3

I am implementing a ECDH using Curve25519 to communicate two system. One system have library that use for weierstrass curve only, it can define with domain parameter like p, a, b, G_x, G_y. I have read and find that Curve25519 can converse to weierstrass, I can find that converse domain paramerter for Curve25519 here (https://tools.ietf.org/id/draft-ietf-lwig-curve-representations-02.html). After that, I need converse point from Curve25519 to weierstrass, I find the mapping is (u,v) -> (x, y) = (u + A/3, v) but I do not understand that. Example with base point of Curve25519, (u, v) = (0x9, 0x20ae19a1b8a086b4e01edd2c7748d14c923d4d7e6d7c61b229e9c5a27eced3d9), after converse in weierstrass, base point is (0x2aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaad245a, 0x20ae19a1b8a086b4e01edd2c7748d14c923d4d7e6d7c61b229e9c5a27eced3d9), with A = 486662, B = 1. That seem not correct with mapping, so is that operator devision is not normal division. What exactly I need to converse point in form Curve25519 to weierstrass curve, thank you.

Tien Pham
  • 51
  • 2

2 Answers2

2

I'm not sure what is your question, I'm assuming you are not understanding why the mapping gives that particular result...

In ECC, all computations are carried out in a finite field. For Curve25519, all computations are done modulo $p = 2^{255}-19$.

To compute $u + A/3$, the division by three is actually $A$ multiplied by the inverse of $3$ modulo $p$. This inverse is the value that, when multiplied by 3, given 1 modulo $p$. This inverse is 0x5555555555555555555555555555555555555555555555555555555555555549; you can check that if you multiply this by $3$ and compute the remainder of the division by $p$ it will give $1$. Carring out the rest of the computation (always reducing modulo $p$) will give the expected result 0x2aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaad245a.

The modular inverse can be computed using the extended Euclidean algorithm or using Euler's theorem (which is computing the exponentiation by $p-2$).

Conrado
  • 6,614
  • 1
  • 30
  • 45
0

I am implementing a ECDH using Curve25519 to communicate two system. One system have library that use for weierstrass curve only, ...

Curve25519 is the underlaying curve designed for X25519 Diffie-Hellman function (details see RFC 7748), it's designed to be more easily to implement correctly than Weierstrass curves.

Curve25519 and secp256r1 (or any other SECG curves) are NOT designed to interoperate with each other, if you don't have support for one of them, use the other; or if both are missing what the other have, use finite-field Diffie-Hellman key exchange.

Community
  • 1
DannyNiu
  • 10,640
  • 2
  • 27
  • 64