Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement barrett reduction for ed25519 exponent field #43

Closed
andres-erbsen opened this issue Aug 3, 2016 · 7 comments
Closed

Implement barrett reduction for ed25519 exponent field #43

andres-erbsen opened this issue Aug 3, 2016 · 7 comments
Labels
enhancement

Comments

@andres-erbsen
Copy link
Contributor

modulus m = 2^252 + 27742317777372353535851937790883648493, length k = 256, (precomputed mu = 1852673427797059126777135760139006525645217721299241702126143248052143860224795,) input a < 2^512. As in https://github.com/floodyberry/supercop/blob/master/crypto_sign/ed25519/ref/sc25519.c#L41.
@andres-erbsen andres-erbsen mentioned this issue Aug 3, 2016
Merged
@andres-erbsen
Copy link
Contributor Author

andres-erbsen commented Aug 3, 2016
edited
Loading

Or maybe we are mistaken to assume base b=2. Following HAC 14.42 as the code suggests, b=256, k=32 would make sense as well, and satisfy b^(k-1) < n < b^k.

@JasonGross
Copy link
Collaborator

Oh, hrm, interesting. I don't think I have anything that relies on b = 2, so it should be easy to generalize to any b > 1. The computation is q = (mu * (a >> (256 - 32)) >> (256 + 32)?

@andres-erbsen
Copy link
Contributor Author

The guess I have with b=256=2^8 would give 256^(32-1) = 2^(256-8) and 256^(32+1) = 2^(256+8), so q = (mu * (a >> (256 - 8)) >> (256 + 8).

@JasonGross
Copy link
Collaborator

Ugh, why are there so many variations on Barrett Reduction. Not only does this version split apart the shifts, it also does reduction modulo b^(k+1) early (which might be where the possibility of negative values comes from).

JasonGross referenced this issue in JasonGross/fiat-crypto Aug 3, 2016
@JasonGross
Add a generalized version of Barrett Reduction
22785ad 
In this version, we split up the integer division so that we are less
likely to overflow in intermediate computations.

This is still not the version in HAC 14.42; that version also does early
reduction modulo b^(k+1).

This is work towards #43
@JasonGross JasonGross mentioned this issue Aug 3, 2016
Merged
@JasonGross
Copy link
Collaborator

@andres-erbsen Is it acceptable to replace

(3) If r < 0 then r ← r + bᵏ⁺¹

with

(3) r ← r mod bᵏ⁺¹

? I think this would make the proofs much easier, and it seems like, by choosing k and b carefully with respect to the machine word size, you get this for free.

JasonGross referenced this issue in JasonGross/fiat-crypto Aug 4, 2016
@JasonGross
Implement Barrett Reduction following HAC 14.42
0d56b01 
From http://cacr.uwaterloo.ca/hac/about/chap14.pdf

This should take care of most of #43, at least the specification on Z
part of it.
@JasonGross JasonGross mentioned this issue Aug 4, 2016
Merged
JasonGross added a commit that referenced this issue Aug 4, 2016
@JasonGross
Add a generalized version of Barrett Reduction (#44)
f23858c 
In this version, we split up the integer division so that we are less
likely to overflow in intermediate computations.

This is still not the version in HAC 14.42; that version also does early
reduction modulo b^(k+1).

This is work towards #43
JasonGross added a commit that referenced this issue Aug 4, 2016
@JasonGross
Implement Barrett Reduction following HAC 14.42 (#45)
c29fa1a 
From http://cacr.uwaterloo.ca/hac/about/chap14.pdf

This should take care of most of #43, at least the specification on Z
part of it.
@JasonGross
Copy link
Collaborator

What needs to be done to complete this, on top of #69?

@JasonGross
Copy link
Collaborator

Closed by #77.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JasonGross @andres-erbsen