Diffstat (limited to 'doc/source/crypto')
-rw-r--r-- doc/source/crypto/ec25519.rst 18
-rw-r--r-- doc/source/crypto/fhmqvc.rst 14
2 files changed, 11 insertions, 21 deletions
diff --git a/doc/source/crypto/ec25519.rst b/doc/source/crypto/ec25519.rst
index 48aadb7..caf109b 100644
--- a/doc/source/crypto/ec25519.rst
+++ b/doc/source/crypto/ec25519.rst
@@ -120,29 +120,23 @@ The two possible :math:`v` coordinates are:
.. math::
- \begin{align}
- v1 &= \texttt{0x20ae19a1b8a086b4e01edd2c7748d14c923d4d7e6d7c61b229e9c5a27eced3d9} \\
- v2 &= \texttt{0x5f51e65e475f794b1fe122d388b72eb36dc2b28192839e4dd6163a5d81312c14}
- \end{align}
+ v1 &= \texttt{0x20ae19a1b8a086b4e01edd2c7748d14c923d4d7e6d7c61b229e9c5a27eced3d9} \\
+ v2 &= \texttt{0x5f51e65e475f794b1fe122d388b72eb36dc2b28192839e4dd6163a5d81312c14}
Out of :math:`(u,v_1)` and :math:`(u,v_2)`, the point :math:`(u,v_1)` has been arbitrarily chosen to be used in fastd; using
the equivalence between Montgomery and twisted Edwards curves given by [BBJ+08]_
.. math::
- \begin{align}
- x &= \frac{u}{v} \\
- y &= \frac{u-1}{u+1}
- \end{align}
+ x &= \frac{u}{v} \\
+ y &= \frac{u-1}{u+1}
this leads to the coordinates
.. math::
- \begin{align}
- x &= \texttt{0x547c4350219f5e19dd26a3d6668b74346a8eb726eb2396e1228cfa397ffe6bd4} \\
- y &= \texttt{0x6666666666666666666666666666666666666666666666666666666666666658}
- \end{align}
+ x &= \texttt{0x547c4350219f5e19dd26a3d6668b74346a8eb726eb2396e1228cfa397ffe6bd4} \\
+ y &= \texttt{0x6666666666666666666666666666666666666666666666666666666666666658}
which specify the generator point :math:`G` that is used by fastd's ``ec25519-fhmqvc``. Like :math:`(u,v_1)` on
the Montgomery curve, the point :math:`G = (x, y)` on the twisted Edwards curve has the order
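Review bot: The first formula block names the constants `v1` and `v2`, while the prose right after it refers to the same values as `v_1` and `v_2`, so the rendered equation and the text disagree on notation. Since these two lines are being rewritten anyway, consider `v_1 &= ...` and `v_2 &= ...` so the block matches "Out of (u,v_1) and (u,v_2)".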
diff --git a/doc/source/crypto/fhmqvc.rst b/doc/source/crypto/fhmqvc.rst
index aa6f0cc..e3af6d4 100644
--- a/doc/source/crypto/fhmqvc.rst
+++ b/doc/source/crypto/fhmqvc.rst
@@ -75,11 +75,9 @@ following definitions for these functions:
.. math::
- \begin{align}
- d|e &= \text{SHA256}(Y|X|\hat{B}|\hat{A}) \\
- K_1 &= \textit{KDF}_1(\sigma,\hat{A},\hat{B},X,Y) = \text{HKDF-SHA256}(\texttt{0x00}^{32}, \sigma, \hat{A}|\hat{B}|X|Y, 32) \\
- K_2 &= \textit{KDF}_2(\sigma,\hat{A},\hat{B},X,Y) = \text{HKDF-SHA256}(K_1, \sigma, \hat{A}|\hat{B}|X|Y|\textit{method}, *)
- \end{align}
+ d|e &= \text{SHA256}(Y|X|\hat{B}|\hat{A}) \\
+ K_1 &= \textit{KDF}_1(\sigma,\hat{A},\hat{B},X,Y) = \text{HKDF-SHA256}(\texttt{0x00}^{32}, \sigma, \hat{A}|\hat{B}|X|Y, 32) \\
+ K_2 &= \textit{KDF}_2(\sigma,\hat{A},\hat{B},X,Y) = \text{HKDF-SHA256}(K_1, \sigma, \hat{A}|\hat{B}|X|Y|\textit{method}, *)
where :math:`V|W` designates the concatenation of the binary strings :math:`V` and :math:`W` and
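Review bot: The three added lines keep the `&=` alignment points and the `\\` row breaks after `\begin{align}` and `\end{align}` are dropped, so the block now only typesets if the `.. math::` directive supplies an alignment environment on its own. State that dependency in the commit message, and confirm that the long K_1 and K_2 rows still align in both the HTML and the LaTeX build.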
@@ -96,10 +94,8 @@ as
.. math::
- \begin{align}
- d = \bar{H}(X|Y|\hat{A}|\hat{B}) \\
- e = \bar{H}(Y|X|\hat{A}|\hat{B})
- \end{align}
+ d &= \bar{H}(X|Y|\hat{A}|\hat{B}) \\
+ e &= \bar{H}(Y|X|\hat{A}|\hat{B})
fastd uses a single 256 bit hash :math:`\text{SHA256}(Y|X|\hat{B}|\hat{A})` instead and cuts it into two 128 bit pieces
which are used as :math:`d` and :math:`e`. This optimization allows reusing the SHA256 implementation that is already used for
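Review bot: Unlike the other hunks, the replacement lines here also change `d =` and `e =` to `d &=` and `e &=`, adding alignment points the old block never had. That is a rendering fix separate from dropping the `align` wrapper; mention it in the commit message so the difference from the other hunks does not look accidental.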