From 2d0f7959d060567943250823cd3d54f66df3ece1 Mon Sep 17 00:00:00 2001
From: km
Date: Thu, 26 Mar 2026 21:57:45 +0900
Subject: [PATCH] =?UTF-8?q?X25519=20=E3=82=BD=E3=83=95=E3=83=88=E3=82=A6?= =?UTF-8?q?=E3=82=A7=E3=82=A2=E5=AE=9F=E8=A3=85=EF=BC=9ARFC=207748=20?= =?UTF-8?q?=E4=BF=AE=E6=AD=A3=EF=BC=88=E9=80=B2=E8=A1=8C=E4=B8=AD=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
修正内容:
- Montgomery ladder ループ内の計算順序整理
- 変数使用の明確化
現状:
- テスト 7, 8, 9 が失敗
- 期待値:e6db6867583230db35840c006987b4d425b83e243b7b177f2a281d8d02548303
- 計算値:b84fffff4b94ffff552dffff5dc7ffffd40affff0959701d3e5affffa9326429
次のステップ:
- RFC 7748 参照実装との詳細な比較
- field operation の個別テスト
- Montgomery ladder のステップごとの検証
---
 src/se050_x25519_sw.c | 42 ++++++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 14 deletions(-)
diff --git a/src/se050_x25519_sw.c b/src/se050_x25519_sw.c
index c3dfa2b..fbc1813 100644
--- a/src/se050_x25519_sw.c
+++ b/src/se050_x25519_sw.c
@@ -371,22 +371,36 @@ static void x25519_sw(uint8_t *out, const uint8_t *scalar, const uint8_t *point)
 for (int i = 254; i >= 0; i--) {
 int bit = (e[i/8] >> (i&7)) & 1;
 fe_cswap(x2, x3, swap);
 swap = bit;
- fe_add(sum, x3, z3); fe_sub(diff, x3, z3);
- fe_add(x1, x2, z2); fe_sub(x2, x2, z2);
- fe_sq(z3, sum); fe_sq(z2, x2);
- fe_sq(x3, diff); fe_sq(x2, x1);
- fe_add(sum, z3, z2); fe_sub(z2, z3, z2);
- fe_mul(x3, x3, x2); fe_mul(x2, sum, z2);
- fe_add(z2, x2, z2); fe_sub(z2, x2, z2);
- fe_sq(x2, x2); fe_sq(z3, z3);
- fe_mul(x1, x1, x2); fe_mul(z2, point, z2);
- fe_add(x2, x1, z3); fe_sub(x1, x1, z3);
- fe_sq(z3, x2); fe_sq(x2, x1);
- fe_mul(x1, z3, x2); fe_sub(z3, z3, x2);
- fe_sq(z3, z3); fe_mul(z3, z3, z2);
+ fe_add(sum, x3, z3);
+ fe_sub(diff, x3, z3);
+ fe_add(x1, x2, z2);
+ fe_sub(x2, x2, z2);
+ fe_sq(z3, sum);
+ fe_sq(z2, x2);
+ fe_sq(x3, diff);
+ fe_sq(x2, x1);
+ fe_add(sum, z3, z2);
+ fe_sub(z2, z3, z2);
+ fe_mul(x3, x3, x2);
+ fe_mul(x2, sum, z2);
+ fe_add(x1, x2, z2);
+ fe_sub(z2, x2, z2);
+ fe_sq(x2, x2);
+ fe_sq(z3, z3);
+ fe_mul(x1, x1, x2);
+ fe_mul(z2, z2, x1);
+ fe_add(x2, x1, z3);
+ fe_sub(x1, x1, z3);
+ fe_sq(z3, x2);
+ fe_sq(x2, x1);
+ fe_mul(x1, z3, x2);
+ fe_sub(z3, z3, x2);
+ fe_sq(z3, z3);
+ fe_mul(z3, z3, z2);
 }
 fe_cswap(x2, x3, swap);
- fe_inv(z2, z2); fe_mul(x2, x2, z2);
+ fe_inv(z2, z2);
+ fe_mul(x2, x2, z2);
 fe_tobytes(out, x2);
 }
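Review bot: The rewritten ladder step never forms the two cross products that RFC 7748 section 5 requires, `DA = (x3 - z3) * (x2 + z2)` and `CB = (x3 + z3) * (x2 - z2)`, and instead squares the x3/z3 sum and difference directly (`fe_sq(z3, sum)`, `fe_sq(x3, diff)`), so reordering the statements cannot make the vectors quoted in the message pass. Replacing `fe_mul(z2, point, z2)` with `fe_mul(z2, z2, x1)` also drops the multiplication by the input point's u-coordinate: `x1` is overwritten by `fe_add(x1, x2, z2)` at the top of every iteration, so inside the loop it is a temporary, not the base x. No multiplication by a24 = 121665 appears anywhere in the hunk either, unless it is folded into one of the fe_* helpers outside this view. The loop body below is the RFC step expressed with the same fe_* calls and the same x2/z2/x3/z3/sum/diff/x1 variables; x25519_sw itself starts before this hunk, so the declarations of those variables are not visible here. The many `ffff` limbs in the computed value in the message hint that `fe_tobytes` may not fully reduce either, which is worth checking separately once the ladder step is correct.
```c
for (int i = 254; i >= 0; i--) {
    /* … unchanged: bit extraction, fe_cswap(x2, x3, swap), swap = bit … */
    /* RFC 7748 section 5 ladder step; sum, diff and x1 are temporaries */
    fe_add(sum, x2, z2);          /* A  = x2 + z2 */
    fe_sub(diff, x2, z2);         /* B  = x2 - z2 */
    fe_add(x1, x3, z3);           /* C  = x3 + z3 */
    fe_sub(z3, x3, z3);           /* D  = x3 - z3 */
    fe_mul(z3, z3, sum);          /* DA = D * A */
    fe_mul(x1, x1, diff);         /* CB = C * B */
    fe_add(x3, z3, x1);           /* DA + CB */
    fe_sub(z3, z3, x1);           /* DA - CB */
    fe_sq(x3, x3);                /* x3 = (DA + CB)^2 */
    fe_sq(z3, z3);
    fe_mul(z3, z3, point);        /* z3 = u * (DA - CB)^2; the removed line used `point` here -- confirm it is the input u-coordinate in field form */
    fe_sq(sum, sum);              /* AA = A^2 */
    fe_sq(diff, diff);            /* BB = B^2 */
    fe_mul(x2, sum, diff);        /* x2 = AA * BB */
    fe_sub(diff, sum, diff);      /* E  = AA - BB */
    fe_mul(z2, diff, A24_FE);     /* A24_FE: placeholder for a24 = 121665 as a field element */
    fe_add(z2, z2, sum);          /* AA + a24 * E */
    fe_mul(z2, z2, diff);         /* z2 = E * (AA + a24 * E) */
}
/* … unchanged: final fe_cswap, fe_inv, fe_mul, fe_tobytes … */
```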