fix comments in generated code too

30544252 · Michael Hamburg · 4a133be2 · 30544252 · 30544252 · 30544252
Commit 30544252 authored Sep 04, 2017 by Michael Hamburg
--- a/aux/ristretto/ristretto.sage
+++ b/aux/ristretto/ristretto.sage
@@ -278,15 +278,11 @@ class Decaf_1_1_Point(QuotientEdwardsPoint):
        
        if self.cofactor==8 and negative(x*y*self.isoMagic):
            x,y = self.torque()
-        
-        isr2 = isqrt(a*(y^2-1)) * sqrt(a*d-1)
-        
+            
        sr = xsqrt(1-a*x^2)
-        assert sr in [isr2*x*y,-isr2*x*y]
-        
-        altx = 1/isr2*self.isoMagic
-        if negative(altx): s = (1+x*y*isr2)/(a*x)
-        else:              s = (1-x*y*isr2)/(a*x)
+        altx = x*y*self.isoMagic / sr
+        if negative(altx): s = (1+sr)/x
+        else:              s = (1-sr)/x
        
        return self.gfToBytes(s,mustBePositive=True)
        
@@ -297,11 +293,11 @@ class Decaf_1_1_Point(QuotientEdwardsPoint):
        s = cls.bytesToGf(s,mustBePositive=True)
        
        if s==0: return cls()
-        isr = isqrt(s^4 + 2*(a-2*d)*s^2 + 1)
-        altx = 2*s*isr*cls.isoMagic
-        if negative(altx): isr = -isr
+        t = xsqrt(s^4 + 2*(a-2*d)*s^2 + 1)
+        altx = 2*s*cls.isoMagic/t
+        if negative(altx): t = -t
        x = 2*s / (1+a*s^2)
-        y = (1-a*s^2) * isr
+        y = (1-a*s^2) / t
        
        if cls.cofactor==8 and (negative(x*y*cls.isoMagic) or y==0):
            raise InvalidEncodingException("x*y is invalid: %d, %d" % (x,y))
@@ -455,7 +451,7 @@ class IsoEd448Point(RistrettoPoint):
    @classmethod
    def base(cls):
        return cls(  # RFC has it wrong
-         -345397493039729516374008604150537410266655260075183290216406970281645695073672344430481787759340633221708391583424041788924124567700732,
+         345397493039729516374008604150537410266655260075183290216406970281645695073672344430481787759340633221708391583424041788924124567700732,
            -363419362147803445274661903944002267176820680343659030140745099590306164083365386343198191849338272965044442230921818680526749009182718
        )
            
@@ -464,7 +460,6 @@ class TwistedEd448GoldilocksPoint(Decaf_1_1_Point):
    d = F(-39082)
    a = F(-1)
    qnr = -1
-    magic = isqrt(a*d-1)
    cofactor = 4
    encLen = 56
    isoMagic = IsoEd448Point.magic
@@ -478,14 +473,13 @@ class Ed448GoldilocksPoint(Decaf_1_1_Point):
    d = F(-39081)
    a = F(1)
    qnr = -1
-    magic = isqrt(a*d-1)
    cofactor = 4
    encLen = 56
    isoMagic = IsoEd448Point.magic
    
    @classmethod
    def base(cls):
-        return -2*cls( # FIXME: make not negative
+        return 2*cls(
 224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710, 298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660
        )


--- a/aux/ristretto/ristretto.tex
+++ b/aux/ristretto/ristretto.tex
@@ -65,7 +65,12 @@ $$(x,y) = \left(\frac{u}{v}\cdot\frac{\sqrt{a-d}}{2},\ \ \frac{u-1}{u+1}\right)$

 If $M = (u,v)$ is a point on the Montgomery curve, then the $u$-coordinate of $2M$ is $(u^2-1)^2 / (4v^2)$ is necessarily square.  It follows that if $(x,y)$ is a point on $E_{a,d}$, and $a-d$ is square, then $(1+y)/(1-y)$ is also square.

-\todo{Nega montgomery}
+Likewhise, when $d-a$ is square in \F, $E_{a,d}$ is isomorphic to the Montgomery curve
+$$v^2 = u\cdot\left(u^2 - 2\cdot\frac{a+d}{a-d}\cdot u + 1\right)$$
+by the map
+$$(u,v) = \left(\frac{y+1}{y-1},\ \ \frac{y+1}{y-1}\cdot\frac1x\cdot\frac{2}{\sqrt{d-a}}\right)$$
+with inverse
+$$(x,y) = \left(\frac{u}{v}\cdot\frac{\sqrt{d-a}}{2},\ \ \frac{1+u}{1-u}\right)$$

 \section{Lemmas}
 First, we characterize the 2-torsion and 4-torsion groups.\\

--- a/src/GENERATED/c/p25519/f_generic.c
+++ b/src/GENERATED/c/p25519/f_generic.c
@@ -106,14 +106,14 @@ void gf_strong_reduce (gf a) {
    assert(word_is_zero(carry + scarry_0));
 }

-/** Add two gf elements */
+/** Subtract two gf elements d=a-b */
 void gf_sub (gf d, const gf a, const gf b) {
    gf_sub_RAW ( d, a, b );
    gf_bias( d, 2 );
    gf_weak_reduce ( d );
 }

-/** Subtract d = a-b */
+/** Add two field elements d = a+b */
 void gf_add (gf d, const gf a, const gf b) {
    gf_add_RAW ( d, a, b );
    gf_weak_reduce ( d );

--- a/src/GENERATED/c/p448/f_generic.c
+++ b/src/GENERATED/c/p448/f_generic.c
@@ -106,14 +106,14 @@ void gf_strong_reduce (gf a) {
    assert(word_is_zero(carry + scarry_0));
 }

-/** Add two gf elements */
+/** Subtract two gf elements d=a-b */
 void gf_sub (gf d, const gf a, const gf b) {
    gf_sub_RAW ( d, a, b );
    gf_bias( d, 2 );
    gf_weak_reduce ( d );
 }

-/** Subtract d = a-b */
+/** Add two field elements d = a+b */
 void gf_add (gf d, const gf a, const gf b) {
    gf_add_RAW ( d, a, b );
    gf_weak_reduce ( d );