is an isomorphism between E_{a,d} and E_{a',d'}. The~~themappingBS2Ifrom~~E_{a,d} to E_{a',d'} is defined by mapping the point (x,y) of E_{a,d}~~bit stringstointegers andthe~~point (x', y'):=(s*x, y) of E_{a',d'}. The inverse~~mappingI2BS(x,l)from~~E_{a',d'}~~non-negative integers smaller than 2^lto~~E_{a,d}~~bit strings of length l. I.2. Conversion between Octet Strings and Integers (OS2I, I2OS) Thereis~~defined by mapping the point (x', y')~~a 1-1 correspondence between octet stringsof~~E_{a',d'}~~length l and integers in the interval [0, 256^l), where the octet string X:=str(X_{l-1}, X_{l-2}, ..., X_1, X_0) correspondsto the~~point (x, y):=(x'/s, y') of E_{a,d}. Implementations may take advantage of this mapping~~integer x:=X_{l-1}*256^{l-1} + X^{l-2}*256^{l-2} + ... + X_1*256 + X_0*1. (If l=0, the empty string correspondsto~~carry out elliptic curve group operations originally defined for a twisted Edwards curve with generic domain parameters a and d on a corresponding isomorphic twisted Edwards curve with domain parameters a' and d'~~the integer zero.) Notethat~~have a more special form, which are known~~while the mapping from octet stringsto~~allow for more efficient implementations of addition laws. In particular, it~~integersis~~known that such efficiency improvements exist if a':=-1 (see [tEd-Formulas]). F.2. Isomorphic Mapping between Montgomery Curves One can map points of~~uniquely defined,the~~Montgomery curve M_{A,B}~~inverse mapping from integersto~~points of the Montgomery curve M_{A',B'}, where A:=A' and B:=B'*s^2 for some nonzero element s~~octet strings is not, since any non-negative integer smaller than 256^t can be represented as an octet stringof~~GF(q). This defines a one-to-one correspondence, which -~~length at least t (due to leading zero coefficientsin~~fact -~~base 256 representation). 
The latter representationis~~an isomorphism between M_{A,B}~~called tight if the octet string representation has minimal length. This defines the mapping OS2I from octet strings to integersand~~M_{A',B'}. The~~themappingI2OS(x,l)from~~M_{A,B}~~non-negative integers smaller than 256^lto~~M_{A',B'}~~octet strings of length l. I.3. Conversion between Octet Strings and Bit Strings (OS2BS, BS2OS) Thereis~~defined by mapping the point at infinity O~~a 1-1 correspondence between octet stringsof~~M_{A,B}~~length l and bit strings of length 8*l, where the octet string X:=str(X_{l-1}, X_{l-2}, ..., X_1, X_0) correspondsto the~~point at infinity O~~right-concatenationof~~M_{A',B'}, while mapping~~the 8-bit strings x_{l-1}, x_{l-2}, ..., x_1, x_0, whereeach~~other point (u,v) of M_{A,B}~~octet X_i correspondsto the~~point (u', v'):=(u, s*v)~~8-bit string x_i according to the mappingof~~M_{A',B'}. The inverse~~Appendix I.1 above. Note that themapping from~~M_{A',B'}~~octet stringsto~~M_{A,B}~~bit stringsisuniquelydefined~~by mapping the point at infinity O of M_{A',B'} to~~and so isthe~~point at infinity O of M_{A,B}, while~~inversemapping~~each other point (u',v') of M_{A',B'}~~from bit stringstooctet strings, if one prepends each bit string withthe~~point (u,v):=(u',v'/s) of M_{A,B}. One can also map points~~smallest numberof~~the Montgomery curve M_{A,B}~~0 bits so asto~~points~~result in a bit stringof~~the Montgomery curve M_{A',B'}, where A':=-A and B':=-B.~~length divisible by eight (i.e., one uses pre-padding).This defines~~a one-to-one correspondence, which - in fact - is an isomorphism between M_{A,B}~~the mapping OS2BS from octet strings to bit stringsand~~M_{A',B'}. In this case,~~thecorrespondingmappingBS2OSfrom~~M_{A,B}~~bit stringsto~~M_{A',B'}~~octet strings. I.4. 
Conversion between Field Elements and Octet Strings (FE2OS, OS2FE) Thereis~~defined by mapping the point at infinity O~~a 1-1 correspondence between elementsof~~M_{A,B} to~~the~~point at infinity O~~fixed finite field GF(q), where q:=p^m, where p is a prime number and where m>0, and vectorsof~~M_{A',B'}, while mapping~~length m, with coefficients in GF(p), whereeach~~other point (u,v)~~element xof~~M_{A,B}~~GF(q) is a vector (x_{m-1}, x_{m-2}, ..., x_1, x_0) accordingto the~~point (u',v'):=(-u,v)~~conventionsof~~M_{A',B'}. The inverse mapping from M_{A',B'} to M_{A,B} is defined~~Appendix B.2. In this case, this field element can be uniquely representedby~~mapping~~the~~point at infinity O~~right-concatenationof~~M_{A',B'} to~~the~~point at infinity O of M_{A,B}, while mapping~~octet strings X_{m-1}, X_{m-2}, ..., X_1, X_0, whereeach~~other point (u',v') of M_{A',B'}~~octet string X_i correspondsto the~~point (u,v):=(-u',v') of M_{A,B}. Implementations may take advantage of this mapping to carry out elliptic curve groups operations originally defined for a Montgomery curve with generic domain parameters A and B on a corresponding isomorphic Montgomery curve with domain parameters A' and B' that have a more special form, which is known~~integer x_i in the interval [0,p-1] accordingto~~allow for more efficient implementations~~the mappingof~~addition laws. In particular, it is known~~Appendix I.2 above. Notethat~~such efficiency improvements exist if B' assumes a small absolute value, such as B':=(+/-)1. (see [Mont-Ladder]). F.3. 
Isomorphic Mapping between Weierstrass Curves One can map points of~~both the mapping from field elements to octet strings andthe~~Weierstrass curve W_{a,b}~~inverse mapping from octet stringsto~~points of~~field elements are only uniquely defined if each octet string X_i hasthe~~Weierstrass curve W_{a',b'}, where a':=a*s^4~~same fixed size (e.g., the smallest integer l so that 256^l >= p)and~~b':=b*s^6 for some nonzero element s of GF(q).~~if all integers are reduced modulo p. If so, the latter representation is called tight if l is minimal so that 256^l >= p.This defines~~a one-to-one correspondence, which - in fact - is an isomorphism between W_{a,b}~~the mapping FE2OS(x,l) from field elements to octet stringsand~~W_{a',b'}. The~~themappingOS2FE(X,l)from~~W_{a,b}~~octet stringsto~~W_{a',b'}~~field elements, where the underlying field is implicit and assumed to be known from context. In this case, the octet string has length l*m. (Observe that with tight representations, the parameter lisuniquelydefined by~~mapping~~the~~point at infinity O~~characteristic pof~~W_{a,b} to~~the~~point at infinity O~~field GF(q) in question.) I.5. Conversion between Elementsof~~W_{a',b'}, while mapping each other point (X,Y)~~Z mod n and Octet Strings (ZnE2OS, OS2ZnE) There is a 1-1 correspondence between elementsof~~W_{a,b} to~~the~~point (X',Y'):=(X*s^2, Y*s^3)~~set Z_nof~~W_{a',b'}. The inverse mapping from W_{a',b'} to W_{a,b}~~integers modulo n and integers in the interval [0,n), where each element x of Z_nis~~defined~~uniquely representedby~~mapping~~the~~point at infinity O of W_{a',b'}~~integer x mod n. In this case, x mod n can be uniquely represented by the octet string X accordingto the~~point at infinity O~~mappingof~~W_{a,b}, while~~Appendix I.2 above. Note that both themapping~~each other point (X', Y')~~from elementsof~~W_{a',b'}~~Z_ntooctet strings andthe~~point (X,Y):=(X'/s^2,Y'/s^3) of W_{a,b}. 
Implementations may take advantage of this~~inversemappingfrom octet stringsto~~carry out elliptic curve group operations originally~~elements of Z_n are only uniquelydefined~~for a Weierstrass curve with generic domain parameters a and b on~~if the octet string hasa~~corresponding isomorphic Weierstrass curve with domain parameter a' and b'~~fixed size (e.g., the smallest integer l sothat~~have a more special form, which is known to allow for more efficient implementations of addition laws,~~256^l >= n)and~~translating the result back to~~if all integers are first reduced modulo n. If so,the~~original curve. In particular, it~~latter representationis~~known that such efficiency improvements exist~~called tightif~~a'=-3 (mod p), where p~~lisminimal so that 256^l >= n. This definesthe~~characteristic~~mapping ZnE2OS(x,l) from elementsof~~GF(q),~~Z_n to octet stringsand~~one uses so-called Jacobian coordinates with a particular projective version of~~the~~addition laws of Appendix C.1. While not all Weierstrass curves can be put into this form, all traditional NIST curves have domain parameter a=-3, while all Brainpool curves [RFC5639] are isomorphic~~mapping OS2ZnE(X,l) from octet stringsto~~a Weierstrass curve~~elementsofZ_n, where the underlying modulus n is implicit and assumed to be known from context. Inthis~~form. Note~~case, the octet string has length l. (Observethat~~implementations for elliptic curves~~with~~short-Weierstrass form~~tight representations, the parameter l is uniquely defined by the parameter n in question.) Notethat~~hard-code~~if n is a prime number p, the conversions ZnE2OS and FE2OS are consistent, as are OS2ZnE and OS2FE. This is, however, no longerthe~~domain parameter~~case if n isa~~to a= -3 cannot always be used this way, since the curve W_{a,b} cannot always~~strict prime power. 
The conversion rules for composite n values maybe~~expressed in terms~~useful, e.g., when encoding RSA parameters (or elementsofany other non-prime size set Z_n, for that matter). I.6. Ordering Conventions One can consider various representation functions, depending on bit- ordering and octet-ordering conventions. The description below makes use of an auxiliary function (the reversion function), which we define both for bit strings and octet strings. Fora~~Weierstrass curve with a'=-3 via a coordinate transformation: this only holds if a'/a~~bit string [octet string] X:=str(x_{l-1}, x_{l-2}, ..., x_1, x_0), its reverseis~~a fourth power~~the bit string [octet string] X':=rev(X):=str(x_0, x_1, ..., x_{l-2}, x_{l-1}). We now describe representationsin~~GF(q) (see Section 3.1.5 of [GECC]). However, even~~most-significant-bit first (msb) or least-significant-bit first (lsb) order and thosein~~this case, one can still express~~most- significant-byte first (MSB) or least-significant-byte first (LSB) order. One distinguishesthe~~curve W_{a,b}~~following octet-string representations of integers and field elements: 1. MSB, msb: represent field elements and integersas~~a Weierstrass curve with a small domain parameter value a', thereby still allowing a more efficient implementation than with a general domain parameter value a. F.4. Isogenous Mapping between Weierstrass Curves One can still map points~~above, yielding the octet string str(X_{l-1}, X_{l-2}, ..., X_1, X_0). 2. MSB, lsb: reverse the bit-orderofeach octet, viewed as 8-bit string, yielding the octet string str((rev(X_{l-1}), rev(X_{l-2}), ..., rev(X_1), rev(X_0)). 3. LSB, lsb: reversethe~~Weierstrass curve W_{a,b} to points~~octet string and bit-orderofeach octet, yieldingthe~~Weierstrass curve W_{a',b'}, where a':=-3 (mod p)~~octet string str(rev(X_{0}), rev(X_{1}), ..., rev(X_{l-2}), rev(X_{l-1})). 4. LSB, msb: reverse the octet string, yielding the octet string str(X_{0}, X_{1}, ..., X_{l-2}, X_{l-1}). 
Thus, the 2-octet string "07e3" represents the integer 2019 (=0x07e3) in MSB/msb order, the integer 57,543 (0xe0c7) in MSB/lsb order, the integer 51,168 (0xc7e0) in LSB/lsb order,and~~where p is~~the~~characteristic of GF(q), even if a'/a is not a fourth power~~integer 58,119 (=0xe307)in~~GF(q). In that case, this mappping cannot be an isomorphism (see Appendix F.3). Instead,~~LSB/msb order. Note that, withthe~~mapping~~above data conversions, thereisstill some ambiguity as to how to represent an integer ora~~so-called isogeny (or homomorphism). Since most elliptic curve operations process points of prime order~~field element as a bit stringor~~use so-called "co-factor multiplication",~~octet string (due to leading zeros). However, tight representations (as defined above) are non-ambiguous. (Note,in~~practice the resulting mapping has similar properties as an isomorphism. In~~particular,~~one can still take advantage~~that tightness implies that elements of GF(q) are always uniquely represented.) Note that elementsof~~this mapping to carry out elliptic curve group operations originally defined for~~a~~Weierstrass curve with domain parameter~~prime field GF(p), where p isa~~unequal to -3 (mod p) on~~255-bit prime number, havea~~corresponding isogenous Weierstrass curve with domain parameter a'=-3 (mod p) and translating the result back to the original curve. In this case, the mapping from W_{a,b}~~tight representation as a 32-byte string, where a fixed bit position is always setto~~W_{a',b'}~~zero. (Thisis~~defined by mapping~~the~~point at infinity O~~leftmost bit positionof~~W_{a,b} to~~this octet string if one followsthe~~point at infinity O~~MSB/msb representation conventions.) This allows the parity bitof~~W_{a',b'}, while mapping each other~~a compressedpoint~~(X,Y) of W_{a,b}~~(see Appendix H)to~~the~~be encoded in this bit position and, thereby, allows a compressedpoint~~(X',Y'):=(u(X)/w(X)^2,Y*v(X)/w(X)^3) of W_{a',b'}. 
Here, u(X), v(X),~~and~~w(X) are polynomials in X that depend on the isogeny in question. The inverse mapping from W_{a',b'}~~a field element of GF(p)to~~W_{a,b} is again an isogeny and defined~~be representedby~~mapping the point at infinity O~~an octet stringof~~W_{a',b'} to~~thesame length. This is called the squeezedpoint~~at infinity O of W_{a,b}, while mapping each~~representation. Obviously,other~~point (X', Y')~~representations (e.g., thoseof~~W_{a',b'} to the point (X,Y):=(u'(X')/w'(X')^2,Y'*v'(X')/w'(X')^3)~~elementsof~~W_{a,b}, where -- again -- u'(X'), v'(X'), and w'(X') are polynomials in X' that depend on the isogeny in question. These mappings~~Z_n) may alsohave~~the property that their composition is not the identity mapping (as was the case with the isomorphic mappings discussed in Appendix F.3), but rather a~~fixed~~multiple hereof: if this multiple is l then the isogeny is called an isogeny of degree l (or l-isogeny) and u, v, and w (and, similarly, u', v', and w') are polynomials of degrees l, 3*(l-1)/2, and (l-1)/2, respectively. Note that an isomorphism is simply an isogeny of degree l=1. Details of how~~bit values in certain positions, which can be usedto~~determine isogenies~~squeeze-in additional information. Further detailsare out of~~scope~~scope. Appendix J. Representation Examples Curve25519 Family Members We present some examplesofcomputations using the curves introduced inthis document.~~Implementations may take advantage~~In each case, we indicate the valuesof~~this mapping to carry out elliptic curve group operations originally defined for a Weierstrass curve with a generic domain parameter a on a corresponding isogenous Weierstrass curve with domain parameter a'=-3 (mod p),~~P, k*P, and (k+1)*P,where~~one can use so-called Jacobian coordinates with~~P isa~~particular projective version~~fixed multiple (here: 2019)of the~~addition laws~~base pointof~~Appendix C.1. 
Since all traditional NIST curves have domain parameter a=-3, while all Brainpool curves [RFC5639] are isomorphic to a Weierstrass~~thecurvein question and where the private key k is the integer k 45467544759954639344191351164156560595299236761702065033670739677 691372543056 (=0x6485b7e6 cd83e5c2 0d5dbfe4 f915494d 9cf5c65d 778c32c3 c08d5abd 15e29c50). J.1. Example with Curve25519 Pm=(u, v), k*Pm=(u1, v1), and (k+1)*Pm=(u2, v2) with Curve25519: u 53025657538808013645618620393754461319535915376830819974982289332 088255623750 (=0x753b7566 df35d574 4734142c 9abf931c ea290160 aa75853c 7f972467 b7f13246). v 53327798092436462013048370302019946300826511459161905709144645521 233690313086 (=0x75e676ce deee3b3c 12942357 22f1d884 ac06de07 330fb07b ae35ca26 df75417e). u1 42039618818474335439333192910143029294450651736166602435248528442 691717668056 (=0x5cf194be f0bdd6d6 be58e18a 8f16740a ec25f4b0 67f7980a 23bb6468 88bb9cd8). v1 76981661982917351630937517222412729130882368858134322156485762195 67913357634 (=0x110501f6 1dff511e d6c4e9b9 bfd5acbe 8bf043b8 c3e381dd f5771306 479ad142). u2 34175116482377882355440137752573651838273760818624557524643126101 82464621878 (=0x078e3e38 41c3e0d0 373e5454 ecffae33 2798b10a 55c72117 62629f97 f1394d36). v2 43046985853631671610553834968785204191967171967937842531656254539 962663994648 (=0x5f2bbb06 f7ec5953 2c2a1a62 21124585 1d2682e0 cc37307e fbc17f7f 7fda8518). As suggested in Appendix C.2, the v-coordinateof~~this form, this allows taking advantage~~k*Pm can be indirectly computed from the u-coordinatesof~~existing implementations for these curves that may have a hardcoded a=-3 (mod p) domain parameter, provided one switches back~~Pm, k*Pm, and (k+1)*Pm,and~~forth to this curve form~~the v-coordinate of Pm, which allows computation of the entire point k*Pm (and not just its u-coordinate) if k*Pm is computedusing the~~isogenous mapping in question. 
Note~~Montgomery ladder (as, e.g., [RFC7748] recommends), sincethat~~isogenous mappings can~~algorithm computes both u1 and u2 and the v-coordinate of the point Pm maybe~~easily realized using representations in projective coordinates~~available from context. The representation of kand~~involves roughly 3*l finite field multiplications, thus allowing switching between alternative~~the compressedrepresentations~~at relatively low incremental cost compared to that~~of~~elliptic curve scalar multiplications (provided~~Pm and k*Pm in tight LSB/msb-order are given by repr(k) 0x509ce215 bd5a8dc0 c3328c77 5dc6f59c 4d4915f9 e4bf5d0d c2e583cd e6b78564 repr(Pm) 0x4632f1b7 6724977f 3c8575aa 600129ea 1c93bf9a 2c143447 74d535df 66753b75; repr(k*Pm) 0xd89cbb88 6864bb23 0a98f767 b0f425ec 0a74168f 8ae158be d6d6bdf0 be94f15c, wherethe~~isogeny has low degree l). Note, however, that this does require storage~~leftmost bitof the~~polynomial coefficients~~rightmost octet indicates the parityof the~~isogeny and dual isogeny involved. This illustrates that low-degree isogenies are to be preferred, since an l-isogeny (usually) requires storing roughly 6*l elements~~v-coordinateof~~GF(q). While there are many isogenies, we therefore only consider those with~~the~~desired property with lowest possible degree. Appendix G. Further Cousins~~pointof Curve25519~~G.1. Further Alternative Representations~~in question (which, in this case, are both zero, since v and v1 are even). 
See Appendix H.2 and Appendix I for further detail on (squeezed) point compression.The~~Weierstrass curve Wei25519~~scalar representation and (squeezed) point representation illustrated above are consistent with the representations specified in [RFC7748], except that in [RFC7748] only an affine point's u-coordinateis~~isomorphic to~~represented (i.e.,the~~Weierstrass curve Wei25519.2 defined over GF(p), with as base~~v-coordinate of anypoint~~the pair (G2X,G2Y), and isogenous~~is always implicitly assumedtohave an even value) and that the representation ofthe~~Weierstrass curve Wei25519.-3 defined over GF(p), with as base~~pointat infinity is not specified. Another difference is that [RFC7748] allows non-unique representations of some elements of GF(p), whereas our representation conventions do not (since tight). A randomized representation (t1, t2) ofthe~~pair (G3X, G3Y),~~point k*Pm in tight LSB/ msb order is given by t1 409531317901122685707535715924445398426503483189854716584 37762538294289253464 (=0x5844b232 8c4586dc 62f593c5 599c2a8c e61ba893 bb052de6 77510a42 b3a68a5a) t2 451856098332889407421278004628150814449259902023388533929 08848927625430980881 (=0x11598452 e65138dc ce948d7e d8f46a18 b640722c 8e170957 751b7729 1b26e663),where~~parameters are as specified~~this representation is definedin Appendix~~G.3~~K.5 and uses the mapping of Appendix K.3.2 with the default square root function. J.2. Example with Edwards25519 Pe=(x, y), k*Pe=(x1, y1), and (k+1)*Pe=(x2, y2) with Edwards25519: x 25301662348702136092602268236183361085863932475593120475382959053 365387223252 (=0x37f03bc0 1070ed12 d3218f8b ba1abb74 fd6b94eb 62033d09 83851e21 d6a460d4). y 54434749145175762798550436656748568411099702168121592090608501578 942019473360 (=0x7858f9e7 6774ed8e 23d614d2 36715fc7 56813b02 9aa13c18 960705c5 b3a30fd0). x1 42966967796585460733861724865699548279978730460766025087444502812 416557284873 (=0x5efe7124 465b5bdb b364bb3e e4f106e2 18d59b36 48f4fe83 c11afc91 785d7e09). 
y1 46006463385134057167371782068441558951541960707376246310705917936 352255317084 (=0x65b6bc49 985badaf bc5fdd96 fb189502 35d5effd 540b439d 60508827 80bc945c). x2 42629294840915692510487991904657367226900127896202625319538173473 104931719808 (=0x5e3f536a 3be2364a 1fa775a3 5f8f65ae 93f4a89d 81a04a2e 87783748 00120a80). y2 29739282897206659585364020239089516293417836047563355347155817358 737209129078 (=0x41bfd66e 64bdd801 c581a720 f48172a8 187445fa 350924a2 c92c791e 38d57876). The representation of k and the compressed representations of Peandk*Pe in tight LSB/lsb-order are given by repr(k) =0x0a3947a8 bd5ab103 c34c31ee ba63af39 b292a89f 27fdbab0 43a7c1b3 67eda126; repr(Pe) =0x0bf0c5cd a3a0e069 183c8559 40dc816a e3fa8e6c 4b286bc4 71b72ee6 e79f1a1e; repr(k*Pe) =0x3a293d01 e4110a06 b9c2d02a bff7abac 40a918df 69bbfa3d f5b5da19 923d6da7,where the~~related mappings are as specified in Appendix G.2. G.2. Further Switching Each affine point (X, Y)~~rightmost bitof~~Wei25519 corresponds to~~the~~point (X', Y'):=(X*s^2,Y*s^3) of Wei25519.2, where s is~~rightmost octet indicatesthe~~element~~parityof~~GF(p) defined by s 20343593038935618591794247374137143598394058341193943326473831977 39407761440 (=0x047f6814 6d568b44 7e4552ea a5ed633d 02d62964 a2b0a120 5e7941e9 375de020), while~~the~~point at infinity~~x-coordinateof~~Wei25519 corresponds to~~the point~~at infinity of Wei25519.2. (Here, we used the mapping~~of~~Appendix F.3.) Under~~Edwards25519 in question (which, inthis~~mapping, the base point (GX, GY) of Wei25519 corresponds to the base~~case, are zero and one, respectively, since x is even and x1 is odd). 
See Appendix H.3 and Appendix I for further detail on (squeezed)point~~(G2X,G2Y) of Wei25519.2.~~compression.The~~inverse mapping maps the affine~~scalar representation and (squeezed)point~~(X', Y') of Wei25519.2 to (X,Y):=(X'/s^2,Y'/s^3) of Wei25519, while mapping~~representation illustrated above are fully consistent withthe~~point at infinity O of Wei25519.2~~representations specified in [RFC8032]. Note that, contraryto~~the point at infinity O~~[RFC7748], [RFC8032] requires unique representationsof~~Wei25519. Note that this mapping (and its inverse) involves a modular multiplication~~all elementsof~~both coordinates with fixed constants s^2 and s^3 (respectively, 1/s^2 and 1/s^3), which can be precomputed. Each affine point (X,Y)~~GF(p). A randomized representation (t1, t2)of~~Wei25519 corresponds to~~the point~~(X',Y'):=(X1*t^2,Y1*t^3) of Wei25519.-3, where (X1,Y1)=(u(X)/w(X)^2,Y*v(X)/w(X)^3), where u, v, and w are the polynomials with coefficients~~k*Pein~~GF(p) as~~tight LSB/ lsb order is given by t1 577913017083163641949634219017190182170288776648725395935 97750427519399254040 (=0x181a32c5 10e06dbc ea321882 f3519055 535e289e 8faac654 82e26f61 aded23fe) t2 454881407940919718426608573125377401686255068210624245884 05479716220480287974 (=0x672e36c5 ae353073 cdfac343 e8297b05 1b010d0f 5b1016db dd4baf54 28068926), where this representation isdefined in Appendix~~H.1~~K.5and~~where t is the element of GF(p) defined by t 35728133398289175649586938605660542688691615699169662967154525084 644181596229 (=0x4efd6829 88ff8526 e189f712 5999550c e9ef729b ed1a7015 73b1bab8 8bfcd845), while the point at infinity of Wei25519 corresponds to the point at infinity of Wei25519.-3. (Here, we used~~usesthe~~isogenous~~mapping of Appendix~~F.4.) Under this isogenous mapping,~~K.3.3 withthe~~base point (GX,GY)~~default square root function and underlying isomorphic mapping between Edwards25519 and Curve25519ofAppendix E.2. J.3. 
Example withWei25519~~corresponds to the base point (G3X,G3Y) of Wei25519.-3.~~Pw=(X, Y), k*Pw=(X1, Y1), and (k+1)*Pw=(X2, Y2) with Wei25519: X 14428294459702615171094958724191825368445920488283965295163094662 783879239338 (=0x1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa). Y 53327798092436462013048370302019946300826511459161905709144645521 233690313086 (=0x75e676ce deee3b3c 12942357 22f1d884 ac06de07 330fb07b ae35ca26 df75417e). X1 34422557393689369648095312405803933433606568476197477554293337733 87341283644 (=0x079c3f69 9b688181 69038c35 39c11eb5 96d09f5b 12a242b4 ce660f13 3368c13c). Y1 76981661982917351630937517222412729130882368858134322156485762195 67913357634 (=0x110501f6 1dff511e d6c4e9b9 bfd5acbe 8bf043b8 c3e381dd f5771306 479ad142). X2 22716193187790487472805844610038683159372373526135883092373909944 834653057415 (=0x3238e8e2 ec6e8b7a e1e8feff 97aa58dd d2435bb5 0071cbc2 0d0d4a42 9be67187). Y2 43046985853631671610553834968785204191967171967937842531656254539 962663994648 (=0x5f2bbb06 f7ec5953 2c2a1a62 21124585 1d2682e0 cc37307e fbc17f7f 7fda8518).The~~dual isogeny maps the affine point (X',Y')~~representationof~~Wei25519.-3 to~~k andthe~~affine point (X,Y):=(u'(X1)/w'(X1)^2,Y1*v'(X1)/w'(X1)^3)~~compressed representationsof~~Wei25519, where (X1,Y1)=(X'/t^2,Y'/t^3) and where u', v',~~Pwand~~w' are the polynomials with coefficients in GF(p) as defined~~k*Pwin~~Appendix H.2, while mapping the point at infinity O of Wei25519.-3 to the point at infinity O of Wei25519. 
Under this dual isogenous mapping, the base point (G3X, G3Y) of Wei25519.-3 corresponds to a multiple of the base point (GX, GY) of Wei25519,~~tight MSB/msb-order are given by repr(k) =0x6485b7e6 cd83e5c2 0d5dbfe4 f915494d 9cf5c65d 778c32c3 c08d5abd 15e29c50; repr(Pw) =0x1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa; repr(k*Pw) =0x079c3f69 9b688181 69038c35 39c11eb5 96d09f5b 12a242b4 ce660f13 3368c13c,where~~this multiple is l=47 (the degree of the isogeny; see the description in Appendix F.4). Note that this isogenous map (and its dual) primarily involves~~the~~evaluation~~leftmost bitof~~three fixed polynomials involving~~the~~x-coordinate, which takes roughly 140 modular multiplications (or less than 5-10% relative incremental cost compared to~~leftmost octet indicatesthe~~cost of an elliptic curve scalar multiplication). G.3. Further Domain Parameters The parameters~~parityof the~~Weierstrass curve with a=2 that is isomorphic with Wei25519 and the parameters~~Y-coordinateof the~~Weierstrass curve with a=-3 that is isogenous with Wei25519 are as indicated below. Both domain parameter sets can be exploited directly to derive more efficient~~point~~addition formulae, should an implementation facilitate this. 
General parameters: same as for~~ofWei25519~~(see Appendix E.3) Weierstrass curve-specific parameters (for Wei25519.2, i.e., with a=2): a 2 (=0x02) b 12102640281269758552371076649779977768474709596484288167752775713 178787220689 (=0x1ac1da05 b55bc146 33bd39e4 7f94302e f19843dc f669916f 6a5dfd01 65538cd1) G2X 10770553138368400518417020196796161136792368198326337823149502681 097436401658 (=0x17cfeac3 78aed661 318e8634 582275b6 d9ad4def 072ea193 5ee3c4e8 7a940ffa) G2Y 54430575861508405653098668984457528616807103332502577521161439773 88639873869 (=0x0c08a952 c55dfad6 2c4f13f1 a8f68dca dc5c331d 297a37b6 f0d7fdcc 51e16b4d) Weierstrass curve-specific parameters (for Wei25519.-3, i.e., with a=-3): a -3 (=0x7fffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffea) b 29689592517550930188872794512874050362622433571298029721775200646 451501277098 (=0x41a3b6bf c668778e be2954a4 b1df36d1 485ecef1 ea614295 796e1022 40891faa) G3X 53837179229940872434942723257480777370451127212339198133697207846 219400243292 (=0x7706c37b 5a84128a 3884a5d7 1811f1b5 5da3230f fb17a8ab 0b32e48d 31a6685c) G3Y 69548073091100184414402055529279970392514867422855141773070804184 60388229929 (=0x0f60480c 7a5c0e11 40340adc 79d6a2bf 0cb57ad0 49d025dc 38d80c77 985f0329) Appendix H. Isogeny Details The isogeny and dual isogeny~~in question (which, in this case,are both~~isogenies~~zero, since Y and Y1 are even). See Appendix H.1 and Appendix I for further detail on (squeezed) point compression. The scalar representation is consistentwith~~degree l=47. Both are~~the representationsspecified~~by~~in [SEC1]; the (squeezed) point representation illustrated above is "new". For completeness, we includea~~triple~~SEC1-consistent representationof~~polynomials u, v, and w (resp. u', v',~~the point Pw in affine formatand~~w')~~in compressed format below. 
The SEC1-compliant affine representationof~~degree 47, 69, and 23, respectively, with coefficients~~the point Pwin~~GF(p).~~tight MSB/msb-order is given by aff(Pw) =0x04 1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa 75e676ce deee3b3c 12942357 22f1d884 ac06de07 330fb07b ae35ca26 df75417e, whereas the SEC1-compliant compressed representation of the point Pw in tight MSB/msb-order is given by compr(Pw) =0x02 1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa;The~~coeffients~~SEC1-compliant uncompressed format aff(Pw)of~~each~~an affine point Pw corresponds to the right-concatenationof~~these polynomials are specified~~its X- and Y-coordinates, eachin~~Appendix H.1 (for~~tight MSB/msb-order, prepended by the string 0x04, where the reverse procedure is uniquely defined, since elements of GF(p) have a unique fixed-size representation. The (squeezed) compressed format repr(Pw) corresponds to the SEC1-compliant compressed format by extracting the parity bit t from the leftmost bit of the leftmost octet of repr(Pw), replacing the bit position by the value zero, and prepending the octet string with 0x02 or 0x03, depending on whether t=0 or t=1, respectively, where the reverse procedure is uniquely defined, since GF(p) is a 255-bit prime field. For further details, see [SEC1]. Note that, due to the bit-size of the prime p, the squeezed compressed format repr(Pw) is one octet shorter than the SEC1-compliant compressed format compr(Pw). A randomized representation (t1, t2) ofthe~~isogeny) and~~point k*Pwin~~Appendix H.2 (for the dual isogeny). 
For each polynomial~~tight MSB/ msb order is given by t1 446363445988889734093446280484122107283059206243307955388 84223152228795899590 (=0x62af4697 4dd469ac 96c64809 c16c8517 b6a0cee5 40ba0e2e 6dd2b36a fcc75ec6) t2 213890166610228613105792710708385961712211281744756216061 11930888059603107561 (=0x2f49c121 8fed7912 031157ee ae066507 a972320b 6180e267 4025b006 2e67bee9), where this representation is definedin~~variable x,~~Appendix K.5 and usesthe~~coefficients are tabulated as sequence of coefficients of x^0, x^1, x^2, ..., in hexadecimal format. H.1. Isogeny Parameters H.1.1. Coefficients~~mappingof~~u(x) 0 0x670ed14828b6f1791ceb3a9cc0edfe127dee8729c5a72ddf77bb1abaebbba1e8 1 0x1135ca8bd5383cb3545402c8bce2ced14b45c29b241e4751b035f27524a9f932 2 0x3223806ff5f669c430efd74df8389f058d180e2fcffa5cdef3eacecdd2c34771 3 0x31b8fecf3f17a819c228517f6cd9814466c8c8bea2efccc47a29bfc14c364266 4 0x2541305c958c5a326f44efad2bec284e7abee840fadb08f2d994cd382fd8ce42 5 0x6e6f9c5792f3ff497f860f44a9c469cec42bd711526b733e10915be5b2dbd8c6 6 0x3e9ad2e5f594b9ce6b06d4565891d28a1be8790000b396ef0bf59215d6cabfde 7 0x278448895d236403bbc161347d19c913e7df5f372732a823ed807ee1d30206be 8 0x42f9d171ea8dc2f4a14ea46cc0ee54967175ecfe83a975137b753cb127c35060 9 0x128e40efa2d3ccb51567e73bae91e7c31eac45700fa13ce5781cbe5ddc985648 10 0x450e5086c065430b496d88952dd2d5f2c5102bc27074d4d1e98bfa47413e0645 11 0x487ef93da70dfd44a4db8cb41542e33d1aa32237bdca3a59b3ce1c59585f253d 12 0x33d209270026b1d2db96efb36cc2fa0a49be1307f49689022eab1892b010b785 13 0x4732b5996a20ebc4d5c5e2375d3b6c4b700c681bd9904343a14a0555ef0ecd48 14 0x64dc9e8272b9f5c6ad3470db543238386f42b18cb1c592cc6caf7893141b2107 15 0x52bbacd1f85c61ef7eafd8da27260fa2821f7a961867ed449b283036508ac5c5 16 0x320447ed91210985e2c401cfe1a93db1379424cf748f92fd61ab5cc356bc89a2 17 0x23d23a49bbcdf8cf4c4ce8a4ff7dd87d1ad1970317686254d5b4d2ec050d019f 18 0x1601fca063f0bbbf15f198b3c20e474c2170294fa981f73365732d2372b40cd4 19 
0x7bf3f93840035e9688cfff402cee204a17c0de9779fc33503537dd78021bf4c4 20 0x311998ce59fb7e1cd6af591ece3e84dfcb1c330cbcf28c0349e37b9581452853 21 0x7ae5e41acfd28a9add2216dfed34756575a19b16984c1f3847b694326dad7f99 22 0x704957e279244a5b107a6c57bd0ab9afe5227b7c0be2052cd3513772a40efee7 23 0x56b918b5a0c583cb763550f8f71481e57c13bdcef2e5cfc8091d0821266f233b 24 0x677073fed43ab291e496f798fbcf217bac3f014e35d0c2fa07f041ae746a04d7 25 0x22225388e76f9688c7d4053b50ba41d0d8b71a2f21da8353d98472243ef50170 26 0x66930b3dffdd3995a2502cef790d78b091c875192d8074bb5d5639f736400555 27 0x79eb677c5e36971e8d64d56ebc0dedb4e9b7dd2d7b01343ebbd4d358d376e490 28 0x48a204c2ca6d8636e9994842605bd648b91b637844e38d6c7dd707edce8256e2 29 0x0fb3529b0d4b9ce2d70760f33e8ce997a58999718e9277caf48623d27ae6a788 30 0x4352604bffd0c7d7a9ed898a2c6e7cf2512ffb89407271ba1f2c2d0ead8cc5aa 31 0x6667697b29785fb6f0bd5e04d828991a5fe525370216f347ec767a26e7aac936 32 0x09fc950b083c56dbd989badf9887255e203c879f123a7cb28901e50aea6d64dc 33 0x41e51b51b5caadd1c15436bbf37596a1d7288a5f495d6b5b1ae66f8b2942b31d 34 0x073b59fec709aa1cabd429e981c6284822a8b7b07620c831ab41fd31d5cf7430 35 0x67e9b88e9a1bfbc2554107d67d814986f1b09c3107a060cba21c019a2d5dc848 36 0x6881494a1066ca176c5e174713786040affb4268b19d2abf28ef4293429f89c1 37 0x5f4d30502ff1e1ccd624e6f506569454ab771869d7483e26afc09dea0c5ccd3d 38 0x02a814cfc5859bca51e539c159955cbe729a58978b52329575d09bc6c3bf97ad 39 0x1313c8aaae20d6f4397f0d8b19e52cfcdf8d8e10fba144aec1778fd10ddf4e9c 40 0x7008d38f434b98953a996d4cc79fcbef9502411dcdf92005f725cea7ce82ad47 41 0x5a74d1296aaaa245ffb848f434531fa3ba9e5cb9098a7091d36c2777d4cf5a13 42 0x4bd3b700606397083f8038177bdaa1ac6edbba0447537582723cae0fd29341a9 43 0x573453fb2b093016f3368356c786519d54ed05f5372c01723b4da520597ec217 44 0x77f5c605bdb3a30d7d9c8840fce38650910d4418eed707a212c8927f41c2c812 45 0x16d6b9f7ff57ca32350057de1204cc6d69d4ef1b255dfef8080118e2fef6ace3 46 0x34e8595832a4021f8b5744014c6b4f7da7df0d0329e8b6b4d44c8fadad6513b7 47 0x01 H.1.2. 
Coefficients~~Appendix K.3.1 with the default square root function. J.4. Example with Wei25519.2 Pw2=(X, Y), k*Pw2=(X1, Y1), and (k+1)*Pw2=(X2, Y2) with Wei25519.2: X 17830493209951148331008014701079988862634531394137235438571836389 227198459763 (=0x276bb396 d766b695 bfe60ab1 3c0260dd c09f5bcf 7b3ca47c f21c8672 d1ecaf73). Y 21064492012933896105338241940477778461866060481408222122979836206 137075789640 (=0x2e921479 5ad47af7 784831de 572ed8e9 7e20e137 cc67378c 184ca19f f9136f48). X1 65470988951686461979789632362377759464688342154017353834939203791 39281908968 (=0x0e7986d2 e94354ab 8abd8806 3154536a 4dcf8e6e 65557183 e242192d 3b87f4e8). Y1 51489590494292183562535790579480033229043271539297275888817125227 35262330110 (=0x0b623521 c1ff84bc 1522ff26 3376796d be77fcad 1fcabc28 98f1be85 d7576cfe). X2 83741788501517200942826153677682120998854086551751663061374935388 3494226693 (=0x01d9f633 b2ac2606 9e6e93f7 6917446c 2b27c16f 729121d7 709c0a58 00ef9b05). Y2 42567334190622848157611574766896093933050043101247319937794684825 168161540336 (=0x5e1c41e1 fb74e41b 3a19ce50 e1b2caf7 7cabcbb3 0c1c1474 a4fd13e6 6c4c08f0). 
The representationof~~v(x) 0 0x0f9f5eb7134e6f8dafa30c45afa58d7bfc6d4e3ccbb5de87b562fd77403972b2 1 0x36c2dcd9e88f0d2d517a15fc453a098bbbb5a05eb6e8da906fae418a4e1a13f7 2 0x0b40078302c24fa394a834880d5bf46732ca1b4894172fb7f775821276f558b3 3 0x53dd8e2234573f7f3f7df11e90a7bdd7b75d807f9712f521d4fb18af59aa5f26 4 0x6d4d7bb08de9061988a8cf6ff3beb10e933d4d2fbb8872d256a38c74c8c2ceda 5 0x71bfe5831b30e28cd0fbe1e9916ab2291c6beacc5af08e2c9165c632e61dd2f5 6 0x7c524f4d17ff2ee88463da012fc12a5b67d7fb5bd0ab59f4bbf162d76be1c89c 7 0x758183d5e07878d3364e3fd4c863a5dc1fe723f48c4ab4273fc034f5454d59a4 8 0x1eb41ef2479444ecdccbc200f64bde53f434a02b6c3f485d32f14da6aa7700e1 9 0x1490f3851f016cc3cf8a1e3c16a53317253d232ed425297531b560d70770315c 10 0x09bc43131964e46d905c3489c9d465c3abbd26eab9371c10e429b36d4b86469c 11 0x5f27c173d94c7a413a288348d3fc88daa0bcf5af8f436a47262050f240e9be3b 12 0x1d20010ec741aaa393cd19f0133b35f067adab0d105babe75fe45c8ba2732ceb 13 0x01b3c669ae49b86be2f0c946a9ff6c48e44740d7d9804146915747c3c025996a 14 0x24c6090f79ec13e3ae454d8f0f98e0c30a8938180595f79602f2ba013b3c10db 15 0x4650c5b5648c6c43ac75a2042048c699e44437929268661726e7182a31b1532f 16 0x0957a835fb8bac3360b5008790e4c1f3389589ba74c8e8bf648b856ba7f22ba5 17 0x1cd1300bc534880f95c7885d8df04a82bd54ed3e904b0749e0e3f8cb3240c7c7 18 0x760b486e0d3c6ee0833b34b64b7ebc846055d4d1e0beeb6aedd5132399ada0ea 19 0x1c666846c63965ef7edf519d6ada738f2b676ae38ff1f4621533373931b3220e 20 0x365055118b38d4bc0df86648044affea2ef33e9a392ad336444e7d15e45585d1 21 0x736487bde4b555abfccd3ea7ddcda98eda0d7c879664117dee906a88bc551194 22 0x70de05ab9520222a37c7a84c61eedff71cb50c5f6647fc2a5d6e0ff2305cea37 23 0x59053f6cdf6517ab3fe4bd9c9271d1892f8cf353d8041b98409e1e341a01f8b5 24 0x375db54ed12fe8df9a198ea40200e812c2660b7022681d7932d89fafe7c6e88d 25 0x2a070c31d1c1a064daf56c79a044bd1cd6d13f1ddb0ff039b03a6469aaa9ed77 26 0x41482351e7f69a756a5a2c0b3fa0681c03c550341d0ca0f76c5b394db9d2de8d 27 0x747ac1109c9e9368d94a302cb5a1d23fcc7f0fd8a574efb7ddcaa738297c407a 28 
0x45682f1f2aab6358247e364834e2181ad0448bb815c587675fb2fee5a2119064 29 0x148c5bf44870dfd307317f0a0e4a8c163940bee1d2f01455a2e658aa92c13620 30 0x6add1361e56ffa2d2fbbddba284b35be5845aec8069fc28af009d53290a705ce 31 0x6631614c617400dc00f2c55357f67a94268e7b5369b02e55d5db46c935be3af5 32 0x17cffb496c64bb89d91c8c082f4c288c3c87feabd6b08591fe5a92216c094637 33 0x648ff88155969f54c955a1834ad227b93062bb191170dd8c4d759f79ad5da250 34 0x73e50900b89e5f295052b97f9d0c9edb0fc7d97b7fa5e3cfeefe33dd6a9cb223 35 0x6afcb2f2ffe6c08508477aa4956cbd3dc864257f5059685adf2c68d4f2338f00 36 0x372fd49701954c1b8f00926a8cb4b157d4165b75d53fa0476716554bf101b74c 37 0x0334ed41325f3724ff8becbf2b3443fea6d30fa543d1ca13188aceb2bdaf5f4e 38 0x70e629c95a94e8e1b3974acb25e18ba42f8d5991786f0931f650c283adfe82fd 39 0x738a625f4c62d3d645f1274e09ab344e72d441f3c0e82989d3e21e19212f23f3 40 0x7093737294b29f21522f5664a9941c9b476f75d443b647bd2c777040bcd12a6a 41 0x0a996bad5863d821ccb8b89fa329ddbe5317a46bcb32552db396bea933765436 42 0x2da237e3741b75dd0264836e7ef634fc0bc36ab187ebc790591a77c257b06f53 43 0x1902f3daa86fa4f430b57212924fdc9e40f09e809f3991a0b3a10ab186c50ee5 44 0x12baffec1bf20c921afd3cdf67a7f1d87c00d5326a3e5c83841593c214dadcb1 45 0x6460f5a68123cb9e7bc1289cd5023c0c9ccd2d98eea24484fb3825b59dcd09aa 46 0x2c7d63a868ffc9f0fd034f821d84736c5bc33325ce98aba5f0d95fef6f230ec8 47 0x756e0063349a702db7406984c285a9b6bfba48177950d4361d8efa77408dc860 48 0x037f3e30032b21e0279738e0a2b689625447831a2ccf15c638672da9aa7255ae 49 0x1107c0dbe15d6ca9e790768317a40bcf23c80f1841f03ca79dd3e3ef4ea1ae30 50 0x61ff7f25721d6206041c59a788316b09e05135a2aad94d539c65daa68b302cc2 51 0x5dbfe346cbd0d61b9a3b5c42ec0518d3ae81cabcc32245060d7b0cd982b8d071 52 0x4b6595e8501e9ec3e75f46107d2fd76511764efca179f69196eb45c0aa6fade3 53 0x72d17a5aa7bd8a2540aa9b02d9605f2a714f44abfb4c35d518b7abc39b477870 54 0x658d8c134bac37729ec40d27d50b637201abbf1ab4157316358953548c49cf22 55 0x36ac53b9118581ace574d5a08f9647e6a916f92dda684a4dbc405e2646b0243f 56 
0x1917a98f387d1e323e84a0f02d53307b1dd949e1a27b0de14514f89d9c0ef4b6 57 0x21573434fde7ce56e8777c79539479441942dba535ade8ecb77763f7eb05d797 58 0x0e0bf482dc40884719bea5503422b603f3a8edb582f52838caa6eaab6eeac7ef 59 0x3b0471eb53bd83e14fbc13928fe1691820349a963be8f7e9815848a53d03f5eb 60 0x1e92cb067b24a729c42d3abb7a1179c577970f0ab3e6b0ce8d66c5b8f7001262 61 0x74ea885c1ebed6f74964262402432ef184c42884fceb2f8dba3a9d67a1344dd7 62 0x433ebce2ce9b0dc314425cfc2b234614d3c34f2c9da9fff4fdddd1ce242d035b 63 0x33ac69e6be858dde7b83a9ff6f11de443128b39cec6e410e8d3b570e405ff896 64 0x0dab71e2ae94e6530a501ed8cf3df26731dd1d41cd81578341e12dca3cb71aa3 65 0x537f58d52d18ce5b1d5a6bd3a420e796e64173491ad43dd4d1083a7dcc7dd201 66 0x49c2f6afa93fdcc4e0f8128a8b06da4c75049be14edf3e103821ab604c60f8ae 67 0x10a333eabd6135aeaa3f5f5f7e73d102e4fd7e4bf0902fc55b00da235fa1ad08 68 0x0f5c86044bf6032f5102e601f2a0f73c7bce9384bedd120f3e72d78484179d9c 69 0x01 H.1.3. Coefficients~~k and the compressed representationsof~~w(x) 0 0x3da24d42421264f30939ff00203880f2b017eb3fecf8933ae61e18df8c8ba116 1 0x0457f20bc393cdc9a66848ce174e2fa41d77e6dbae05a317a1fb6e3ae78760f8 2 0x7f608a2285c480d5c9592c435431fae94695beef79d770bb6d029c1d10a53295 3 0x3832accc520a485100a0a1695792465142a5572bed1b2e50e1f8f662ac7289bb 4 0x2df1b0559e31b328eb34beedd5e537c3f4d7b9befb0749f75d6d0d866d26fbaa 5 0x25396820381d04015a9f655ddd41c74303ded05d54a7750e2f58006659adda28 6 0x6fa070a70ca2bc6d4d0795fb28d4990b2cc80cd72d48b603a8ac8c8268bef6a6 7 0x27f488578357388b20fbc7503328e1d10de602b082b3c7b8ceb33c29fea7a0d2 8 0x15776851a7cabcfe84c632118306915c0c15c75068a47021968c7438d46076e6 9 0x101565b08a9af015c172fb194b940a4df25c4fb1d85f72d153efc79131d45e8f 10 0x196b0ffbf92f3229fea1dac0d74591b905ccaab6b83f905ee813ee8449f8a62c 11 0x01f55784691719f765f04ee9051ec95d5deb42ae45405a9d87833855a6d95a94 12 0x628858f79cca86305739d084d365d5a9e56e51a4485d253ae3f2e4a379fa8aff 13 0x4a842dcd943a80d1e6e1dab3622a8c4d390da1592d1e56d1c14c4d3f72dd01a5 14 
0x0f3bfc9cb17a1125f94766a4097d0f1018963bc11cb7bc0c7a1d94d65e282477 15 0x1c4bd70488c4882846500691fa7543b7ef694446d9c3e3b4707ea2c99383e53c 16 0x2d7017e47b24b89b0528932c4ade43f09091b91db0072e6ebdc5e777cb215e35 17 0x781d69243b6c86f59416f91f7decaca93eab9cdc36a184191810c56ed85e0fdc 18 0x5f20526f4177357da40a18da054731d442ad2a5a4727322ba8ed10d32eca24fb 19 0x33e4cab64ed8a00d8012104fe8f928e6173c428eff95bbbe569ea46126a4f3cd 20 0x050555b6f07e308d33776922b6566829d122e19b25b7bbacbb0a4b1a7dc40192 21 0x533fa4bf1e2a2aae2f979065fdbb5b667ede2f85543fddbba146aa3a4ef2d281 22 0x5a742cac1952010fc5aba200a635a7bed3ef868194f45b5a6a2647d6d6b289d2 23 0x01 H.2. Dual Isogeny Parameters H.2.1. Coefficients~~Pw2 and k*Pw2 in tight MSB/msb-order are given by repr(k) =0x6485b7e6 cd83e5c2 0d5dbfe4 f915494d 9cf5c65d 778c32c3 c08d5abd 15e29c50; repr(Pw2) =0x276bb396 d766b695 bfe60ab1 3c0260dd c09f5bcf 7b3ca47c f21c8672 d1ecaf73; repr(k*Pw2) =0x0e7986d2 e94354ab 8abd8806 3154536a 4dcf8e6e 65557183 e242192d 3b87f4e8, where the leftmost bit of the leftmost octet indicates the parityof~~u'(x) 0 0x0f0eddb584a20aaac8f1419efdd02a5cca77b21e4cfae78c49b5127d98bc5882 1 0x7115e60d44a58630417df33dd45b8a546fa00b79fea3b2bdc449694bade87c0a 2 0x0b3f3a6f3c445c7dc1f91121275414e88c32ff3f367ba0edad4d75b7e7b94b65 3 0x1eb31bb333d7048b87f2b3d4ec76d69035927b41c30274368649c87c52e1ab30 4 0x552c886c2044153e280832264066cce2a7da1127dc9720e2a380e9d37049ac64 5 0x4504f27908db2e1f5840b74ae42445298755d9493141f5417c02f04d47797dda 6 0x082c242cce1eb19698a4fa30b5affe64e5051c04ae8b52cb68d89ee85222e628 7 0x480473406add76cf1d77661b3ff506c038d9cdd5ad6e1ea41969430bb876d223 8 0x25f47bb506fba80c79d1763365fa9076d4c4cb6644f73ed37918074397e88588 9 0x10f13ed36eab593fa20817f6bb70cac292e18d300498f6642e35cbdf772f0855 10 0x7d28329d695fb3305620f83a58df1531e89a43c7b3151d16f3b60a8246c36ade 11 0x02c5ec8c42b16dc6409bdd2c7b4ffe9d65d7209e886badbd5f865dec35e4ab4a 12 0x7f4f33cd50255537e6cde15a4a327a5790c37e081802654b56c956434354e133 13 
0x7d30431a121d9240c761998cf83d228237e80c3ef5c7191ec9617208e0ab8cec 14 0x4d2a7d6609610c1deed56425a4615b92f70a507e1079b2681d96a2b874cf0630 15 0x74676df60a9906901d1dc316c639ff6ae0fcdb02b5571d4b83fc2eedcd2936a8 16 0x22f8212219aca01410f06eb234ed53bd5b8fbe7c08652b8002bcd1ea3cdae387 17 0x7edb04449565d7c566b934a87fadade5515f23bda1ce25daa19fff0c6a5ccc2f 18 0x106ef71aa3aa34e8ecf4c07a67d03f0949d7d015ef2c1e32eb698dd3bec5a18c 19 0x0017913eb705db126ac3172447bcd811a62744d505ad0eea94cfcfdde5ca7428 20 0x2cc793e6d3b592dcf5472057a991ff1a5ab43b4680bb34c0f5faffc5307827c1 21 0x6dafcc0b16f98300cddb5e0a7d7ff04a0e73ca558c54461781d5a5ccb1ea0122 22 0x7e418891cf222c021b0ae5f5232b9c0dc8270d4925a13174a0f0ac5e7a4c8045 23 0x76553bd26fecb019ead31142684789fea7754c2dc9ab9197c623f45d60749058 24 0x693efb3f81086043656d81840902b6f3a9a4b0e8f2a5a5edf5ce1c7f50a3898e 25 0x46c630eac2b86d36f18a061882b756917718a359f44752a5caf41be506788921 26 0x01dcfa01773628753bc6f448ac11be8a3bffa0011b9284967629b827e064f614 27 0x08430b5b97d49b0938d1f66ecb9d2043025c6eec624f8f02042b9621b2b5cb19 28 0x66f66a6669272d47d3ec1efea36ee01d4a54ed50e9ec84475f668a5a9850f9be 29 0x539128823b5ef3e87e901ab22f06d518a9bad15f5d375b49fe1e893ab38b1345 30 0x2bd01c49d6fff22c213a8688924c10bf29269388a69a08d7f326695b3c213931 31 0x3f7bea1baeccea3980201dc40d67c26db0e3b15b5a19b6cdac6de477aa717ac1 32 0x6e0a72d94867807f7150fcb1233062f911b46e2ad11a3eac3c6c4c91e0f4a3fa 33 0x5963f3cc262253f56fc103e50217e7e5b823ae8e1617f9e11f4c9c595fbb5bf6 34 0x41440b6fe787777bc7b63afac9f4a38ddadcebc3d72f8fc73835247ba05f3a1d 35 0x66d185401c1d2d0b84fcf6758a6a985bf9695651271c08f4b69ce89175fb7b34 36 0x2673fb8c65bc4fe41905381093429a2601c46a309c03077ca229bac7d6ccf239 37 0x1ce4d895ee601918a080de353633c82b75a3f61e8247763767d146554dd2f862 38 0x18efa6c72fa908347547a89028a44f79f22542baa588601f2b3ed25a5e56d27c 39 0x53de362e2f8ff220f8921620a71e8faa1aa57f8886fcbb6808fa3a5560570543 40 0x0dc29a73b97f08aa8774911474e651130ed364e8d8cffd4a80dee633aacecc47 41 
0x4e7eb8584ae4de525389d1e9300fc4480b3d9c8a5a45ecfbe33311029d8f6b99 42 0x6c3cba4aa9229550fa82e1cfaee4b02f2c0cb86f79e0d412b8e32b00b7959d80 43 0x5a9d104ae585b94af68eeb16b1349776b601f97b7ce716701645b1a75b68dcf3 44 0x754e014b5e87af035b3d5fe6fb49f4631e32549f6341c6693c5172a6388e273e 45 0x6710d8265118e22eaceba09566c86f642ab42da58c435083a353eaa12d866c39 46 0x6e88ac659ce146c369f8b24c3a49f8dca547827250cf7963a455851cfc4f8d22 47 0x0971eb5f253356cd1fde9fb21f4a4902aa5b8d804a2b57ba775dc130181ae2e8 H.2.2. Coefficients~~the Y-coordinateof~~v'(x) 0 0x043c9b67cc5b16e167b55f190db61e44d48d813a7112910f10e3fd8da85d61d3 1 0x72046db07e0e7882ff3f0f38b54b45ca84153be47a7fd1dd8f6402e17c47966f 2 0x1593d97b65a070b6b3f879fe3dc4d1ef03c0e781c997111d5c1748f956f1ffc0 3 0x54e5fec076b8779338432bdc5a449e36823a0a7c905fd37f232330b026a143a0 4 0x46328dd9bc336e0873abd453db472468393333fbf2010c6ac283933216e98038 5 0x25d0c64de1dfe1c6d5f5f2d98ab637d8b39bcf0d886a23dabac18c80d7eb03ce 6 0x3a175c46b2cd8e2b313dde2d5f3097b78114a6295f283cf58a33844b0c8d8b34 7 0x5cf4e6f745bdd61181a7d1b4db31dc4c30c84957f63cdf163bee5e466a7a8d38 8 0x639071c39b723eea51cfd870478331d60396b31f39a593ebdd9b1eb543875283 9 0x7ea8f895dcd85fc6cb2b58793789bd9246e62fa7a8c7116936876f4d8dff869b 10 0x503818acb535bcaacf8ad44a83c213a9ce83af7c937dc9b3e5b6efedc0a7428c 11 0x0e815373920ec3cbf3f8cae20d4389d367dc4398e01691244af90edc3e6d42b8 12 0x7e4b23e1e0b739087f77910cc635a92a3dc184a791400cbceae056c19c853815 13 0x145322201db4b5ec0a643229e07c0ab7c36e4274745689be2c19cfa8a702129d 14 0x0fde79514935d9b40f52e33429621a200acc092f6e5dec14b49e73f2f59c780d 15 0x37517ac5c04dc48145a9d6e14803b8ce9cb6a5d01c6f0ad1b04ff3353d02d815 16 0x58ae96b8eefe9e80f24d3b886932fe3c27aaea810fa189c702f93987c8c97854 17 0x6f6402c90fa379096d5f436035bebc9d29302126e9b117887abfa7d4b3c5709a 18 0x01dbdf2b9ec09a8defeb485cc16ea98d0d45c5b9877ff16bd04c0110d2f64961 19 0x53c51706af523ab5b32291de6c6b1ee7c5cbd0a5b317218f917b12ff38421452 20 0x1b1051c7aec7d37a349208e3950b679d14e39f979db4fcd7b50d7d27dc918650 21 
0x1547e8d36262d5434cfb029cdd29385353124c3c35b1423c6cca1f87910b305b 22 0x198efe984efc817835e28f704d41e4583a1e2398f7ce14045c4575d0445c6ce7 23 0x492276dfe9588ee5cd9f553d990f377935d721822ecd0333ce2eb1d4324d539c 24 0x77bad5319bacd5ed99e1905ce2ae89294efa7ee1f74314e4095c618a4e580c9b 25 0x2cb3d532b8eac41c61b683f7b02feb9c2761f8b4286a54c3c4b60dd8081a312e 26 0x37d189ea60443e2fee9b7ba8a34ed79ff3883dcefc06592836d2a9dd2ee3656e 27 0x79a80f9a0e6b8ded17a3d6ccf71eb565e3704c3543b77d70bca854345e880aba 28 0x47718530ef8e8c75f069acb2d9925c5537908e220b28c8a2859b856f46d5f8db 29 0x7dc518f82b55a36b4fa084b05bf21e3efce481d278a9f5c6a49701e56dac01ec 30 0x340a318dad4b8d348a0838659672792a0f00b7105881e6080a340f708a9c7f94 31 0x55f04d9d8891636d4e9c808a1fa95ad0dae7a8492257b20448023aad3203278e 32 0x39dc465d58259f9f70bb430d27e2f0ab384a550e1259655443e14bdecba85530 33 0x757385464cff265379a1adfadfd6f6a03fa8a2278761d4889ab097eff4d1ac28 34 0x4d575654dbe39778857f4e688cc657416ce524d54864ebe8995ba766efa7ca2b 35 0x47adb6aecc1949f2dc9f01206cc23eb4a0c29585d475dd24dc463c5087809298 36 0x30d39e8b0c451a8fcf3d2abab4b86ffa374265abbe77c5903db4c1be8cec7672 37 0x28cf47b39112297f0daeaa621f8e777875adc26f35dec0ba475c2ee148562b41 38 0x36199723cc59867e2e309fe9941cd33722c807bb2d0a06eeb41de93f1b93f2f5 39 0x5cdeb1f2ee1c7d694bdd884cb1c5c22de206684e1cafb8d3adb9a33cb85e19a2 40 0x0f6e6b3fc54c2d25871011b1499bb0ef015c6d0da802ae7eccf1d8c3fb73856c 41 0x0c1422c98b672414344a9c05492b926f473f05033b9f85b8788b4bb9a080053c 42 0x19a8527de35d4faacb00184e0423962247319703a815eecf355f143c2c18f17f 43 0x7812dc3313e6cf093da4617f06062e8e8969d648dfe6b5c331bccd58eb428383 44 0x61e537180c84c79e1fd2d4f9d386e1c4f0442247605b8d8904d122ee7ef9f7be 45 0x544d8621d05540576cfc9b58a3dab19145332b88eb0b86f4c15567c37205adf9 46 0x11be3ef96e6e07556356b51e2479436d9966b7b083892b390caec22a117aa48e 47 0x205cda31289cf75ab0759c14c43cb30f7287969ea3dc0d5286a3853a4d403187 48 0x048d8fc6934f4f0a99f0f2cc59010389e2a0b20d6909bfcf8d7d0249f360acdc 49 
0x42cecc6d9bdca6d382e97fcea46a79c3eda2853091a8f399a2252115bf9a1454 50 0x0117d41b24f2f69cb3270b359c181607931f62c56d070bbd14dc9e3f9ab1432e 51 0x7c51564c66f68e2ad4ce6ea0d68f920fafa375376709c606c88a0ed44207aa1e 52 0x48f25191fc8ac7d9f21adf6df23b76ccbca9cb02b815acdbebfa3f4eddc71b34 53 0x4fc21a62c4688de70e28ad3d5956633fc9833bc7be09dc7bc500b7fae1e1c9a8 54 0x1f23f25be0912173c3ef98e1c9990205a69d0bf2303d201d27a5499247f06789 55 0x3131495618a0ac4cb11a702f3f8bab66c4fa1066d0a741af3c92d5c246edd579 56 0x0d93fe40faa53913638e497328a1b47603cb062c7afc9e96278603f29fd11fd4 57 0x6b348bc59e984c91d696d1e3c3cfae44021f06f74798c787c355437fb696093d 58 0x65af00e73043edcb479620c8b48098b89809d577a4071c8e33e8678829138b8a 59 0x5e62ffb032b2ddb06591f86a46a18effd5d6ecf3f129bb2bacfd51a3739a98b6 60 0x62c974ef3593fc86f7d78883b8727a2f7359a282cbc0196948e7a793e60ce1a1 61 0x204d708e3f500aad64283f753e7d9bab976aa42a4ca1ce5e9d2264639e8b1110 62 0x0a90f0059da81a012e9d0a756809fab2ce61cb45965d4d1513a06227783ee4ea 63 0x39fa55971c9e833f61139c39e243d40869fd7e8a1417ee4e7719dd2dd242766f 64 0x22677c1e659caa324f0c74a013921facf62d0d78f273563145cc1ddccfcc4421 65 0x3468cf6df7e93f7ff1fe1dd7e180a89dec3ed4f72843b4ea8a8d780011a245b2 66 0x68f75a0e2210f52a90704ed5f511918d1f6bcfcd26b462cc4975252369db6e9d 67 0x6220c0699696e9bcab0fe3a80d437519bd2bdf3caef665e106b2dd47585ddd9f 68 0x553ad47b129fb347992b576479b0a89f8d71f1196f83e5eaab5f533a1dd6f6d7 69 0x239aef387e116ec8730fa15af053485ca707650d9f8917a75f22acf6213197df H.2.3. Coefficients~~the point of Wei25519.2 in question (which, in this case, are both zero, since Y and Y1 are even). See Appendix Appendix H.1 and Appendix I for further detail on (squeezed) point compression. 
A randomized representation (t1, t2)of~~w'(x) 0 0x6bd7f1fc5dd51b7d832848c180f019bcbdb101d4b3435230a79cc4f95c35e15e 1 0x17413bb3ee505184a504e14419b8d7c8517a0d268f65b0d7f5b0ba68d6166dd0 2 0x47f4471beed06e5e2b6d5569c20e30346bdba2921d9676603c58e55431572f90 3 0x2af7eaafd04f6910a5b01cdb0c27dca09487f1cd1116b38db34563e7b0b414eb 4 0x57f0a593459732eef11d2e2f7085bf9adf534879ba56f7afd17c4a40d3d3477b 5 0x4da04e912f145c8d1e5957e0a9e44cca83e74345b38583b70840bdfdbd0288ed 6 0x7cc9c3a51a3767d9d37c6652c349adc09bfe477d99f249a2a7bc803c1c5f39ed 7 0x425d7e58b8adf87eebf445b424ba308ee7880228921651995a7eab548180ad49 8 0x48156db5c99248234c09f43fedf509005943d3d5f5d7422621617467b06d314f 9 0x0d837dbbd1af32d04e2699cb026399c1928472aa1a7f0a1d3afd24bc9923456a 10 0x5b8806e0f924e67c1f207464a9d025758c078b43ddc0ea9afe9993641e5650be 11 0x29c91284e5d14939a6c9bc848908bd9df1f8346c259bbd40f3ed65182f3a2f39 12 0x25550b0f3bceef18a6bf4a46c45bf1b92f22a76d456bfdf19d07398c80b0f946 13 0x495d289b1db16229d7d4630cb65d52500256547401f121a9b09fb8e82cf01953 14 0x718c8c610ea7048a370eabfd9888c633ee31dd70f8bcc58361962bb08619963e 15 0x55d8a5ceef588ab52a07fa6047d6045550a5c52c91cc8b6b82eeb033c8ca557d 16 0x620b5a4974cc3395f96b2a0fa9e6454202ef2c00d82b0e6c534b3b1d20f9a572 17 0x4991b763929b00241a1a9a68e00e90c5df087f90b3352c0f4d8094a51429524e 18 0x18b6b49c5650fb82e36e25fd4eb6decfdd40b46c37425e6597c7444a1b6afb4e 19 0x6868305b4f40654460aad63af3cb9151ab67c775eaac5e5df90d3aea58dee141 20 0x16bc90219a36063a22889db810730a8b719c267d538cd28fa7c0d04f124c8580 21 0x3628f9cf1fbe3eb559854e3b1c06a4cd6a26906b4e2d2e70616a493bba2dc574 22 0x64abcc6759f1ce1ab57d41e17c2633f717064e35a7233a6682f8cf8e9538afec 23 0x01~~the point k*Pw2 in tight MSB/ msb order is given by t1 416669672354928148679758598803660112405431159793278161879 36189858804289581274 (=0x5c1eaaef 80f9d4af 33c119fc c99acd58 f81e7d69 999c7048 e4043a77 87a930da) t2 361115271162391608083096560179337391059615651279123199921 18531180247832114098 (=0x4fd66668 e7174775 de44c852 92df8cfe b9832ef8 
2570b3b8 fe5ec21a b2d4b3b2), where this representation is defined inAppendix~~I. Point Compression Point compression allows a shorter~~K.5 and uses the mapping of Appendix K.3.1 with the default square root function. J.5. Example with Wei25519.-3 Pw3=(X, Y), k*Pw3=(X1, Y1), and (k+1)*Pw3=(X2, Y2) with Wei25519.-3: X 14780197759513083469009623947734627174363231692126610860256057394 455099634096 (=0x20ad4ba4 612f0586 221787b0 d01ba46c d1d8cd5a 0348ef00 eb4c9272 03ca71b0). Y 45596733430378470319805536538617129933663237960146030424392249401 952949482817 (=0x64ced628 e982648e 4bfcf30c 71c4d267 ba48b0ce fee20062 b43ef4c9 73f7b541). X1 47362979975244556396292400751828272600887612546997532158738958926 60745725532 (=0x0a78a650 a39995ef dcf4de88 940d4ce9 5b2ca35c c5d70e06 63b8455e 2e04e65c). Y1 30318112837157047703426636957515037640997356617656007157255559136 153389790354 (=0x4307719a 20d08741 58d5889e 8c8ec27e 246b0342 55f8fd62 dbc9ca09 e79c7492). X2 23778942085873786433506063022059853212880296499622328201295446580 293591664363 (=0x3492677e 6ae9d1c3 e08f908b 61033f3d 4e8322c9 fba6da81 2c95b067 9b1486eb). Y2 44846366394651736248316749170687053272682847823018287439056537991 969511150494 (=0x632624d4 ab94c83a 796511c0 5f5412a3 876e56d2 ed18eca3 21b95bef 7bf9939e). Therepresentation of~~affine points~~k and the compressed representations of Pw3 and k*Pw3 in tight MSB/msb-order are given by repr(k) =0x6485b7e6 cd83e5c2 0d5dbfe4 f915494d 9cf5c65d 778c32c3 c08d5abd 15e29c50; repr(Pw3) =0xa0ad4ba4 612f0586 221787b0 d01ba46c d1d8cd5a 0348ef00 eb4c9272 03ca71b0; repr(k*Pw3) =0x0a78a650 a39995ef dcf4de88 940d4ce9 5b2ca35c c5d70e06 63b8455e 2e04e65c, where the leftmost bit of the leftmost octet indicates the parity of the Y-coordinateof~~an elliptic curve by exploiting algebraic relationships between~~the~~coordinate values based~~point of Wei25519.-3 in question (which, in this case, are one and zero, respectively, since Y is odd and Y1 is even). 
See Appendix H.1 and Appendix I for further detailon(squeezed) point compression. A randomized representation (t1, t2) ofthe~~defining equation~~point k*Pw3 in tight MSB/ msb order is given by t1 573714937613596601525680684642155667097217474964816246889 88981227297409008259 (=0x7ed71d5f 566d2259 99bdb404 bfb9d6cf d2e86ccb 1894d4a6 c75e3c69 e5eb0283) t2 269945781324580189815142015663892935722419453863927287235 57891665397640090729 (=0x3bae63c8 70f60de0 c2e35f94 d24220f1 bb6efd00 37625869 f84923de ff4c5469), where this representation is defined in Appendix K.5 and uses the mappingofAppendix K.3.1 withthedefault square root function. Appendix K. Auxiliary Functions This section illustrates how one could implement common routines, such as taking square roots and inverses in finite fields, and how to map field elements to curve points and tocurvepoints that avoid some outliers. K.1. Square Roots in GF(q) Square roots are easy to compute in GF(q) if q = 3 (mod 4) (see Appendix K.1.1) or if q = 5 (mod 8) (see Appendix K.1.2). Details on how to compute square roots for other values of q are out of scope. If square roots are easy to compute in GF(q), then so are these in GF(q^2). K.1.1. Square Roots in GF(q), where q = 3 (mod 4) If y is a nonzero element of GF(q) and z:=y^{(q-3)/4}, then y is a square in GF(q) only if y*z^2=1. If y*z^2=1, z is a square root of 1/y and y*z is a square root of y in GF(q). K.1.2. Square Rootsin~~question. Point decompression refers to the reverse process,~~GF(q),where~~one tries~~q = 5 (mod 8) If y is a nonzero element of GF(q)and~~recover the affine point from its compressed representation~~z:=y^{(q-5)/8}, then y is a square in GF(q) only if y^2*z^4=1. a. If y*z^2=+1, z is a square root of 1/yand~~information on the domain parameters~~y*z is a square rootof~~the curve. Consequently, point compression followed by point decompression~~y in GF(q); b. If y*z^2=-1, i*zis~~the identity map. 
The description below makes use~~a square rootof~~an auxiliary function (the parity function), which we first define for prime fields GF(p)~~1/yand~~then extend to all fields GF(q), where q~~i*y*z is a square root of y in GF(q). Here, iis an~~odd prime power. We assume each finite~~element of GF(q) for which i^2=-1 (e.g., i:=2^{(q-1)/4}). Thisfield~~to~~element canbe~~unambiguously defined. Let~~precomputed. K.2. Inversion Ify~~be~~is an integer and gcd(y,n)=1, one can efficiently compute 1/y (mod n) via the extended Euclidean Algorithm (see Section 2.2.5 of [GECC]). One can use this algorithm as well to compute the inverse ofa nonzero elementyof~~GF(q). If q:=p is an odd~~aprime~~number,~~field GF(p), since gcd(y,p)=1. The inverse of a nonzero elementy~~and p-y~~of GF(q)can be~~uniquely represented~~computedas~~integers~~1/y:=y^{q-2} (since y^{q-1}=1). If inverses are easy to computein~~the interval [1,p-1]~~GF(q), then so are these in GF(q^2). Further details are out of scope. The inverses of two nonzero elements y1and~~have odd sum p. Consequently, one can distinguish y from -y via~~y2 of GF(q) can be computed by first computingthe~~parity~~inverse zof~~this representation, i.e., via par(y):=y (mod 2). If q:=p^m, where p is an odd prime number~~y1*y2and~~where m>0, both y~~by subsequently computing y2*z=:1/y1and~~-y~~y1*z=:1/y2. K.3. Mappings to Curve Points Onecan~~be uniquely represented as vectors~~map elementsof~~length m, with coefficients~~GF(q) that are not a squarein~~GF(p)~~GF(q) to points of a Weierstrass curve(see Appendix~~B.2). In this case, the leftmost nonzero coordinate values~~K.3.1), to pointsof~~y and -y are in the same position and have representations in [1,p-1] with different parity. As~~a~~result, one can distinguish y from -y via the parity of the representation~~Montgomery curve (see Appendix K.3.2), or to pointsof~~this coordinate value. 
This extends~~a twisted Edwards curve (see Appendix K.3.3), under some mild conditions onthe~~definition~~domain parameters. Full details on mappings that apply if these conditions are not satisfied are outof~~the parity function~~scope. K.3.1. Mappingto~~any odd-size field GF(q), where one defines par(0):=0. I.1. Point Compression for~~Points ofWeierstrass~~Curves If P:=(X, Y) is an affine point~~Curve The description below assumes that the domain parameters a and bof the Weierstrass curve W_{a,b}~~defined over the field GF(q), then so is -P:=(X, -Y). Since the defining equation Y^2=X^2+a*X+b has at most two solutions with fixed X-value, one can represent P by its X-coordinate and one bit~~are nonzero. For easeof~~information~~exposition, we define f(z):=z^3+a*z+b. (Notethat~~allows one to distinguish P from -P, i.e., one can represent P as the ordered pair compr(P):=(X, par(Y)). If P is a~~for an affinepoint(X,Y)of~~order two,~~W_{a,b}one~~can uniquely represent P by its X-coordinate alone, since Y=0 and~~has~~fixed parity. Conversely, given the ordered pair (X, t), where X~~Y^2=f(X).) If tis an element of GF(q)that is not a square in GF(q)and~~where t=0 or t=1, and the domain parameters of~~that is unequal to -1, thenthe~~curve, one can use~~element X:=(-b/a)*(1+1/(t+t^2)) isthe~~defining equation~~unique solutionof the~~curve to try~~equation f(t*X)=t^3*f(X)and~~determine candidate values for~~is nonzero. Consequently, either X or X':=t*X isthe~~Y-coordinate given X, by solving~~x-coordinate of an affine point of W{a,b}, depending on whether f(X) is a square in GF(q). a. If f(X) is a square in GF(q) and Y:=sqrt(f(X)), then t is mapped tothe~~quadratic equation Y^2:=alpha, where alpha:=X^3+a*X+b.~~point P(t):=(X, Y); b.If~~alpha~~f(X)is not a square in~~GF(q),~~GF(q) and Y':=sqrt(f(X')), then t is mapped to the point P(t):=(X', -Y'). 
Formally, this mapping is not properly defined, since a nonzero square y:=x^2 in GF(q) has two solutions, viz. x and -x; it is properly defined, however, if one designates for each element in GF(q) that is a square in GF(q) precisely one square root as "the" square root of this element. Note that always picking the square root with zero parity (see Appendix H) satisfies this condition (henceforth called the default square root function). If -1 is not a square in GF(q), this element is mapped to the point at infinity O of W_{a,b}. The set of points of W_{a,b} that arises this way has size roughly 3/8 of the order of the curve and each such point arises as image of one or two t values. Further details are out of scope.

NOTE 1: If -1 is not a square in GF(q), the mapping above yields the point at infinity for t=-1. One can modify this mapping to always yield an affine point, by mapping the element -1 to, e.g., the base point G of W_{a,b} and leaving the remainder of the mapping the same. Suitability of such a modification is application-specific. Details are out of scope.

NOTE 2: The description above assumes that the domain parameters a and b of the Weierstrass curve W_{a,b} are nonzero. If this is not the case, one can often find an isogenous curve W_{a',b'} for which the domain parameters a' and b' are nonzero. If so, one can map elements of GF(q) that are not a square in GF(q) to points of W_{a,b} via function composition, where one uses the mapping above to arrive at a point of W_{a',b'} and where one subsequently uses the dual isogeny from W_{a',b'} to W_{a,b} to arrive at a point of W_{a,b}. As an example, one can show that if a is zero and if -4*b is not a cube in GF(q) (such as is the case with, e.g., the "BitCoin" curve secp256k1 [SEC2]), this curve is 3-isogenous to a curve with this property and the strategy above applies (for an example with secp256k1, see Appendix L). Further details are out of scope.

K.3.2. Mapping to Points of Montgomery Curve

The description below assumes that the domain parameter A of the Montgomery curve M_{A,B} is nonzero. For ease of exposition, we define f(z):=z^3+A*z^2+z. (Note that for an affine point (u,v) of M_{A,B} one has B*v^2=f(u).) If t is an element of GF(q) that is not a square in GF(q) and that is unequal to -1, then the element u:=-(1+1/t)/A is the unique nonzero solution of the equation f(t*u)=t^3*f(u). Consequently, either u or u':=t*u is the u-coordinate of an affine point of M_{A,B}, depending on whether f(u)/B is a square in GF(q).

a. If f(u)/B is a square in GF(q) and v:=sqrt(f(u)/B), then t is mapped to the point P(t):=(u, v);

b. If f(u)/B is not a square in GF(q) and v':=sqrt(f(u')/B), then t is mapped to the point P(t):=(u', -v').

As before, formally, this mapping is not properly defined, since a nonzero square y:=x^2 in GF(q) has two solutions, viz. x and -x; it is properly defined, however, if one designates for each element in GF(q) that is a square in GF(q) precisely one square root as "the" square root of this element. Note that always picking the square root with zero parity (see Appendix H) satisfies this condition (henceforth called the default square root function). If -1 is not a square in GF(q), this element is mapped to the point at infinity O of M_{A,B}. The set of points of M_{A,B} that arises this way has size roughly 1/2 of the order of the curve and each such point arises as image of precisely one t value. Further details are out of scope.

NOTE 1: If -1 is not a square in GF(q), the mapping above yields the point at infinity for t=-1. One can modify this mapping to always yield an affine point, by mapping the element -1 to, e.g., the base point G of M_{A,B} and leaving the remainder of the mapping the same. Suitability of such a modification is application-specific. Details are out of scope.

NOTE 2: The description above assumes that the domain parameter A of the Montgomery curve is nonzero. If this is not the case, the curve is a Weierstrass curve for which the domain parameter b is zero and Note 2 of Appendix K.3.1 applies. If q = 3 (mod 4), an even simpler approach is possible, where one modifies the construction above and simply takes u:=t and u':=-t (which works, since -1 is not a square in GF(q) and f(-t)=-f(t)). In this case, this construction can be extended to all elements t of GF(q) and, if so, yields a 1-1 mapping between GF(q) and all affine curve points.

K.3.3. Mapping to Points of Twisted Edwards Curve

One can map elements of GF(q) that are not a square in GF(q) to points of the twisted Edwards curve E_{a,d} via function composition, where one uses the mapping of Appendix K.3.1 to arrive at a point of the Weierstrass curve W_{a,b} and where one subsequently uses the isomorphic mapping between twisted Edwards curves and Weierstrass curves of Appendix D.3 to arrive at a point of E_{a,d}. Another mapping is obtained by function composition, where one instead uses the mapping of Appendix K.3.2 to arrive at a point of the Montgomery curve M_{A,B} and where one subsequently uses the isomorphic mapping between twisted Edwards curves and Montgomery curves of Appendix D.1 to arrive at a point of E_{a,d}. Obviously, one can use function composition (now using the respective pre-images - if these exist) to realize the pre-images of either mapping.

K.4. Mappings to High-Order Curve Points

Appendix K.3 described how one can map elements of GF(q) that are not a square in GF(q) to points of a Weierstrass curve, to points of a Montgomery curve, or to points of a twisted Edwards curve, under some mild conditions on the domain parameters. Below, we use the mappings of that appendix and the parity function par(.) specified in Appendix H to construct mappings to high-order curve points only (i.e., mappings that avoid points in the small subgroup, see Appendix B.1). We consider mappings to high-order points of a Weierstrass curve (see Appendix K.4.1), to high-order points of a Montgomery curve (see Appendix K.4.2), and to high-order points of a twisted Edwards curve (see Appendix K.4.3). As before, full details on mappings that apply if the mild conditions on the domain parameters are not satisfied are out of scope.

K.4.1. Mapping to High-Order Points of Weierstrass Curve

The description below assumes that the domain parameters a and b of the Weierstrass curve W_{a,b} are nonzero. For ease of exposition, we define f(z):=z^3+a*z+b. (Note that for an affine point (X,Y) of W_{a,b} one has Y^2=f(X).) If t is an element of GF(q) that is not a square in GF(q) and that is unequal to -1, the mapping of Appendix K.3.1 yields an affine point P(t):=(X, Y) of W_{a,b}. Let P0:=(X0, Y0) be a fixed affine point of W_{a,b} for which neither P0, P0 + P(t), nor P0 - P(t) is in the small subgroup of W_{a,b}. (Note that this implies that P0 and P(t) are distinct affine points of the curve and that these are not each other's inverse.) For binary digit s, the point Q(t,s) is now defined as follows:

a. If par(Y0*Y)=s, then the pair (t,s) is mapped to the point Q(t,s):=P0 + P(t);

b. If par(Y0*Y)<>s, then the pair (t,s) is mapped to the point Q(t,s):=P0 - P(t).

Note that this mapping is properly defined as long as the fixed point P0 (the so-called "curve offset") alluded to above indeed exists.
In cases of practical interest that we are aware of, this is indeed the case (see, e.g., Table 1). If -1 is not a square in GF(q), the pair (-1,s) is mapped to the affine point P0 of W_{a,b} (irrespective of the value of s). The set of points of W_{a,b} that arises this way has size roughly 3/8 of the order of the curve and each such point arises as image of up to four values of the pair (t,s). Further details are out of scope.

From the group law for Weierstrass curves (see Appendix C.1) it follows that one can express the coordinates of Q(t,s), with t<>-1, in terms of the X-coordinates of P0 and P(t) and the product of their Y-coordinates. (Here, observe that Y0*Y is a square root of f(X0)*f(X).) Thus, Q(t,s) can be computed without the need to fully compute P(t).

K.4.2. Mapping to High-Order Points of Montgomery Curve

The description below assumes that the domain parameters A and B of the Montgomery curve M_{A,B} are nonzero. For ease of exposition, we define f(z):=z^3+A*z^2+z. (Note that for an affine point (u,v) of M_{A,B} one has B*v^2=f(u).) If t is an element of GF(q) that is not a square in GF(q) and that is unequal to -1, the mapping of Appendix K.3.2 yields an affine point P(t):=(u, v) of M_{A,B}. Let P0:=(u0, v0) be a fixed affine point of M_{A,B} for which neither P0, P0 + P(t), nor P0 - P(t) is in the small subgroup of M_{A,B}. (Note that this implies that P0 and P(t) are distinct affine points of the curve and that these are not each other's inverse.) For binary digit s, the point Q(t,s) is now defined as follows:

a. If par(B*v0*v)=s, then the pair (t,s) is mapped to the point Q(t,s):=P0 + P(t);

b. If par(B*v0*v)<>s, then the pair (t,s) is mapped to the point Q(t,s):=P0 - P(t).

Note that this mapping is properly defined as long as the fixed point P0 (the so-called "curve offset") alluded to above indeed exists. In cases of practical interest that we are aware of, this is indeed the case (see, e.g., Table 1). If -1 is not a square in GF(q), the pair (-1,s) is mapped to the affine point P0 of M_{A,B} (irrespective of the value of s). The set of points of M_{A,B} that arises this way has size roughly 1/2 of the order of the curve and each such point arises as image of up to two values of the pair (t,s). Further details are out of scope.

From the group law for Montgomery curves (see Appendix C.2) it follows that one can express the coordinates of Q(t,s), with t<>-1, in terms of the u-coordinates of P0 and P(t) and the product of their v-coordinates. (Here, observe that B*v0*v is a square root of f(u0)*f(u).) Thus, Q(t,s) can be computed without the need to fully compute P(t).
+----------------------------+------------------------+
| Curve                      | Fixed curve offset P0  |
+----------------------------+------------------------+
| NIST P-224 [FIPS-186-4]    | Base point (Gx,Gy)     |
| NIST P-256 [FIPS-186-4]    | P0:=(0,y) with y even  |
| NIST P-384 [FIPS-186-4]    | P0:=(0,y) with y even  |
| NIST P-521 [FIPS-186-4]    | P0:=(0,y) with y even  |
| Brainpool224r1 [RFC5639]   | Base point (Gx, Gy)    |
| Brainpool256r1 [RFC5639]   | Base point (Gx, Gy)    |
| Brainpool320r1 [RFC5639]   | Base point (Gx, Gy)    |
| Brainpool384r1 [RFC5639]   | Base point (Gx, Gy)    |
| Brainpool512r1 [RFC5639]   | P0:=(3,y), y even      |
| Curve25519 [RFC7748]       | P0:=(90,v), v even     |
| Curve448 [RFC7748]         | P0:=(50,v), v even     |
| Wei25519 [Appendix E.3]    | P0:=(3,y), y even      |
| Wei25519.2 [Appendix G.3]  | P0:=(244,y), y even    |
| Wei25519.-3 [Appendix G.3] | P0:=(41,y), y even     |
| secp256k1.m [Appendix L.3] | P0:=(0,y), y even      |
+----------------------------+------------------------+

Table 1: Curve offsets P0 for mappings that avoid low-order points

K.4.3. Mapping to High-Order Points of Twisted Edwards Curve

One can map elements of GF(q) that are not a square in GF(q) to points of the twisted Edwards curve E_{a,d} via function composition, where one uses the mapping of Appendix K.4.1 to arrive at a point of the Weierstrass curve W_{a,b} that does not have low order and where one subsequently uses the isomorphic mapping between twisted Edwards curves and Weierstrass curves of Appendix D.3 to arrive at a point of E_{a,d} with this property. Another mapping is obtained by function composition, where one instead uses the mapping of Appendix K.4.2 to arrive at a point of the Montgomery curve M_{A,B} that does not have low order and where one subsequently uses the isomorphic mapping between twisted Edwards curves and Montgomery curves of Appendix D.1 to arrive at a point of E_{a,d} with this property. Obviously, one can use function composition (now using the respective pre-images - if these exist) to realize the pre-images of either mapping.

K.5. Randomized Representation of Curve Points

The mappings of Appendix K.3 allow one to represent a curve point Q as a specific element t of GF(q), provided this point arises as a point in the range of the mapping at hand. For Montgomery curves and twisted Edwards curves, this covers roughly half of the curve points; for Weierstrass curves, roughly 3/8 of the curve points. One can extend the mappings above, by mapping a pair (t1, t2) of inputs to the point Q:=P2(t1, t2):=P(t1) + P(t2). In this case, each curve point has roughly q/4 representations as an ordered pair (t1, t2) on average.
In fact, one can show that if the input pairs are generated uniformly at random, then the corresponding curve points follow a distribution that is also (statistically indistinguishable from) a uniform distribution, and vice-versa. Here, each pair (t1, t2) deterministically yields a curve point, whereas for each curve point Q, a randomized algorithm yields an ordered pair (t1, t2) of pre-images of Q, where the expected number of randomized pre-images one has to try is small (four if one uses the mapping of Appendix K.3.1; two if one uses the mapping of Appendix K.3.2). For further details, see Algorithm 1 of [Tibouchi].

Similar properties hold if one uses the mappings of Appendix K.4 (rather than those of Appendix K.3): in this case, the mapping allows one to represent a curve point Q as a specific element (t,s) of GF(q)x{0,1}, provided this point arises as a point in the range of the mapping at hand. For Montgomery curves and twisted Edwards curves, this covers roughly half of the curve points; for Weierstrass curves, roughly 3/8 of the curve points. One can extend the mappings above, by mapping a pair ((t1,s1), (t2,s2)) of inputs to the point Q:=Q2((t1,s1), (t2,s2)):=Q(t1,s1) - Q(t2,s2). In this case, each curve point has roughly q representations as an ordered pair ((t1,s1), (t2,s2)) on average. In fact, one can show that if the input pairs are generated uniformly at random, then the corresponding curve points follow a distribution that is also (statistically indistinguishable from) a uniform distribution, and vice-versa. Here, each pair ((t1,s1), (t2,s2)) deterministically yields a curve point, whereas for each curve point Q, a randomized algorithm yields an ordered pair ((t1,s1), (t2,s2)) of pre-images of Q, where the expected number of randomized pre-images one has to try is small (four if one uses the mapping of Appendix K.4.1; two if one uses the mapping of Appendix K.4.2). Further details are out of scope.

NOTE 1: The main difference between the two constructions above is that the first construction uses the mappings to curve points described in Appendix K.3, while the second construction uses the mappings to high-order curve points described in Appendix K.4. Note that Q2((t1,s1), (t2,s2)) assumes all values (+/-) P(t1) (+/-) P(t2) if one considers all possible values for the binary digits s1 and s2. (This, thereby, includes the value P2(t1, t2).)

NOTE 2: The second mapping above operates on input pairs (t,s), where t is an element of GF(q) that is not a square in GF(q) and where s is a binary digit from the set {0,1}. One can use these mappings to produce a mapping from the nonzero elements of GF(q) to points of a curve via function composition, where one first maps any nonzero element u of GF(q) to the pair (t,s):=(delta*u^2, par(u)), where delta is a fixed element of GF(q) that is not a square in GF(q), and where one subsequently applies any of the mappings above to yield a point of the curve in question. The resulting mapping from the nonzero elements of GF(q) to high-order curve points can be extended further to one that operates on all elements of GF(q) by mapping 0 to any fixed high-order point of the curve in question (e.g., to the fixed "curve offset" P0 of this curve [henceforth called the default completed mapping]). Depending on application-specific criteria, yet other function compositions may be preferred. For the first mapping above, one can use a similar function composition, where one simply drops the binary digit s and maps 0 to the point at infinity or any other suitable curve point. Further details are out of scope.

Appendix L. Curve secp256k1 and Friend

This section illustrates how isogenies can be used to yield curves with specific properties (here, illustrated for the "BitCoin" curve secp256k1).

L.1. Curve Definition and Alternative Representation

The elliptic curve secp256k1 is the Weierstrass curve W_{a,b} defined over the prime field GF(p), with p:=2^256-2^32-2^9-2^8-2^7-2^6-2^4-1, where a:=0 and b:=7. This curve has order h*n, where h=1 and where n is a prime number. For this curve, domain parameter a is zero, whereas b is not. The quadratic twist of this curve has order h1*n1, where h1 is a 37-bit integer and where n1 is a prime number. For this curve, the base point is the point (GX, GY).
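The Weierstrass-side constructions of Appendices K.3.1 (t -> P(t)), K.4.1 ((t,s) -> Q(t,s)) and K.5 (randomized pair (t1,t2) with P(t1)+P(t2)=Q), worked through on the curve secp256k1.m whose parameters are listed in Appendix L.3; this is an added example, not code from the draft. It assumes the default square root function (the root with zero parity, Appendix H), the curve offset P0:=(0,y) of Table 1, and, for the pre-image search, the two quadratic equations in t obtained by inverting X:=(-b/a)*(1+1/(t+t^2)), which are this example's own derivation; the random source is Python's SystemRandom.

```python
import random
from typing import List, Optional, Tuple

# Domain parameters of secp256k1.m (Appendix L.3): p = 3 (mod 4), a and b nonzero.
p = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1
a = 0xcfcd5c2175e2ef7dccdce737770b73815a2f13c509035ca254a14ac9f08974af
b = 1771
Point = Optional[Tuple[int, int]]   # None stands for the point at infinity O

def f(z: int) -> int:                # f(z) := z^3 + a*z + b, as in Appendix K.3.1
    return (pow(z, 3, p) + a * z + b) % p

def inv(z: int) -> int:
    return pow(z % p, p - 2, p)

def is_square(z: int) -> bool:       # Euler's criterion; 0 counts as a square
    return z % p == 0 or pow(z % p, (p - 1) // 2, p) == 1

def par(y: int) -> int:              # parity function of Appendix H
    return y % 2

def sqrt_default(z: int) -> int:     # "the" square root: the one with zero parity
    r = pow(z % p, (p + 1) // 4, p)  # valid because p = 3 (mod 4)
    if r * r % p != z % p:
        raise ValueError("not a square in GF(p)")
    return r if par(r) == 0 else p - r

def map_to_point(t: int) -> Point:   # Appendix K.3.1: non-square t -> P(t)
    t %= p
    if is_square(t):
        raise ValueError("t must be a non-square in GF(p)")
    if t == p - 1:                   # NOTE 1: -1 is mapped to O
        return None
    X = (-b * inv(a)) * (1 + inv(t + t * t)) % p
    assert f(t * X) == pow(t, 3, p) * f(X) % p   # f(t*X) = t^3 * f(X)
    if is_square(f(X)):              # case a
        return (X, sqrt_default(f(X)))
    X2 = t * X % p                   # case b: X' = t*X, and f(X') is then a square
    return (X2, (-sqrt_default(f(X2))) % p)

def on_curve(P: Point) -> bool:
    return P is None or P[1] * P[1] % p == f(P[0])

def neg(P: Point) -> Point:
    return None if P is None else (P[0], (-P[1]) % p)

def add(P1: Point, P2: Point) -> Point:   # affine group law (Appendix C.1)
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None
        lam = (3 * x1 * x1 + a) * inv(2 * y1) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

P0: Point = (0, sqrt_default(b))     # curve offset from Table 1: (0,y) with y even

def map_to_high_order(t: int, s: int) -> Point:   # Appendix K.4.1: (t,s) -> Q(t,s)
    Pt = map_to_point(t)
    if Pt is None:                   # the pair (-1,s) is mapped to P0
        return P0
    return add(P0, Pt) if par(P0[1] * Pt[1] % p) == s else add(P0, neg(Pt))

def quad_roots(A2: int, B2: int, C2: int) -> List[int]:   # roots of A2*t^2+B2*t+C2
    D = (B2 * B2 - 4 * A2 * C2) % p
    if not is_square(D):
        return []
    r = sqrt_default(D)
    return [(-B2 + r) * inv(2 * A2) % p, (-B2 - r) * inv(2 * A2) % p]

def preimages(R: Point) -> List[int]:   # all non-square t with map_to_point(t) == R
    if R is None:
        return []
    x = R[0]
    # Inverting X = (-b/a)*(1+1/(t+t^2)) (own derivation, not from the draft):
    #   case a (x = X):    t^2 + t + b/(a*x+b) = 0
    #   case b (x = t*X):  b*t^2 + (a*x+b)*t + (a*x+b) = 0
    cands = quad_roots(1, 1, b * inv(a * x + b) % p) + quad_roots(b, a * x + b, a * x + b)
    return [t for t in set(cands) if not is_square(t) and map_to_point(t) == R]

def randomized_pair(Q: Point, rng=random.SystemRandom(), tries: int = 256):
    # Appendix K.5 / Algorithm 1 of [Tibouchi]: pick a random non-square t1, then look
    # for a pre-image t2 of Q - P(t1); about four attempts are expected for this mapping.
    for _ in range(tries):
        t1 = rng.randrange(2, p - 1)
        if is_square(t1):
            continue
        ts = preimages(add(Q, neg(map_to_point(t1))))
        if ts:
            return (t1, ts[0])
    raise RuntimeError("no randomized representation found")

def P2(t1: int, t2: int) -> Point:   # P2(t1,t2) := P(t1) + P(t2)
    return add(map_to_point(t1), map_to_point(t2))
```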
The curve secp256k1 is 3-isogenous to the Weierstrass curve secp256k1.m defined over GF(p), which has nonzero domain parameters a and b and has as base point the pair (GmX,GmY), where parameters are as specified in Appendix L.3 and where the related mappings are as specified in Appendix L.2.

L.2. Switching Between Representations

Each affine point (X,Y) of secp256k1 corresponds to the point (X',Y'):=(u(X)/w(X)^2,Y*v(X)/w(X)^3) of secp256k1.m, where u, v, and w are the polynomials with coefficients in GF(p) as defined in Appendix L.4.1, while the point at infinity of secp256k1 corresponds to the point at infinity of secp256k1.m. Under this isogenous mapping, the base point (GX,GY) of secp256k1 corresponds to the base point (GmX,GmY) of secp256k1.m. The dual isogeny maps the affine point (X',Y') of secp256k1.m to the affine point (X,Y):=(u'(X')/w'(X')^2,Y'*v'(X')/w'(X')^3) of secp256k1, where u', v', and w' are the polynomials with coefficients in GF(p) as defined in Appendix L.4.2, while mapping the point at infinity O of secp256k1.m to the point at infinity O of secp256k1. Under this dual isogenous mapping, the base point (GmX, GmY) of secp256k1.m corresponds to a multiple of the base point (GX, GY) of secp256k1, where this multiple is l=3 (the degree of the isogeny; see the description in Appendix F.4). Note that this isogenous map (and its dual) primarily involves the evaluation of three fixed polynomials involving the x-coordinate, which takes roughly 10 modular multiplications (or less than 1% relative incremental cost compared to the cost of an elliptic curve scalar multiplication).

L.3. Domain Parameters

The parameters of the curve secp256k1 and the corresponding 3-isogenous curve secp256k1.m are as indicated below. Here, the domain parameters of the curve secp256k1 are as specified in [SEC2]; the domain parameters of secp256k1.m are "new".

General parameters (for all curves):

p 2^256-2^32-2^9-2^8-2^7-2^6-2^4-1 (=0xffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe fffffc2f)

h 1

n 115792089237316195423570985008687907852837564279074904382605163141518161494337 (=0xffffffff ffffffff ffffffff fffffffe baaedce6 af48a03b bfd25e8c d0364141)

h1 23479460174521 (=0x1a 9bfcab89)

n1 1013176677300131846900870239606035638738100997248092069256697437031 (=0x099ee564 ea5d84f5 08913936 a761b0d5 d792a426 a7779817 ae2f5b67)

Weierstrass curve-specific parameters (for secp256k1):

a 0 (=0x00)

b 7 (=0x07)

GX 55066263022277343669578718895168534326250603453777594175500187360389116729240 (=0x79be667e f9dcbbac 55a06295 ce870b07 029bfcdb 2dce28d9 59f2815b 16f81798)

GY 32670510020758816978083085130507043184471273380659243275938904335757337482424 (=0x483ada77 26a3c465 5da4fbfc 0e1108a8 fd17b448 a6855419 9c47d08f fb10d4b8)

Weierstrass curve-specific parameters (for secp256k1.m):

a 93991599167772749909245591943117186381494883464374162770646538702960816911535 (=0xcfcd5c21 75e2ef7d ccdce737 770b7381 5a2f13c5 09035ca2 54a14ac9 f08974af)

b 1771 (=0x06eb)

GmX 26591621185618668069038227574782692264471832498547635565821216767730887659845 (=0x3aca5300 959fa1d0 baf78dcf f77a616f 395e586d 67aced0a 88798129 0c279145)

GmY 67622516283223102233819216063319565850973524550533340939716651159860372686848 (=0x9580fce5 3a170f4f b744579f f3d62086 12cd6a23 3e2de237 f976c6a7 8611c800)

L.4. Isogeny Details

The isogeny and dual isogeny are both isogenies with degree l=3. Both are specified by a triple of polynomials u, v, and w (resp.
u', v', and w')of~~the point k*Pe~~degree 3, 3, and 1, respectively, with coefficientsin~~tight LSB/ lsb order is given by t1 577913017083163641949634219017190182170288776648725395935 97750427519399254040 (=0x181a32c5 10e06dbc ea321882 f3519055 535e289e 8faac654 82e26f61 aded23fe) t2 454881407940919718426608573125377401686255068210624245884 05479716220480287974 (=0x672e36c5 ae353073 cdfac343 e8297b05 1b010d0f 5b1016db dd4baf54 28068926), where this representation is defined~~GF(p). The coeffients of each of these polynomials are specifiedin Appendix~~L.4 and uses~~L.4.1 (forthe~~mapping of~~isogeny) and inAppendix~~L.3.3 with~~L.4.2 (forthe~~default square root function and underlying isomorphic mapping between Edwards25519 and Curve25519~~dual isogeny). For each polynomial in variable x, the coefficients are tabulated as sequence of coefficients of x^0, x^1, x^2, ..., in hexadecimal format. L.4.1. Isogeny Parameters L.4.1.1. Coefficients of u(x) 0 0x54 1 0xa4d89db3ed06c81e6143ec2eca9f761d8d17260dc229e1da1f73f714506872a9 2 0xcc58ffccbd9febb4a66222c7d1311d988d88c0624bcd68ec4c758a8e67dfd99b 3 0x01 L.4.1.2. Coefficients of v(x) 0 0x1c 1 0x94c7bc69befd17f2fae2e3ebf24df1f355d181fa1a8056103ba9baad4b40f029 2 0xb2857fb31c6fe18ef993342bb9c9ac64d44d209371b41d6272b04fd61bcfc851 3 0x01 L.4.1.3. Coefficients of w(x) 0 0xe62c7fe65ecff5da53311163e8988ecc46c4603125e6b476263ac546b3efeae5 1 0x01 L.4.2. Dual Isogeny Parameters L.4.2.1. Coefficients of u'(x) 0 0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7 1 0x44cd5cd7ce55a801725891578fbe7356bd936355fd0e2f538797cecff7a37244 2 0x668d0011162006c3c889f4680f9a4b77d0d26a89e6bb87b13bd8d1cfdd600a41 3 0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c L.4.2.2. 
Coefficients of v'(x) 0 0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c 1 0x519ba9c1f48f68054def6a410f0fa6e8b71c6c3b4a8958324681f6508c01fada 2 0xb34680088b100361e444fa3407cd25bbe8693544f35dc3d89dec68e76eb00338 3 0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84 L.4.2.3. Coefficientsofw'(x) 0 0x4d7a804ce3901e71066ccbd44636539b2bb2df6c8e4be29d8d4fb028e43033de 1 0x01Appendix~~E.2. K.3. Example with Wei25519 Pw=(X, Y), k*Pw=(X1, Y1),~~M. Curve448and~~(k+1)*Pw=(X2, Y2) with Wei25519: X 14428294459702615171094958724191825368445920488283965295163094662 783879239338 (=0x1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa). Y 53327798092436462013048370302019946300826511459161905709144645521 233690313086 (=0x75e676ce deee3b3c 12942357 22f1d884 ac06de07 330fb07b ae35ca26 df75417e). X1 34422557393689369648095312405803933433606568476197477554293337733 87341283644 (=0x079c3f69 9b688181 69038c35 39c11eb5 96d09f5b 12a242b4 ce660f13 3368c13c). Y1 76981661982917351630937517222412729130882368858134322156485762195 67913357634 (=0x110501f6 1dff511e d6c4e9b9 bfd5acbe 8bf043b8 c3e381dd f5771306 479ad142). X2 22716193187790487472805844610038683159372373526135883092373909944 834653057415 (=0x3238e8e2 ec6e8b7a e1e8feff 97aa58dd d2435bb5 0071cbc2 0d0d4a42 9be67187). Y2 43046985853631671610553834968785204191967171967937842531656254539 962663994648 (=0x5f2bbb06 f7ec5953 2c2a1a62 21124585 1d2682e0 cc37307e fbc17f7f 7fda8518). The representation of k~~Cousins This section introduces curves related to Curve448and~~the compressed representations of Pw~~explains their relationships. M.1. 
Curve Definitionand~~k*Pw in tight MSB/msb-order are given by repr(k) =0x6485b7e6 cd83e5c2 0d5dbfe4 f915494d 9cf5c65d 778c32c3 c08d5abd 15e29c50; repr(Pw) =0x1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa; repr(k*Pw) =0x079c3f69 9b688181 69038c35 39c11eb5 96d09f5b 12a242b4 ce660f13 3368c13c, where the leftmost bit of~~Alternative Representations The elliptic curve Curve448 isthe~~leftmost octet indicates~~Montgomery curve M_{A,B} defined overthe~~parity~~prime field GF(p), with p:=2^{448}-2^{224}-1, where A:=156326 and B:=1. This curve has order h*n, where h=4 and where n is a prime number. For this curve, A^2-4 is not a square in GF(p), whereas A-2 is. The quadratic twistofthis curve has order h1*n1, where h1=4 and where n1 is a prime number. For this curve,the~~Y-coordinate of~~base point isthe point~~of Wei25519 in question (which, in this case, are both zero, since Y and Y1 are even). See Appendix I.1~~(Gu, Gv), where Gu=5and~~Appendix J for further detail on (squeezed) point compression. The scalar representation~~where Gvis~~consistent~~an even integer in the interval [0, p-1]. This curve has the same group structure as (is "isomorphic" to) the twisted Edwards curve E_{a,d} defined over GF(p),withas base pointthe~~representations~~point (Gx, Gy), where parameters are asspecified in~~[SEC1]; the (squeezed) point representation illustrated above~~Appendix M.3. This curveis~~"new".~~denoted as Ed448.For~~completeness, we include~~this curve, the parametera~~SEC1-consistent representation~~is a square in GF(p), whereas d is not, so the group lawsofAppendix C.3 apply. The curve is also isomorphic to the elliptic curve W_{a,b} in short- Weierstrass form defined over GF(p), with as base pointthe point~~Pw in affine format and~~(GX, GY), where parameters are as specifiedin~~compressed format below. The SEC1-compliant~~Appendix M.3. This curve is denoted as Wei448. M.2. 
Switching between Alternative Representations Eachaffine~~representation~~point (u, v)ofCurve448 corresponds tothe point~~Pw in tight MSB/msb-order is given by aff(Pw) =0x04 1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa 75e676ce deee3b3c 12942357 22f1d884 ac06de07 330fb07b ae35ca26 df75417e, whereas the SEC1-compliant compressed representation~~(X, Y):=(u + A/3, v)ofWei448, whilethe point~~Pw in tight MSB/msb-order is given by compr(Pw) =0x02 1fe62011 89e0801e f1debed7 456a3dc7 94d3ac0b 55202fe7 2a41cf12 629e56aa; The SEC1-compliant uncompressed format aff(Pw)~~at infinityof~~an affine point Pw~~Curve448corresponds to the~~right-concatenation~~point at infinityof~~its X- and Y-coordinates, each in tight MSB/msb-order, prepended by~~Wei448. (Here, we usedthe~~string 0x04, where~~mappings of Appendix D.2 and that B=1.) Under this mapping,the~~reverse procedure is uniquely defined, since elements~~base point (Gu, Gv)of~~GF(p) have a unique fixed-size representation. The (squeezed) compressed format repr(Pw)~~Curve448corresponds to the~~SEC1-compliant compressed format by extracting~~base point (GX, GY) of Wei448. The inverse mapping mapsthe~~parity bit t from~~affine point (X, Y) of Wei448 to (u, v):=(X - A/3, Y) of Curve448, while mappingthe~~leftmost bit~~point at infinityofWei448 tothe~~leftmost octet~~point at infinity of Curve448. 
Note that this mapping involves a simple shiftof~~repr(Pw), replacing~~the~~bit position by~~first coordinate and can be implemented via integer-only arithmetic as a shift of -(p-A)/3 forthe~~value zero,~~isomorphic mappingand~~prepending~~a shift of (p-A)/3 for its inverse, where delta=(p-A)/3 isthe~~octet string with 0x02 or 0x03,~~element of GF(p) defined by delta 24227957476520229684977460262933484478454712022910602009383006 63935374427222435908954654612328921819766962948206145457870178326 72736371 (=0x55555555 55555555 55555555 55555555 55555555 55555555 55555554 ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffff3473). (Note that,depending on~~whether t=0 or t=1, respectively, where~~the~~reverse procedure is uniquely defined, since GF(p) is a 255-bit prime field. For further details, see [SEC1]. A randomized representation (t1, t2)~~implementation detailsof the~~point k*Pw in tight MSB/ msb order is given~~field arithmetic, one may have to shift the resultby~~t1 446363445988889734093446280484122107283059206243307955388 84223152228795899590 (=0x62af4697 4dd469ac 96c64809 c16c8517 b6a0cee5 40ba0e2e 6dd2b36a fcc75ec6) t2 213890166610228613105792710708385961712211281744756216061 11930888059603107561 (=0x2f49c121 8fed7912 031157ee ae066507 a972320b 6180e267 4025b006 2e67bee9), where~~+p or -p ifthis~~representation~~integeris~~defined~~notin~~Appendix L.4 and uses the mapping of Appendix L.3.1 with~~the~~default square root function. K.4. Example with Wei25519.2 Pw2=(X, Y), k*Pw2=(X1, Y1), and (k+1)*Pw2=(X2, Y2) with Wei25519.2: X 17830493209951148331008014701079988862634531394137235438571836389 227198459763 (=0x276bb396 d766b695 bfe60ab1 3c0260dd c09f5bcf 7b3ca47c f21c8672 d1ecaf73). Y 21064492012933896105338241940477778461866060481408222122979836206 137075789640 (=0x2e921479 5ad47af7 784831de 572ed8e9 7e20e137 cc67378c 184ca19f f9136f48). 
X1 65470988951686461979789632362377759464688342154017353834939203791 39281908968 (=0x0e7986d2 e94354ab 8abd8806 3154536a 4dcf8e6e 65557183 e242192d 3b87f4e8). Y1 51489590494292183562535790579480033229043271539297275888817125227 35262330110 (=0x0b623521 c1ff84bc 1522ff26 3376796d be77fcad 1fcabc28 98f1be85 d7576cfe). X2 83741788501517200942826153677682120998854086551751663061374935388 3494226693 (=0x01d9f633 b2ac2606 9e6e93f7 6917446c 2b27c16f 729121d7 709c0a58 00ef9b05). Y2 42567334190622848157611574766896093933050043101247319937794684825 168161540336 (=0x5e1c41e1 fb74e41b 3a19ce50 e1b2caf7 7cabcbb3 0c1c1474 a4fd13e6 6c4c08f0).~~interval [0,p-1].)The~~representation~~curve Ed448 is isomorphic to the curve Curve448, where the base point (Gu, Gv)of~~k and~~Curve448 corresponds tothe~~compressed representations~~base point (Gx,Gy)of~~Pw2~~Ed448and~~k*Pw2 in tight MSB/msb-order are given by repr(k) =0x6485b7e6 cd83e5c2 0d5dbfe4 f915494d 9cf5c65d 778c32c3 c08d5abd 15e29c50; repr(Pw2) =0x276bb396 d766b695 bfe60ab1 3c0260dd c09f5bcf 7b3ca47c f21c8672 d1ecaf73; repr(k*Pw2) =0x0e7986d2 e94354ab 8abd8806 3154536a 4dcf8e6e 65557183 e242192d 3b87f4e8,~~where the~~leftmost bit of the leftmost octet indicates~~point at infinity andthe~~parity~~point (0,0)of~~the Y-coordinate~~order twoofCurve448 correspond to, respectively, the point (0, 1) andthe point(0, -1)of~~Wei25519.2 in question (which, in this case, are both zero, since Y and Y1 are even). See Appendix Appendix I.1~~order two of Ed448and~~Appendix J for further detail on (squeezed)~~where each otherpoint~~compression. 
A randomized representation (t1, t2)~~(u, v)ofCurve448 corresponds tothe point~~k*Pw2 in tight MSB/ msb order is given by t1 416669672354928148679758598803660112405431159793278161879 36189858804289581274 (=0x5c1eaaef 80f9d4af 33c119fc c99acd58 f81e7d69 999c7048 e4043a77 87a930da) t2 361115271162391608083096560179337391059615651279123199921 18531180247832114098 (=0x4fd66668 e7174775 de44c852 92df8cfe b9832ef8 2570b3b8 fe5ec21a b2d4b3b2),~~(c*u/v, (u+1)/(u-1)) of Ed448,where~~this representation~~cisthe element of GF(p)defined~~in~~by c sqrt((A-2)/B) 19788846729546443953835400975385803825683515259105980214819977919 60874042320025157136042631277930307478554244641856917664538448351 92428 (=0x45b2c5f7 d649eed0 77ed1ae4 5f44d541 43e34f71 4b71aa96 c945af01 2d182975 0734cde9 faddbda4 c066f7ed 54419ca5 2c85de1e 8aae4e6c). (Here, we used the mapping ofAppendix~~L.4~~D.1and~~uses~~normalized this usingthe mapping of Appendix~~L.3.1 with~~F.1 (wherethe~~default square root function. K.5. Example with Wei25519.-3 Pw3=(X, Y), k*Pw3=(X1, Y1),~~element s of that appendix is set to c above).) The inverse mapping from Ed448 to Curve448 is defined by mapping the point (0, 1)and~~(k+1)*Pw3=(X2, Y2) with Wei25519.-3: X 14780197759513083469009623947734627174363231692126610860256057394 455099634096 (=0x20ad4ba4 612f0586 221787b0 d01ba46c d1d8cd5a 0348ef00 eb4c9272 03ca71b0). Y 45596733430378470319805536538617129933663237960146030424392249401 952949482817 (=0x64ced628 e982648e 4bfcf30c 71c4d267 ba48b0ce fee20062 b43ef4c9 73f7b541). X1 47362979975244556396292400751828272600887612546997532158738958926 60745725532 (=0x0a78a650 a39995ef dcf4de88 940d4ce9 5b2ca35c c5d70e06 63b8455e 2e04e65c). Y1 30318112837157047703426636957515037640997356617656007157255559136 153389790354 (=0x64ced628 e982648e 4bfcf30c 71c4d267 ba48b0ce fee20062 b43ef4c9 73f7b541). 
X2 23778942085873786433506063022059853212880296499622328201295446580 293591664363 (=0x3492677e 6ae9d1c3 e08f908b 61033f3d 4e8322c9 fba6da81 2c95b067 9b1486eb). Y2 44846366394651736248316749170687053272682847823018287439056537991 969511150494 (=0x632624d4 ab94c83a 796511c0 5f5412a3 876e56d2 ed18eca3 21b95bef 7bf9939e).~~the point (0, -1) of order two of Ed448 to, respectively, the point at infinity and the point (0,0) of order two of Curve448 and having each other point (x, y) of Ed448 correspond to the point ((y + 1)/(y - 1), c*(y + 1)/((y-1)*x)) of Curve448.The~~representation~~curve Ed448 is isomorphic to the Weierstrass curve Wei448, where the base point (Gx, Gy)of~~k~~Ed448 corresponds to the base point (GX,GY) of Wei448andwherethe~~compressed representations~~identity element (0,1) and the point (0,-1)of~~Pw3~~order two of Ed448 correspond to, respectively, the point at infinity O and the point (A/3, 0) of order two of Wei448and~~k*Pw3 in tight MSB/msb-order are given by repr(k) =0x6485b7e6 cd83e5c2 0d5dbfe4 f915494d 9cf5c65d 778c32c3 c08d5abd 15e29c50; repr(Pw3) =0xa0ad4ba4 612f0586 221787b0 d01ba46c d1d8cd5a 0348ef00 eb4c9272 03ca71b0; repr(k*Pw3) =0x0a78a650 a39995ef dcf4de88 940d4ce9 5b2ca35c c5d70e06 63b8455e 2e04e65c,~~whereeach other point (x, y) of Ed448 corresponds tothe~~leftmost bit~~point (X, Y):=((y+1)/(y-1)+A/3, c*(y+1)/((y-1)*x)) of Wei448, where c was defined before. (Here, we used the mappingofAppendix D.3.) The inverse mapping from Wei448 to Ed448 is defined by mappingthe~~leftmost octet indicates~~point at infinity O andthe~~parity~~point (A/3, 0) of order twoofWei448 to, respectively,the~~Y-coordinate~~identity element (0,1) and the point (0,-1) of order two of Ed448 and having each other point (X, Y)ofWei448 correspond tothe point(c*(X-A/3)/Y, (X-A/3+1)/(X-A/3-1))of~~Wei25519.-3 in question (which, in this case,~~Ed448. 
Note that these mappings can be easily realized if pointsare~~one~~represented in projective coordinates, using a few field multiplications only, thus allowing switching between alternative curve representations with negligible relative incremental cost. M.3. Domain Parameters The parameters of the Montgomery curveand~~zero, respectively, since Y is odd~~the corresponding isomorphic curves in twisted Edwards curveand~~Y1 is even). See Appendix I.1~~short-Weierstrass form are as indicated below. Here, the domain parameters of the Montgomery curve Curve448and~~Appendix J for further detail on (squeezed) point compression. A randomized representation (t1, t2)~~of thetwisted Edwards curve Ed448 are as specified in [RFC7748]; the domain parameters of Wei448 are "new". IMPORTANT NOTE: the supposed basepoint~~k*Pw3~~of Ed448 specifiedin~~tight MSB/ msb order is given by t1 573714937613596601525680684642155667097217474964816246889 88981227297409008259 (=0x7ed71d5f 566d2259 99bdb404 bfb9d6cf d2e86ccb 1894d4a6 c75e3c69 e5eb0283) t2 269945781324580189815142015663892935722419453863927287235 57891665397640090729 (=0x3bae63c8 70f60de0 c2e35f94 d24220f1 bb6efd00 37625869 f84923de ff4c5469), where this representation~~[RFC7748]is~~defined in Appendix L.4~~incorrect, since it has order 2*n,and~~uses~~- inthe~~mapping of Appendix L.3.1 with~~notation below - that point isthe~~default square root function. Appendix L. Auxiliary Functions L.1. Square Roots in GF(q) Square roots are easy to compute~~point (Gx,-Gy)=-(Gx, Gy)+(0,-1). The birational mapin~~GF(q) if q = 3 (mod 4) (see Appendix L.1.1) or if q =~~that document is also incorrect. 
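As an added example (not code from the draft), the following Python applies the Appendix M.2 representation switches to the Curve448 base point and checks the results against the Appendix M.3 domain parameters: the shift by A/3 (also done integer-only with delta), the Ed448 map with c = sqrt((A-2)/B) taken as the even root, and the curve equations on each side. Function names are this example's own; all constants are copied from the text.

```python
# Added example: the Appendix M.2 representation switches for Curve448, Ed448
# and Wei448, checked against the Appendix M.3 domain parameters.  Plain Python
# integers only; function names are this example's own, not the draft's.

p = 2**448 - 2**224 - 1          # the prime field GF(p)
A, B = 156326, 1                 # Montgomery parameters of Curve448

def hx(groups):
    """Parse a hex value written in the draft's space-separated 8-digit groups."""
    return int(groups.replace(" ", ""), 16)

# Base point (Gu, Gv) of Curve448 and the Ed448/Wei448 values of Appendix M.3.
Gu = 5
Gv = hx("7d235d12 95f5b1f6 6c98ab6e 58326fce cbae5d34 f55545d0 60f75dc2 "
        "8df3f6ed b8027e23 46430d21 1312c4b1 50677af7 6fd7223d 457b5b1a")
Gx = int("34539749303972951637400860415053741026665526007518329021640697028"
         "16456950736723444304817877593406332217083915834240417889241245677"
         "00732")
GX = hx("aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa "
        "00000000 00000000 00000000 00000000 00000000 00000000 0000cb91")
a_wei = hx("aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaa9 "
           "ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe 1a76d41f")
delta = hx("55555555 55555555 55555555 55555555 55555555 55555555 55555554 "
           "ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffff3473")

def inv(x):
    """Inverse in GF(p) via Fermat (p is prime)."""
    return pow(x % p, p - 2, p)

def sqrt_even(x):
    """Square root in GF(p), p = 3 (mod 4), normalized to the even root."""
    r = pow(x % p, (p + 1) // 4, p)
    if r * r % p != x % p:
        raise ValueError("not a square in GF(p)")
    return r if r % 2 == 0 else p - r

c = sqrt_even((A - 2) * inv(B))   # c = sqrt((A-2)/B); the draft's c is the even root
A3 = A * inv(3) % p               # the field element A/3 used by the Weierstrass shift

# Curve448 <-> Wei448 (B = 1): shift the first coordinate by A/3.
def curve448_to_wei448(u, v):
    return ((u + A3) % p, v)

def wei448_to_curve448(X, Y):
    return ((X - A3) % p, Y)

def shift_by_delta(u):
    """Same map with integer-only arithmetic: X = u - (p-A)/3, plus the +p
    fix-up into [0, p-1] that the draft notes may be needed."""
    X = u - delta
    return X + p if X < 0 else X

# Curve448 <-> Ed448 with a = 1, d = (A+2)/(A-2).  Points of order <= 2 are
# handled separately in the draft and excluded here (they would divide by zero).
def curve448_to_ed448(u, v):
    return (c * u * inv(v) % p, (u + 1) * inv(u - 1) % p)

def ed448_to_curve448(x, y):
    return ((y + 1) * inv(y - 1) % p, c * (y + 1) * inv((y - 1) * x) % p)

def ed448_to_wei448(x, y):
    return curve448_to_wei448(*ed448_to_curve448(x, y))

# Curve equations, to confirm each mapped point really lies on its curve.
def on_curve448(u, v):
    return B * v * v % p == (u**3 + A * u * u + u) % p

def on_ed448(x, y):
    d = (A + 2) * inv(A - 2) % p
    return (x * x + y * y) % p == (1 + d * x * x * y * y) % p

def wei448_params():
    """Short-Weierstrass a, b of Curve448 for B = 1: (3-A^2)/3 and (2A^3-9A)/27."""
    return (3 - A * A) * inv(3) % p, (2 * A**3 - 9 * A) * inv(27) % p

def on_wei448(X, Y):
    a, b = wei448_params()
    return Y * Y % p == (X**3 + a * X + b) % p

def check_base_points():
    """Map (Gu, Gv) to Wei448 and Ed448 and compare with the draft's values."""
    X, Y = curve448_to_wei448(Gu, Gv)
    x, y = curve448_to_ed448(Gu, Gv)
    return {
        "delta_is_(p-A)/3": delta == (p - A) // 3,
        "wei448_GX_GY_match": (X, Y) == (GX, Gv) and shift_by_delta(Gu) == GX,
        "wei448_a_matches": wei448_params()[0] == a_wei,
        "ed448_Gx_matches": x == Gx,
        "ed448_Gy_is_3/2": y == 3 * inv(2) % p,
        "all_on_curve": on_curve448(Gu, Gv) and on_wei448(X, Y) and on_ed448(x, y),
        "round_trips": wei448_to_curve448(X, Y) == (Gu, Gv)
                       and ed448_to_curve448(x, y) == (Gu, Gv)
                       and ed448_to_wei448(x, y) == (X, Y),
    }
```

Every entry of check_base_points() is True for the draft's parameters; a failed entry would point at a mistranscribed constant or a wrong sign choice for c.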
General parameters (for all curve models):

p   2^{448}-2^{224}-1
    (=0xffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff)
h   4
n   181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779
    (=2^{446} - 0x8335dc16 3bb124b6 5129c96f de933d8d 723a70aa dc873d6d 54a7bb0d)
h1  4
n1  181709681073901722637330951972001133588410340171829515070372549795160160121825800627002436557645897001734148521830156375752993149532941
    (=2^{446} + 0x0335dc16 3bb124b6 5129c96f de933d8d 723a70aa dc873d6d 54a7bb0d)

Montgomery curve-specific parameters (for Curve448):

A   156326 (=0x0262a6)
B   1 (=0x01)
Gu  5 (=0x05)
Gv  355293926785568175264127502063783334808976399387714271831880898435169088786967410002932673765864550910142774147268105838985595290606362
    (=0x7d235d12 95f5b1f6 6c98ab6e 58326fce cbae5d34 f55545d0 60f75dc2 8df3f6ed b8027e23 46430d21 1312c4b1 50677af7 6fd7223d 457b5b1a)

Edwards curve-specific parameters (for Ed448):

a   1 (=0x01)
d   39082/39081 = (A+2)/(A-2)
    (=6119758507445291761604232209655533175432196968710166263289689364150878600426364748917855992836660204147686789799893781470654628155545017)
    (=0xd78b4bdc 7f0daf19 f24f38c2 9373a2cc ad461572 42a50f37 809b1da3 412a12e7 9ccc9c81 264cfe9a d0809970 58fb61c4 243cc32d baa156b9)
Gx  345397493039729516374008604150537410266655260075183290216406970281645695073672344430481787759340633221708391583424041788924124567700732
    (=0x79a70b2b 70400553 ae7c9df4 16c792c6 1128751a c9296924 0c25a07d 728bdc93 e21f7787 ed697224 9de732f3 8496cd11 69871309 3e9c04fc)
Gy  3/2
    (=363419362147803445274661903944002267176820680343659030140745099590306164083365386343198191849338272965044442230921818680526749009182721)
    (=0x7fffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff 80000000 00000000 00000000 00000000 00000000 00000000 00000001)

Weierstrass curve-specific parameters (for Wei448):

a   484559149530404593699549205258669689569094240458212040187660132787074885444487181790930922465784363953392589641229091574035657199637535
    (=0xaaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaa9 ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe 1a76d41f)
b   269199527516891440944194002921483160871719022476784466770922295992819380802492878772739401369880202196329216467349495319191685664513904
    (=0x5ed097b4 25ed097b 425ed097 b425ed09 7b425ed0 97b425ed 097b425e 71c71c71 c71c71c7 1c71c71c 71c71c71 c71c71c7 1c72c87b 7cc69f70)
GX  484559149530404593699549205258669689569094240458212040187660132787074885444487181790930922465784363953392589641229091574035665345629073
    (=0xaaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa 00000000 00000000 00000000 00000000 00000000 00000000 0000cb91)
GY  355293926785568175264127502063783334808976399387714271831880898435169088786967410002932673765864550910142774147268105838985595290606362
    (=0x7d235d12 95f5b1f6 6c98ab6e 58326fce cbae5d34 f55545d0 60f75dc2 8df3f6ed b8027e23 46430d21 1312c4b1 50677af7 6fd7223d 457b5b1a)

Appendix N. Further Cousins of Curve448

This section introduces some further curves related to Curve448 and explains their relationships.

N.1. Further Alternative Representations

The Weierstrass curve Wei448 is isomorphic to the Weierstrass curve Wei448.1 defined over GF(p), with as base point the pair (G1X, G1Y), and isogenous to the Weierstrass curve Wei448.-3 defined over GF(p), with as base point the pair (G3X, G3Y), where parameters are as specified in Appendix N.3 and where the related mappings are as specified in Appendix N.2.

The Edwards curve Ed448 is isogenous to the Edwards curve Edwards448 defined over GF(p), with as base point the pair (G1x, G1y), where parameters are as specified in Appendix N.3 and where the related mappings are as specified in Appendix N.2.

N.2. Further Switching

Each affine point (X, Y) of Wei448 corresponds to the point (X', Y'):=(X*s^2, Y*s^3) of Wei448.1, where s is the element of GF(p) defined by

s   523222743436774427793795205897710288185684045877291179195905110619350951023834788013447388868747146521664184623272464129895489080000881
    (=0xb848cd01 981d2f83 f2829b42 eb86914e 88f44c9d 05dcbdff dbdd1e56 c4674bc8 d6d90d91 862a38f5 ca797ca7 f21c05cf a7ac32bf d2ca0171),

while the point at infinity of Wei448 corresponds to the point at infinity of Wei448.1. (Here, we used the mapping of Appendix F.3.) Under this mapping, the base point (GX, GY) of Wei448 corresponds to the base point (G1X, G1Y) of Wei448.1. The inverse mapping maps the affine point (X', Y') of Wei448.1 to (X, Y):=(X'/s^2, Y'/s^3) of Wei448, while mapping the point at infinity O of Wei448.1 to the point at infinity O of Wei448. Note that this mapping (and its inverse) involves a modular multiplication of both coordinates with fixed constants s^2 and s^3 (respectively, 1/s^2 and 1/s^3), which can be precomputed.

Each affine point (X, Y) of Wei448 for which the Y-coordinate is nonzero (i.e., each point with order larger than two) corresponds to the point (X', Y'):=(X1*t^2, Y1*t^3) of Wei448.-3, where (X1, Y1)=(u(X)/w(X), Y*v(X)/w(X)^2), where u, v, and w are the polynomials with coefficients in GF(p) as defined in Appendix N.4.1 and where t is the element of GF(p) defined by

t   235794507514756914308823655465399662697741254267589685226988560221337894426554087443894528320025431822332938339706896186376071233907365
    (=0x530c9a1d 7cf071d0 9646b83d b246626b 4e57ba5d 6a791bef 76197254 3209dc5c 20d81498 d5ab8d7a 2fb22507 ca68c040 a6c82eb3 b6c7aaa5),

while the point at infinity and the point (A/3, 0) of order two of Wei448 correspond to the point at infinity of Wei448.-3. (Here, we used the isogenous mapping of Appendix F.4.) Under this isogenous mapping, the base point (GX, GY) of Wei448 corresponds to the base point (G3X, G3Y) of Wei448.-3. The dual isogeny maps the affine point (X', Y') of Wei448.-3 to the affine point (X, Y):=(u'(X1)/w'(X1), Y1*v'(X1)/w'(X1)^2) of Wei448, where (X1, Y1)=(X'/t^2, Y'/t^3) and where u', v', and w' are the polynomials with coefficients in GF(p) as defined in Appendix N.4.2, while mapping the point at infinity O of Wei448.-3 to the point at infinity O of Wei448. Under this dual isogenous mapping, the base point (G3X, G3Y) of Wei448.-3 corresponds to a multiple of the base point (GX, GY) of Wei448, where this multiple is l=2 (the degree of the isogeny; see the description in Appendix F.4). Note that this isogenous map (and its dual) primarily involves the evaluation of three fixed polynomials involving the x-coordinate, which takes only a few modular multiplications (less than 0.5% relative incremental cost compared to the cost of an elliptic curve scalar multiplication).

Each point (x1, y1) of Edwards448 corresponds to the point (x, y) of Ed448, where x = c*x1*y1/(1-d1*x1^2*y1^2) = c*x1*y1/(2-x1^2-y1^2) and y = (1 + d1*x1^2*y1^2)/(y1^2-x1^2) = -(x1^2+y1^2)/(x1^2-y1^2). (Here, we used the 4-isogenous mapping of Appendix F.4.) Under this isogenous mapping, the base point (G1x, G1y) of Edwards448 corresponds to the base point (Gx, Gy) of Ed448. The dual isogeny maps each point (x, y) of Ed448 to the point (x1, y1) of Edwards448, where x1 = (4*x*y/c)/(y^2-x^2) and y1 = (1 - d*x^2*y^2)/(1 + d*x^2*y^2) = (2-x^2-y^2)/(x^2+y^2). Under this dual isogenous mapping, the base point (Gx, Gy) of Ed448 corresponds to a multiple of the base point (G1x, G1y) of Edwards448, where this multiple is l=4 (the degree of the isogeny; see the description in Appendix F.4). Note that this isogenous map (and its dual) primarily involves the evaluation of three fixed polynomials, which takes only a few multiplications (less than 0.5% relative incremental cost compared to the cost of an elliptic curve scalar multiplication).

The point (0,1) and the point (0,-1) of order two of Edwards448 correspond to, respectively, the point at infinity and the point (0,0) of order two of Curve448, while each other point (x1, y1) of Edwards448 corresponds to the point (u, v) of Curve448, where u = y1^2/x1^2 and v = y1*(2-x1^2-y1^2)/x1^3. Under this isogenous mapping, the base point (G1x, G1y) of Edwards448 corresponds to the base point (Gu, Gv) of Curve448. The dual isogeny maps both the point at infinity and the point (0,0) of order two of Curve448 to the point (0,1) of Edwards448, while each other point (u, v) of Curve448 corresponds to the point (x1, y1) of Edwards448, where x1 = 4*(u^2-1)*v/((u^2-1)^2+4*v^2) and y1 = u*((u^2-1)^2-4*v^2)/(2*(u^2+1)*v^2-u*(u^2-1)^2). Under this dual isogenous mapping, the base point (Gu, Gv) of Curve448 corresponds to a multiple of the base point (G1x, G1y) of Edwards448, where this multiple is l=4 (the degree of the isogeny; see above).

N.3. Further Domain Parameters

The parameters of the Weierstrass curve with a=1 that is isomorphic with Wei448 and the parameters of the Weierstrass curve with a=-3 that is isogenous with Wei448 are as indicated below. Both domain parameter sets can be exploited directly to derive more efficient point addition formulae, should an implementation facilitate this. The domain parameters of the twisted Edwards curve Edwards448 are as specified in [RFC7748].

General parameters: same as for Wei448 (see Appendix M.3)

Weierstrass curve-specific parameters (for Wei448.1, i.e., with a=1):

a   1 (=0x01)
b   659612817018071705319448049859079902872252480565600363923809459513818308850763543778602104492771511922449740791489579066934526889652743
    (=0xe8528596 bfbcbac9 7ebdbe4e 9683e25c 73a5ff37 6c4cd400 5a75c425 8e3eb05a 9f6f8c24 24cb5aa9 0dcf9fa4 cab6691d 5530347c 28437207)
G1X 19236211982508211644805033459306273038523230481309141518540414163720911862924584822319124602432572474786840054489997468096910079959723
    (=0x06c672d5 b5bae33b 010fa210 9de7937a 95db8ffc 043c507f 5e0d07a1 25382eaf 13f5fc3b 75db2614 6e6d002f d8364ed6 c9bc8fbf bbda22ab)
G1Y 303194430568771698044880723845630642886755762341967736679208075677917792785875562195875622220663246598830846631955694882177584586164158
    (=0x6ac9c53c 767cd3ae cbf904a1 2923502f 115355d1 6ae8911c 5c92f612 aa854455 d1e6d29f 4db4ddea 519a174f c0dd2505 ec3328ba 250a07be)

Weierstrass curve-specific parameters (for Wei448.-3, i.e., with a=-3):

a   -3
    (=0xffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffffc)
b   699937686810001500848336699619005330673833355924944987095346934649131425073158306877468995089322968102492731574779458733142208859254465
    (=0xf686723d 80e29d06 2d00a9f1 3305b698 85790019 cca78035 9dac226b efb1ae21 125397dd 16f255b0 cc5d18e5 43582a1c af90dfe2 c0aeaec1)
G3X 406774749948698764709161334243115168566624079707994248378413484218769627466511314071900122703011655137887728036852633498562710468088795
    (=0x8f452c6b dc3265dd 580b2638 59a02b20 198cc020 1dd7fba1 8b431694 4a936052 fb4e4a41 93d01fa5 5fb5c732 7393208b 8170f3f2 be78d3db)
G3Y 545942109702059949272607895850064371151170668464981893782850315109031029046834771492936610663547097866679551244662905123570450486806147
    (=0xc0494f90 461db11c 35fb7646 8349399a ae230351 11330cce b7473244 ab63c955 cf6ec02f 2656b439 44b19f4b 52eef12e 73026bbc 84444683)

Edwards curve-specific parameters (for Edwards448):

a   1 (=0x01)
d1  -39081 = -(A-2)/4
    (=726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358)
    (=0xffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffff6756)
G1x 224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710
    (=0x4f1970c6 6bed0ded 221d15a6 22bf36da 9e146570 470f1767 ea6de324 a3d3a464 12ae1af7 2ab66511 433b80e1 8b00938e 2626a82b c70cc05e)
G1y 298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660
    (=0x693f4671 6eb6bc24 88762037 56c9c762 4bea7373 6ca39840 87789c1e 05a0c2d7 3ad3ff1c e67c39c4 fdbd132c 4ed7c8ad 9808795b f230fa14)

N.4. Isogeny Details

The isogeny and dual isogeny are both isogenies with degree l=2. Both are specified by a triple of polynomials u, v, and w (resp. u', v', and w') of degree 2, 2, and 1, respectively, with coefficients in GF(p). The coefficients of each of these polynomials are specified in Appendix N.4.1 (for the isogeny) and in Appendix N.4.2 (for the dual isogeny).
For each polynomial in variable x,the~~u-coordinate~~coefficients are tabulated as sequenceof~~an affine point~~coefficientsof~~M{A,B}, depending on whether f(u)/B is a square in GF(q). a. If f(u)/B is a square~~x^0, x^1, x^2, ...,in~~GF(q) and v:=sqrt(f(u)/B), then t is mapped to~~hexadecimal format. N.4.1. Isogeny Parameters N.4.1.1. Coefficients of u(x) 0 0x01 1 0x55555555555555555555555555555555555555555555555555555554ffffffff ffffffffffffffffffffffffffffffffffffffffffff3473 2 0x01 N.4.1.2. Coefficients of v(x) 0 0x1c71c71c71c71c71c71c71c71c71c71c71c71c71c71c71c71c71c71c55555555 5555555555555555555555555555555555555555f72db94a 1 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa9ffffffff fffffffffffffffffffffffffffffffffffffffffffe68e6 2 0x01 N.4.1.3. Coefficients of w(x) 0 0x55555555555555555555555555555555555555555555555555555554ffffffff ffffffffffffffffffffffffffffffffffffffffffff3473 1 0x01 N.4.2. Dual Isogeny Parameters N.4.2.1. Coefficients of u'(x) 0 0x016c26e0e8 1 0x5555555555555555555555555555555555555555555555555555555500000000 0000000000000000000000000000000000000000000065c6 2 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffc0000000 000000000000000000000000000000000000000000000000 N.4.2.2. Coefficients of v'(x) 0 0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa45836c31 1 0x5555555555555555555555555555555555555555555555555555555500000000 0000000000000000000000000000000000000000000065c6 2 0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffe0000000 000000000000000000000000000000000000000000000000 N.4.2.3. Coefficients of w'(x) 0 0x5555555555555555555555555555555555555555555555555555555500000000 000000000000000000000000000000000000000000019719 1 0x01 Appendix O. Representation Examples Curve448 Family Members We present some examples of computations usingthe~~point P(t):=(u, v); b. If f(u)/B is a not a square~~curves introducedin~~GF(q)~~this document. 
In each case, we indicate the values of P, k*P,and~~v':=sqrt(f(u')/B), then t~~(k+1)*P, where Pis~~mapped to~~a fixed multiple (here: 2019) ofthebasepoint~~P(t):=(u', -v'). As before, formally, this mapping is not properly defined, since a nonzero square y:=x^2~~of the curvein~~GF(q) has two solutions, viz. x~~questionand~~-x; it is properly defined, however, if one designates for each element in GF(q) that~~where the private key kis~~a square in GF(q) precisely one square root as "the" square root of this element. Note that always picking~~the~~square root~~integer k 62662039304523906689788124833289384446202946474440057655160773695 63756342505410402166230018620066482794080866641616932013327623579 01952 (=0xdcb3bbb9 e42d7aca fe62052d 902123c7 0872b984 4c1e199f 7c5d37bd 1171102b c20a6352 d9c91886 29b685de 51441e84 3afe2665 5251aa80). O.1. Examplewith~~zero parity (see Appendix I) satisfies this condition (henceforth called the default square root function). If -1 is not a square~~Curve448 Pm=(u, v), k*Pm=(u1, v1), and (k+1)*Pm=(u2, v2) with Curve448: u 53298594738299085772373536080133483236673782578895339676785179923 90764298300090102709453866054695061082746243636045110750296444932 27715 (=0xbbb91ba3 b0ef74c3 214394b4 d8f0d32d c4a92193 5f573009 39fd86a3 8d54be2a 4d63380b 692381bb ed7339fd dca7b0cd a80166fe 18c086c3). v 30578727850066757341435137807347775064915058999485530015946871157 86794631407274936870618580714107931661730999350222644894729285604 97149 (=0x6bb38e82 8d52337f 6f0395ef dc16c776 52162f5e 309112ae fc7401bf 0cfb0499 eb1ed555 bf507ebc c33b4753 2d6dc6c5 d68dea1c c1e4c1fd). u1 64579461799301726935877447646800238443923683299745374127971411973 12515295161791889743228049222279188968365877164188075095074418806 82513 (=0xe37497bf 9f704689 54ec6537 cbbe91d0 3ffcdcdb 8b707253 a2212cdb e020ba9a 0bf65a1d 5d9a128a f85c63a2 79a00139 7aca56db 15335011). 
v1 55735504615964066386264989698774850924544182484936624265048483231 35693859362627880184586282439234602798023594054611737412667543758 11547 (=0xc44e5e0f 2c254d23 1dc082db 77175e8c fd37793c 22ebe200 77905a5f 750b3c9f 4a95d4d5 4e1a1e54 d2d31689 4249252d 0c8b1c45 1c1481db). u2 32685564331119553171673802371596819258307818641496728161547328225 07595618587323619256769558535630624960575212644680149034661008254 8876 (=0x0b831eca 9c6215b0 5d830361 4013732f 7a9dd07f ebb9441e 49129264 eb724f44 dc53671c ffabb9ee 0c02aa74 b083cd82 a821a4cf 6f6d8c8c). v2 57682103223585233918507344950062950306770296215271320612937204938 77499282103483092990510136901415757273082719665657484294344333591 20741 (=0xcb2988a4 6e37f9a9 a7a1255b 2fd2eea9 82308e7c eb8e18b8 2252175f fd416a10 5984c6b8 36470e48 31879293 8f6139c6 f96164cb 14010965). As suggestedin~~GF(q), this element is mapped to~~Appendix C.2,the~~point at infinity O of M_{A,B}. The set of points of M_{A,B} that arises this way has size roughly 1/2~~v-coordinateofk*Pm can be indirectly computed fromthe~~order~~u-coordinatesof~~the curve~~Pm, k*Pm,and~~each such point arises as image~~(k+1)*Pm, and the v-coordinateof~~precisely one t value. Further details are out~~Pm, which allows computationof~~scope. NOTE 1: If -1 is not a square in GF(q), the mapping above yields~~theentirepoint~~at infinity for t=-1. One can modify this mapping to always yield an affine point, by mapping~~k*Pm (and not just its u-coordinate) if k*Pm is computed usingthe~~element -1 to,~~Montgomery ladder (as,e.g.,[RFC7748] recommends), since that algorithm computes both u1 and u2 and the v-coordinate ofthe~~base~~point~~G~~Pm may be available from context. 
The representationof~~M_{A,B}~~kand~~leaving~~the~~remainder~~compressed representationsofPm and k*Pm in tight LSB/msb-order are given by repr(k) 0x80aa5152 6526fe3a 841e4451 de85b629 8618c9d9 52630ac2 2b107111 bd375d7c 9f191e4c 84b97208 c7232190 2d0562fe ca7a2de4 b9bbb3dc; repr(Pm) 0xc386c018 fe6601a8 cdb0a7dc fd3973ed bb812369 0b38634d 2abe548d a386fd39 0930575f 9321a9c4 2dd3f0d8 b4944321 c374efb0 a31bb9bb 80; repr(k*Pm) 0x11503315 db56ca7a 3901a079 a2635cf8 8a129a5d 1d5af60b 9aba20e0 db2c21a2 5372708b dbdcfc3f d091becb 3765ec54 8946709f bf9774e3 80, wherethe~~mapping the same. Suitability~~leftmost bitof~~such a modification is application-specific. Details are out~~the rightmost octet indicates the parityof~~scope. NOTE 2: The description above assumes that~~the~~domain parameter A~~v-coordinateof the~~Montgomery curve is nonzero. If~~point of Curve448 in question (which, inthis~~is not the~~case,~~the curve is a Weierstrass curve for which the domain parameter b is zero~~are both one, since vand~~Note 2 of~~v1 are odd). SeeAppendix~~L.3.1 applies. If q = 3 (mod 4), an even simpler approach is possible, where one modifies the construction above~~H.2and~~simply takes u:=t~~Appendix I for further detail on (squeezed) point compression. The scalar representationand~~u':=-t (which works, since -1 is not a square~~(squeezed) point representation illustrated above are consistent with the representations specifiedin~~GF(q) and f(-t)=-f(t)). In this case, this construction can be extended to all elements t of GF(q) and, if so, yields a 1-1 mapping between GF(q) and all affine curve points. L.3.3. 
Mapping to Points of Twisted Edwards Curve One can map elements of GF(q)~~[RFC7748], exceptthat~~are not a square~~in~~GF(q) to points of the twisted Edwards curve E_{a,d} via function composition, where one uses~~[RFC7748] only an affine point's u-coordinate is represented (i.e.,the~~mapping~~v-coordinateof~~Appendix L.3.1 to arrive at a~~anypoint~~of the Weierstrass curve W_{a,b}~~is always implicitly assumed to have an even value)and~~where one subsequently uses~~thatthe~~isomorphic mapping between twisted Edwards curves and Weierstrass curves~~representationof~~Appendix D.3 to arrive at a~~thepoint~~of E_{a,d}. Another mapping~~at infinityis~~obtained by function composition, where one instead uses~~not specified. (Note that due tothe~~mapping~~bit-sizeof~~Appendix L.3.2~~the prime p, the lossless representation requires an additional octet comparedto~~arrive at a point~~the lossy representation without v-coordinate.) Another difference is that [RFC7748] allows non-unique representations of some elements of GF(p), whereas our representation conventions do not (since tight). A randomized representation (t1, t2)of the~~Montgomery curve M_{A,B} and~~point k*Pm in tight LSB/ msb order is given by t1 642695971489808425948939115432957219707501931105169269237 122551860533279049805112466411050091592893048844749561382 909707113070546618079 (=0xdf86cb83 ae1ca6e6 da6afbaf afbb2fc0 606a136f 80eea078 c868a5d7 7e638d09 99518385 65250cf1 9c034f96 1fa28f54 f3016600 68335de2) t2 569275737967591640709387827593956375775147481657775744720 460881642951497067363381071471046477130052706607411985560 522861593611384288817 (=0x3176361c 580a7bcd d7880d84 aba10bc6 57010328 afb728cc 2016461b 246bef46 0eb4bb04 8c1a3616 c3f74a56 3cc1790f 6472256b ca3481c8),where~~one subsequently~~this representation is defined in Appendix K.5 anduses the~~isomorphic~~mapping~~between twisted Edwards curves and Montgomery curves~~of Appendix~~D.1 to arrive at a point of E_{a,d}. 
Obviously, one can use function composition (now using the respective pre-images - if these exist) to realize~~K.3.2 withthe~~pre-images of either mapping. L.4. Randomized Representation of Curve Points~~default square root function. O.2. Example with Ed448 Pe=(x, y), k*Pe=(x1, y1), and (k+1)*Pe=(x2, y2) with Ed448: x 12711234107145442394649604543297947887906244696692372551963816418 93066253979844478364753304240794498368174540810674220788120782656 62747 (=0x2cc52fd1 6370554f 00c0f73f 64bda240 f5950177 d9033f6d 74acd12d 68c79a51 315f556f 240973f9 e5f71ed7 9314ee9d c87f0b1b bcc0fd1b). y 69251010954633529003803699627438795111055087299023774963200632446 22677618700964599963790149315020469517869703738619380660774687159 85238 (=0xf3e8bb95 c9675fd0 0c388fc5 e96cfbc7 3c19d945 76849979 34c4ab60 73c4a763 c2a89bac d3879838 f4de11a3 3a4710c2 396dea1d cc012956). x1 69268794439088733926883958090256942256857349796922332363888137509 71700910417786272464007666020220956482611896297610096130434552586 39205 (=0xf3f8c472 ca2e730b 05cc9092 f9d40956 029113e3 e92c2d55 76406db2 c2903721 62f43371 1c0ec80c f8d7222d 1d701467 9da18531 0fb5bb65). y1 50516707418203531159001223293623288296803299598968490915066154362 78541820739332329525138363312119838075438487384161435963107103409 09734 (=0xb1eccbfc 5f5f92e8 d9129d14 b721c524 96fc1b1f a4c17c5f e4979b0c 763f34ba 91299376 d2499220 19b05f56 c3bb6b5d ac988271 287d7aa6). x2 67287262124444231243108222498849910362455590990935326363062127166 04126947894055981270997819628982374416022607672923451356182938105 87868 (=0xecfe1a4f a4cd7e2f 19afcf16 1ce2198f 0a850beb 41afa209 94741609 5b1a858a 8e9548f5 011d188e d50484d3 119103f6 8bcd5ba2 a6e3e8dc). 
y2 13744276256057290540518554008940700979716578667786691114397525367 92684542875757407063179870154307882588988293167000249160114881659 30341 (=0x3068a338 4016ebfd a229ac73 b5c30bba ff67e183 71d1185f 19dfbbee 28478baf 9034ebad 51407f01 35162743 c2c234bc 2d484c13 552ea565).The~~mappings~~representationof~~Appendix L.3.1, Appendix L.3.2,~~kand~~Appendix L.3.3 allow one to represent a curve point Q as a specific element of GF(q), provided this point arises as a point in~~the~~range~~compressed representationsof~~the mapping at hand. For Montgomery curves~~Peand~~twisted Edwards curves, this covers roughly half of~~k*Pe in tight LSB/lsb-order are given by repr(k) =0x01558a4a a6647f5c 2178228a 7ba16d94 6118939b 4ac65043 d4088e88 bdecba3e f9987832 219d4e10 e3c48409 b4a0467f 535eb427 9dddcd3b; repr(Pe) =0x6a948033 b857b69c 4308e25c c5887b2f 1c19e1cb 35d91543 c6e523ce 06d5232c 9e99216e a29b983c e3df3697 a3f11c30 0bfae693 a9dd17cf 01; repr(k*Pe) =0x655ebe14 8e411935 bad6ddc3 6afa0d98 0449924b 6ec99489 5d2cfc6e 30d9e927 fa3e8325 f8d83f69 24a384ed 28b9489b 1749fafa 3fd3378d 01, wherethe~~curve points; for Weierstrass curves, roughly 3/8~~rightmost bitof the~~curve points. One can extend~~rightmost octet indicatesthe~~mappings above, by mapping a pair (t1, t2)~~parity of the x-coordinateof~~inputs to~~the point~~Q:=P2(t1, t2):=P(t1) + P(t2). In~~of Ed448 in question (which, inthis case,~~each curve point has roughly q/4 representations as an ordered pair (t1, t2) on average. In fact, one can show that if the input pairs~~are~~generated uniformly at random, then the corresponding curve points follow a distribution that is also (statistically indistinguishable from) a uniform distribution,~~both one, since xand~~vice-versa. Here, each pair (t1, t2) deterministically yields a curve point, whereas~~x1 are odd). See Appendix H.3 and Appendix Ifor~~each curve~~further detail on (squeezed)point~~Q, a~~compression. 
The scalar representation and (squeezed) point representation illustrated above are fully consistent with the representations specified in [RFC8032]. Note that, contrary to [RFC7748], [RFC8032] requires unique representations of all elements of GF(p). Arandomized~~algorithm yields an ordered pair~~representation(t1, t2) of~~pre-images~~the point k*Pe in tight LSB/ lsb order is given by t1 397357047759003459380102071532091085834125520561197668989 747600577137881485970346806080038194336473483709104865191 806326006691504231547 (=0xde295d0e 5efceb9b f43967ca be45a54b a1f75bdd a4b1b1b3 b24a8d1d f2056329 e506867e c968aa8b 866017e4 f0cbc343 2cf8e7fa 0b202fd1) t2 711800301530600330791068062467600183663589340593884950808 136091389056251997893995894309660827763434071897306280320 151044063120296064809 (=0x94ecb72a 069a5322 e62d9357 c49d5664 1c351611 d1f361a8 cbb8a12c f410e821 4fbe8e02 8d85d404 399b4c7c 5a6a72ce deef7b08 96302d5f), where this representation is defined in Appendix K.5 and uses the mappingof~~Q,~~Appendix K.3.3 with the default square root function and underlying isomorphic mapping between Ed448 and Curve448 of Appendix M.2. O.3. Example with Wei448 Pw=(X, Y), k*Pw=(X1, Y1), and (k+1)*Pw=(X2, Y2) with Wei448: X 29070637261778856087396075817199998758219070555984737667402173284 55389871077654193754799253725773241315783295429899652880118118204 91344 (=0x6663c64e 5b9a1f6d cbee3f5f 839b7dd8 6f53cc3e 0a01dab3 e4a8314e 8d54be2a 4d63380b 692381bb ed7339fd dca7b0cd a80166fe 18c15250). Y 30578727850066757341435137807347775064915058999485530015946871157 86794631407274936870618580714107931661730999350222644894729285604 97149 (=0x6bb38e82 8d52337f 6f0395ef dc16c776 52162f5e 309112ae fc7401bf 0cfb0499 eb1ed555 bf507ebc c33b4753 2d6dc6c5 d68dea1c c1e4c1fd). 
X1 40351504322781497250899987383866753965468971276834772118588405333 77140867939355980788573436893357369201402928958042617224896092079 46142 (=0x8e1f426a 4a1af133 ff970fe2 76693c7a eaa78786 361b1cfe 4ccbd786 e020ba9a 0bf65a1d 5d9a128a f85c63a2 79a00139 7aca56db 15341b9e). Y1 55735504615964066386264989698774850924544182484936624265048483231 35693859362627880184586282439234602798023594054611737412667543758 11547 (=0xc44e5e0f 2c254d23 1dc082db 77175e8c fd37793c 22ebe200 77905a5f 750b3c9f 4a95d4d5 4e1a1e54 d2d31689 4249252d 0c8b1c45 1c1481db). X2 51724471386152414687122300763026650882740205909970876834920746101 21508416303604179834986180511406702029983417676758930643822754281 77944 (=0xb62dc975 470cc05b 082dae0b eabe1dda 25487b2a 9663eec8 f3bd3d0e eb724f44 dc53671c ffabb9ee 0c02aa74 b083cd82 a821a4cf 6f6e5818). Y2 57682103223585233918507344950062950306770296215271320612937204938 77499282103483092990510136901415757273082719665657484294344333591 20741 (=0xcb2988a4 6e37f9a9 a7a1255b 2fd2eea9 82308e7c eb8e18b8 2252175f fd416a10 5984c6b8 36470e48 31879293 8f6139c6 f96164cb 14010965). The representation of k and the compressed representations of Pw and k*Pw in tight MSB/msb-order are given by repr(k) =0xdcb3bbb9 e42d7aca fe62052d 902123c7 0872b984 4c1e199f 7c5d37bd 1171102b c20a6352 d9c91886 29b685de 51441e84 3afe2665 5251aa80; repr(Pw) =0x80 6663c64e 5b9a1f6d cbee3f5f 839b7dd8 6f53cc3e 0a01dab3 e4a8314e 8d54be2a 4d63380b 692381bb ed7339fd dca7b0cd a80166fe 18c15250; repr(k*Pw) =0x80 8e1f426a 4a1af133 ff970fe2 76693c7a eaa78786 361b1cfe 4ccbd786 e020ba9a 0bf65a1d 5d9a128a f85c63a2 79a00139 7aca56db 15341b9e,where the~~expected number~~leftmost bitof~~randomized pre-images one has to try is small (four if one uses~~the~~mapping~~leftmost octet indicates the parityof~~Appendix L.3.1; two if one uses~~the~~mapping~~Y-coordinateof~~Appendix L.3.2). For further details, see Algorithm 1~~the pointof~~[Tibouchi]. Appendix M. 
Curve secp256k1~~Wei448 in question (which, in this case, are both one, since Yand~~Friend M.1. Curve Definition~~Y1 are odd). See Appendix H.1and~~Alternative Representation~~Appendix I for further detail on (squeezed) point compression.The~~elliptic curve secp256k1~~scalar representationisconsistent withthe~~Weierstrass curve W_{a,b} defined over~~representations specified in [SEC1];the~~prime field GF(p), with p:=2^256-2^32-2^9-2^8-2^7-2^6-2^4-1, where a:=0 and b:=7. This curve has order h*n, where h=1 and where n~~(squeezed) point representation illustrated aboveis~~a prime number.~~"new".For~~this curve, domain parameter~~completeness, we includea~~is zero, whereas b is not. The quadratic twist~~SEC1-consistent representationof~~this curve has order h1*n1, where h1 is a 37-bit integer and where n1 is a prime number. For this curve, the base point is the point (GX, GY). The curve secp256k1 is 3-isogenous to~~the~~Weierstrass curve secp256k1.m defined over GF(p), which has nonzero domain parameters a and b and has as base~~point~~the pair (GmX,GmY), where parameters are as specified~~Pwin~~Appendix M.3~~affine formatand~~where the related mappings are as specified~~in~~Appendix M.2. M.2. Switching Between Representations Each~~compressed format below. 
The SEC1-compliantaffine~~point (X,Y)~~representationof~~secp256k1 corresponds to~~the point~~(X',Y'):=(u(X)/w(X)^2,Y*v(X)/w(X)^3) of secp256k1.m, where u, v, and w are the polynomials with coefficients in GF(p) as defined~~Pwin~~Appendix M.4.1, while~~tight MSB/msb-order is given by aff(Pw) =0x6663c64e 5b9a1f6d cbee3f5f 839b7dd8 6f53cc3e 0a01dab3 e4a8314e 8d54be2a 4d63380b 692381bb ed7339fd dca7b0cd a80166fe 18c15250 6bb38e82 8d52337f 6f0395ef dc16c776 52162f5e 309112ae fc7401bf 0cfb0499 eb1ed555 bf507ebc c33b4753 2d6dc6c5 d68dea1c c1e4c1fd, whereas the SEC1-compliant compressed representation ofthe point~~at infinity~~Pw in tight MSB/msb-order is given by compr(Pw) =0x03 6663c64e 5b9a1f6d cbee3f5f 839b7dd8 6f53cc3e 0a01dab3 e4a8314e 8d54be2a 4d63380b 692381bb ed7339fd dca7b0cd a80166fe 18c15250. The SEC1-compliant uncompressed format aff(Pw)of~~secp256k1~~an affine point Pwcorresponds to the~~point at infinity~~right-concatenationof~~secp256k1.m. Under this isogenous mapping,~~its X- and Y-coordinates, each in tight MSB/msb-order, prepended bythe~~base point (GX,GY)~~string 0x04, where the reverse procedure is uniquely defined, since elementsof~~secp256k1~~GF(p) have a unique fixed-size representation. The (squeezed) compressed format repr(Pw)corresponds to the~~base point (GmX,GmY) of secp256k1.m. The dual isogeny maps~~SEC1-compliant compressed format by extractingthe~~affine point (X',Y')~~parity bit t from the leftmost bitof~~secp256k1.m to~~the~~affine point (X,Y):=(u'(X')/w'(X')^2,Y'*v'(X')/w'(X')^3)~~leftmost octetof~~secp256k1, where u', v',~~repr(Pw),and~~w' are the polynomials~~replacing this leftmost octetwith~~coefficients in GF(p) as defined in Appendix M.4.2, while mapping~~0x02 or 0x03, depending on whether t=0 or t=1, respectively, wherethe~~point at infinity O of secp256k1.m~~reverse procedure is uniquely defined. For further details, see [SEC1]. Note that, dueto the~~point at infinity O~~bit-sizeof~~secp256k1. 
Under this dual isogenous mapping,~~the~~base point (GmX, GmY) of secp256k1.m corresponds to a multiple~~prime p, the squeezed compressed format repr(Pw) and the SEC1-compliant compressed format compr(Pw) have the same size. A randomized representation (t1, t2)of the~~base~~point~~(GX, GY) of secp256k1,~~k*Pw in tight MSB/ msb order is given by t1 655783099225353926682910498535559663266263823350679216116 172951494291735730803127024621397533084891460609898061397 896825551162064841608 (=0xe6f93655 2765628b accfe61c 7dc6a594 e06fb243 70195ded 74d88a53 fdedc2e8 077e0eff 62fa6a80 fa26b499 1f8796f5 21f2f03b f7e92b88) t2 357918241879339174086992006475988394618511927120788596330 507910466738735762660894972854331591097934354210992993787 402433561014235472657 (=0x7e0ffcaf 7add27bc bb723629 95fdedd0 8769f676 78d953bc 0d38f4f6 d63a59dc 00f2d55a a4db7dab 16364503 591edcb1 e095a577 43dea311),where this~~multiple~~representationis~~l=3 (the degree~~defined in Appendix K.5 and uses the mappingofAppendix K.3.1 withthe~~isogeny; see~~default square root function. O.4. Example with Wei448.-3 Pw3=(X, Y), k*Pw3=(X1, Y1), and (k+1)*Pw3=(X2, Y2) with Wei448.-3: X 54121793865726175505902038600562190720650456678500106168173285986 99999531708218763586616425010404811083912084906688745035466757984 48968 (=0xbe9f5a23 51709e13 d5ad50c2 a27be8ee 1b051970 2580d5c3 c2de7f75 3010635e d89ef547 8b67dc54 16d63c5b 1cc1116f dd453515 71b39b48). Y 14962282101304548030627835311887275833718070818965306362006934455 59168773381983445709256615887526455657034051121085622763637035580 12661 (=0x34b2dcc4 92d6a940 e6249c14 122d0ba4 5dc040e9 3f060d8f a65fa300 eb3cc969 25188b59 2d31039c f7a8e14a 48320a32 efe9b42b 986afef5). X1 18808295916646645825216065847266150404062470629833854840155953858 63091795696773741607659794828181692381790403935750135247605982648 6547 (=0x069fdd7c 2ec1ecbf d3cd0e27 1e8110c6 d2e478f2 aa393928 64a5511e da0b8dc7 3834fd57 b5ef8527 361a8176 c6da44ee 63701c0c f49d7d13). 
Y1 12212945244064471634326466576257313927639904273911210953487761656 77684161144865373513143868308041748047828401098060667767703779846 85920 (=0x2b03e68e b61581c4 9f977443 3e1ddc63 976f8f1d cdb185ee 9c53328d b425973d 359bbc09 468645c4 0996a2c7 fda561be acb4d0b5 745ab760). X2 58672976485086436102048679093716482249296622848351051568512020319 97872083950108489407370832733527154843728068195507632886574086695 12670 (=0xcea6f66e e741e7b3 ee50acd4 bd6eacbf 821fab72 bf5fe85b 8f614af9 04aff677 15e820b9 e4bcc159 f67a97f3 2c176d2c d9b7cdeb f753f3de). Y2 63661899992109030051219177516378471383513217472497460517936503629 79522840238080543318627428149249774773108009447466292682661818280 41265 (=0xe0394408 ed2b4efb b6b6ac7e bc815516 fdf31a6e d32db3f9 54cd8ac1 c7ddf0cc e7507688 a70f219a 57eef863 49003560 66747ca3 00105a31). The representation of k andthe~~description~~compressed representations of Pw3 and k*Pw3in~~Appendix F.4). Note that this isogenous map (and its dual) primarily involves~~tight MSB/msb-order are given by repr(k) =0xdcb3bbb9 e42d7aca fe62052d 902123c7 0872b984 4c1e199f 7c5d37bd 1171102b c20a6352 d9c91886 29b685de 51441e84 3afe2665 5251aa80; repr(Pw3) =0x80 be9f5a23 51709e13 d5ad50c2 a27be8ee 1b051970 2580d5c3 c2de7f75 3010635e d89ef547 8b67dc54 16d63c5b 1cc1116f dd453515 71b39b48; repr(k*Pw3) =0x00 069fdd7c 2ec1ecbf d3cd0e27 1e8110c6 d2e478f2 aa393928 64a5511e da0b8dc7 3834fd57 b5ef8527 361a8176 c6da44ee 63701c0c f49d7d13, wherethe~~evaluation~~leftmost bitof~~three fixed polynomials involving~~the~~x-coordinate, which takes roughly 10 modular multiplications (or less than 1% relative incremental cost compared to~~leftmost octet indicatesthe~~cost of an elliptic curve scalar multiplication). M.3. Domain Parameters The parameters~~parityof the~~curve sec256k1 and~~Y-coordinate ofthe~~corresponding 3-isogenous curve sec256k1.m~~point of Wei448.-3 in question (which, in this case,are~~as indicated below. 
Here, the domain parameters~~one and zero, respectively, since Y is odd and Y1 is even). See Appendix H.1 and Appendix I for further detail on (squeezed) point compression. A randomized representation (t1, t2)of the~~curve secp256k1 are as specified~~point k*Pw3in~~[SEC2];~~tight MSB/ msb order is given by t1 450833060883286904091316612794941178576639837300736625958 696097131313213727115363096930063001237631586932727905179 306828042642854311987 (=0x9ec9ba07 3fb2bb5e 9dbee995 067ce094 63601ecd 325f0930 aea79cb8 745fa71d 4caa37ee f04fab67 ab2de747 4ac0a025 830f4828 429cf833) t2 339205723274519707955026734148022275762579914421865223818 363622725164496136165251928391223173879522521195772276587 373445978123589677750 (=0x7778c1f9 9d900633 d161d7ea a963ddad e9101d3f f4f04710 623d2a51 6ca10133 3db9ccc3 86df9271 fbb72740 77f79dd1 9aed0bfb e3bc72b6), where this representation is defined in Appendix K.5 and usesthe~~domain parameters~~mappingof~~secp256k1.m are "new". General parameters (for all curves): p 2^256-2^32-2^9-2^8-2^7-2^6-2^4-1 (=0xffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe fffffc2f) h 1 n 11579208923731619542357098500868790785283756427907490438260516314 1518161494337 (=0xffffffff ffffffff ffffffff fffffffe baaedce6 af48a03b bfd25e8c d0364141) h1 23479460174521 (=0x1a 9bfcab89) n1 10131766773001318469008702396060356387381009972480920692566974370 31 (=0x099ee564 ea5d84f5 08913936 a761b0d5 d792a426 a7779817 ae2f5b67) Weierstrass curve-specific parameters (for secp256k1): a 0 (=0x00) b 7 (=0x07) GX 55066263022277343669578718895168534326250603453777594175500187360 389116729240 (=0x79be667e f9dcbbac 55a06295 ce870b07 029bfcdb 2dce28d9 59f2815b 16f81798) GY 32670510020758816978083085130507043184471273380659243275938904335 757337482424 (=0x483ada77 26a3c465 5da4fbfc 0e1108a8 fd17b448 a6855419 9c47d08f fb10d4b8) Weierstrass curve-specific parameters (for secp256k1.m): a 93991599167772749909245591943117186381494883464374162770646538702 960816911535 
(=0xcfcd5c21 75e2ef7d ccdce737 770b7381 5a2f13c5 09035ca2 54a14ac9 f08974af)
b 1771 (=0x06eb)
GmX 26591621185618668069038227574782692264471832498547635565821216767730887659845 (=0x3aca5300 959fa1d0 baf78dcf f77a616f 395e586d 67aced0a 88798129 0c279145)
GmY 67622516283223102233819216063319565850973524550533340939716651159860372686848 (=0x9580fce5 3a170f4f b744579f f3d62086 12cd6a23 3e2de237 f976c6a7 8611c800)

M.4. Isogeny Details

The isogeny and dual isogeny are both isogenies with degree l=3. Both are specified by a triple of polynomials u, v, and w (resp. u', v', and w') of degree 3, 3, and 1, respectively, with coefficients in GF(p). The coefficients of each of these polynomials are specified in Appendix M.4.1 (for the isogeny) and in Appendix M.4.2 (for the dual isogeny). For each polynomial in variable x, the coefficients are tabulated as a sequence of coefficients of x^0, x^1, x^2, ..., in hexadecimal format.

M.4.1. Isogeny Parameters

M.4.1.1. Coefficients of u(x)

0 0x54
1 0xa4d89db3ed06c81e6143ec2eca9f761d8d17260dc229e1da1f73f714506872a9
2 0xcc58ffccbd9febb4a66222c7d1311d988d88c0624bcd68ec4c758a8e67dfd99b
3 0x01

M.4.1.2. Coefficients of v(x)

0 0x1c
1 0x94c7bc69befd17f2fae2e3ebf24df1f355d181fa1a8056103ba9baad4b40f029
2 0xb2857fb31c6fe18ef993342bb9c9ac64d44d209371b41d6272b04fd61bcfc851
3 0x01

M.4.1.3. Coefficients of w(x)

0 0xe62c7fe65ecff5da53311163e8988ecc46c4603125e6b476263ac546b3efeae5
1 0x01

M.4.2. Dual Isogeny Parameters

M.4.2.1. Coefficients of u'(x)

0 0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7
1 0x44cd5cd7ce55a801725891578fbe7356bd936355fd0e2f538797cecff7a37244
2 0x668d0011162006c3c889f4680f9a4b77d0d26a89e6bb87b13bd8d1cfdd600a41
3 0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c

M.4.2.2. Coefficients of v'(x)

0 0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c
1 0x519ba9c1f48f68054def6a410f0fa6e8b71c6c3b4a8958324681f6508c01fada
2 0xb34680088b100361e444fa3407cd25bbe8693544f35dc3d89dec68e76eb00338
3 0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84

M.4.2.3. Coefficients of w'(x)

0 0x4d7a804ce3901e71066ccbd44636539b2bb2df6c8e4be29d8d4fb028e43033de
1 0x01

~~Appendix K.3.1 with the default square root function.~~

~~O.5. Example with Edwards448~~

~~Pe1=(x, y), k*Pe1=(x1, y1), and (k+1)*Pe1=(x2, y2) with Edwards448:~~

~~x 703203958930289616730466399854098702262494427017609560792989566882689660099942189775187780494684899785232536165966574428762071955867733 (=0xf7acf3ca b79b29c2 aa44863d 9edaeca4 8c90ad84 e460df42 7dd9ab59 1bd8a844 07cb3419 59309b33 1e22bfa1 a2d37e10 e2e42a1f 170f0855)~~
~~y 706287068548572816488632914879421660521379914413200552376443044645878793827316539146465352892969935075422424361399618773442407421198773 (=0xf8c2f181 3bceee8e 085ecd70 d1b6aa4c ea9b95bd 8f36ab44 c79e9124 1ea625b7 f9f5ec57 89cc5af2 a2eb255a b252b874 509dc0d9 685841b5)~~
~~x1 381258750416497012117057905542447137131349187494458545422729995967405898630448879525833497883880945625772149610576989488018565732840277 (=0x864880b9 e1900c68 ba4a545a 6fe2b161 62dcc3b9 fa218e4b feba9828 5cee5193 f2c989f6 c3b94eb6 2914dce7 b4818e4d 8fc8d51f 05a13355)~~
~~y1 11060653846610182753991162627427631707898421166839907726978369444533375415527464286621766326600366394063755488888496238339634588131154 (=0x03e54af3 7f4cf5e6 5f1e2acd 5c4a4554 76adc652 b198ab2a 719e5aa9 ee749871 0193da82 ab6d000b f55836b1 0615653f 69514297 f4459f52)~~
~~x2 15620503788413497044804517304021524439062374489822547728508337937506063352702767247259396837263180587443846115847313650198964858128760 (=0x05806f71 95e85352 ef3960ac 1ff9cf6c 3c99e0ee 2e75edfc a133cafc 4a4b5fbf e4339859 c5fa123b 70ad2faf 7584ab9d 264540e7 7d560978)~~
~~y2 400199175141217274631221901256893778907035706983371581591535108366844238651675194557746847380156126138628590258586851798850601029344096 (=0x8cf44811 3cec6e07 d1bbe9f5 4062075c 6fec0ac5 31272dce 1f446aeb d895373d e312c18d 6a345755 2861e014 0cc23158 a46ace4c 9ca21b60)~~

~~The representation of k and the compressed representations of Pe1 and k*Pe1 in tight LSB/lsb-order are given by~~
~~repr(k) = 0x01558a4a a6647f5c 2178228a 7ba16d94 6118939b 4ac65043 d4088e88 bdecba3e f9987832 219d4e10 e3c48409 b4a0467f 535eb427 9dddcd3b;~~
~~repr(Pe1) = 0xad821a16 9b03b90a 2e1d4a4d 5aa4d745 4f5a3391 ea37af9f eda46578 248979e3 22d56cf1 bda9d957 32556d8b 0eb37a10 717773dc 818f431f 01;~~
~~repr(k*Pe1) = 0x4af9a22f e9428a96 fca6a860 8d6c1aaf d000b6d5 415bc980 8e192e77 955a798e 54d5198d 4a63b56e 2aa2523a b35478fa 67af32fe cf52a7c0 01,~~
~~where the rightmost bit of the rightmost octet indicates the parity of the x-coordinate of the point of Edwards448 in question (which, in this case, are both one, since x and x1 are odd). See Appendix H.3 and Appendix I for further detail on (squeezed) point compression. The scalar representation and (squeezed) point representation illustrated above are fully consistent with the representations specified in [RFC8032]. Note that, contrary to [RFC7748], [RFC8032] requires unique representations of all elements of GF(p).~~

~~A randomized representation (t1, t2) of the point k*Pe1 in tight LSB/lsb order is given by~~
~~t1 125390048858887400104074787879402833851854739339836093733734638776755983021034212058415891288350265701101219981698849086128138510420407 (=0xed921f3d 6ea4e452 dd06e783 782cbeb3 c5847a79 d9e6b993 bd387cf5 feeddafe af8c038d f2732362 92724d37 273eedfc f2ab2499 98a79434)~~
~~t2 36526849448425313287510267678356066662510989913376769610660272395832224843016065131407512700563103199335496895093671875730862008188281 (=0x9ebc28c0 86176a1a c7f0cf71 ca5f2a8f 908bb27b e85c0bbd 1641c052 e542f7d3 88e18886 5afdca32 8df45408 8b6da28c 0bc09d83 309ebb30),~~
~~where this representation is defined in Appendix K.5 and uses the mapping of Appendix K.3.3 with the default square root function and underlying 4-isogenous mapping between Edwards448 and Curve448 of Appendix N.2.~~

Author's Address

Rene Struik
Struik Security Consultancy
Email: rstruik.ext@gmail.com
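As an added worked check of the squeezed tight LSB/lsb-order point representation of Appendix O.5 above (example code written for this page, not code from the draft), the block below encodes and decodes an Edwards448 point and reproduces repr(Pe1) from Pe1=(x, y). It assumes Edwards448 as defined in RFC 7748 (x^2 + y^2 = 1 + d*x^2*y^2 with d = -39081 over GF(2^448 - 2^224 - 1)), that "default square root" means the root a^((p+1)/4) with the parity bit selecting between x and p - x, and Python 3.8 or later for pow(a, -1, p).

```python
# Added example, not code from the draft: encode/decode the "squeezed" tight
# LSB/lsb-order point representation of Appendix O.5 for Edwards448.
# Assumed curve: Edwards448 as in RFC 7748, x^2 + y^2 = 1 + d*x^2*y^2.
P = 2**448 - 2**224 - 1   # field prime shared by Curve448 and Edwards448
D = (-39081) % P          # Edwards448 curve coefficient d (assumption)
NBYTES = 56               # a 448-bit y-coordinate fits in 56 octets

def _bitrev(b):
    # lsb-order within an octet: reverse the bit order of one octet
    return int(f"{b:08b}"[::-1], 2)

def squeeze(x, y):
    # LSB-order: least significant octet of y first; lsb-order: least
    # significant bit first within each octet; then one trailing octet
    # whose rightmost bit is the parity of x (bit 456 of the tight encoding).
    body = bytes(_bitrev(b) for b in y.to_bytes(NBYTES, "little"))
    return body + bytes([x & 1])

def on_curve(x, y):
    return (x * x + y * y - 1 - D * x * x * y * y) % P == 0

def unsqueeze(rep):
    # Inverse of squeeze(); rejects encodings that are not unique in the
    # sense of RFC 8032 (y >= p, stray bits in the parity octet).
    if len(rep) != NBYTES + 1 or rep[NBYTES] not in (0, 1):
        raise ValueError("malformed squeezed Edwards448 point")
    y = int.from_bytes(bytes(_bitrev(b) for b in rep[:NBYTES]), "little")
    if y >= P:
        raise ValueError("y-coordinate not reduced modulo p")
    # x^2 = (1 - y^2) / (1 - d*y^2); p = 3 (mod 4), so the default square
    # root is a^((p+1)/4) and the parity bit then selects x or p - x.
    x2 = (1 - y * y) * pow((1 - D * y * y) % P, -1, P) % P
    x = pow(x2, (P + 1) // 4, P)
    if x * x % P != x2:
        raise ValueError("no point of Edwards448 has this y-coordinate")
    if x == 0 and rep[NBYTES]:   # x = 0 has no odd counterpart
        raise ValueError("invalid parity bit for x = 0")
    if x & 1 != rep[NBYTES]:
        x = P - x
    return x, y

# Test vectors Pe1 = (x, y), repr(Pe1) and repr(k*Pe1) copied from Appendix O.5.
PE1_X = int("f7acf3cab79b29c2aa44863d9edaeca48c90ad84e460df427dd9ab591bd8a84407cb341959309b331e22bfa1a2d37e10e2e42a1f170f0855", 16)
PE1_Y = int("f8c2f1813bceee8e085ecd70d1b6aa4cea9b95bd8f36ab44c79e91241ea625b7f9f5ec5789cc5af2a2eb255ab252b874509dc0d9685841b5", 16)
REPR_PE1 = bytes.fromhex("ad821a169b03b90a2e1d4a4d5aa4d7454f5a3391ea37af9feda46578248979e322d56cf1bda9d95732556d8b0eb37a10717773dc818f431f01")
REPR_KPE1 = bytes.fromhex("4af9a22fe9428a96fca6a8608d6c1aafd000b6d5415bc9808e192e77955a798e54d5198d4a63b56e2aa2523ab35478fa67af32fecf52a7c001")
```

Decoding repr(k*Pe1) with unsqueeze() recovers (x1, y1) with x1 odd, as the appendix states, and re-encoding it gives back the same 57 octets.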
