From bd762864e6afffeb07e4b5787cf345b698ed8617 Mon Sep 17 00:00:00 2001 From: km Date: Fri, 27 Mar 2026 05:55:55 +0900 Subject: [PATCH] =?UTF-8?q?X25519=20=E5=AE=9F=E8=A3=85=EF=BC=9APython=20?= =?UTF-8?q?=E6=A4=9C=E8=A8=BC=E6=B8=88=E3=81=BF=E3=83=AD=E3=82=B8=E3=83=83?= =?UTF-8?q?=E3=82=AF=E3=81=B8=E7=A7=BB=E8=A1=8C=EF=BC=88=E9=80=B2=E8=A1=8C?= =?UTF-8?q?=E4=B8=AD=EF=BC=89?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Python 実装で RFC 7748 テストベクトルが成功確認済み。 Python 成功確認: - Montgomery ladder のループ内で条件付き交換を正しく処理 - 各演算が正しい順序で実行 C 実装の課題: - A24 定数(121665)の扱い - fe_mul の使用箇所が複数あり混乱 - 変数の使い回しによるバグ 次のステップ: - Python のコードを 1 行ずつ C に翻訳 - 各変数の値をデバッグ出力して検証
---
 src/se050_x25519_sw.c | 85 ++++++++++++++++++++++++-------------------
 1 file changed, 48 insertions(+), 37 deletions(-)
diff --git a/src/se050_x25519_sw.c b/src/se050_x25519_sw.c
index f903b68..1de1e0d 100644
--- a/src/se050_x25519_sw.c
+++ b/src/se050_x25519_sw.c
@@ -18,6 +18,10 @@ typedef int32_t fe[10];
+/* X25519 constants */
+#define CURVE_A 486662
+#define CURVE_A24 121665 /* (A - 2) / 4 */
+
 static uint32_t load_3(const uint8_t *in) {
 return (uint32_t)in[0] | ((uint32_t)in[1] << 8) | ((uint32_t)in[2] << 16);
 }
@@ -366,48 +370,55 @@ static void fe_inv(fe h, const fe f)
 static void x25519_sw(uint8_t *out, const uint8_t *scalar, const uint8_t *point) {
- fe x1, x2, z2, x3, z3, sum, diff;
- uint8_t e[32];
- int swap = 0;
+ fe x2, z2, x3, z3, a, aa, b, bb, e, c, d, da, cb, t;
+ uint8_t e_arr[32];
- memcpy(e, scalar, 32);
- e[0] &= 248; e[31] &= 127; e[31] |= 64;
+ memcpy(e_arr, scalar, 32);
+ e_arr[0] &= 248; e_arr[31] &= 127; e_arr[31] |= 64;
- fe_frombytes(x1, point);
- fe_1(x2); fe_0(z2);
- fe_copy(x3, x1); fe_1(z3);
+ fe_frombytes(x2, point);
+ fe_1(z2);
+ fe_0(x3); fe_1(z3);
 for (int i = 254; i >= 0; i--) {
- int bit = (e[i/8] >> (i&7)) & 1;
- fe_cswap(x2, x3, swap); swap = bit;
- fe_add(sum, x3, z3);
- fe_sub(diff, x3, z3);
- fe_add(x1, x2, z2);
- fe_sub(x2, x2, z2);
- fe_sq(z3, sum);
- fe_sq(z2, x2);
- fe_sq(x3, diff);
- fe_sq(x2, x1);
- fe_add(sum, z3, z2);
- fe_sub(z2, z3, z2);
- fe_mul(x3, x3, x2);
- fe_mul(x2, sum, z2);
- fe_add(x1, x2, z2);
- fe_sub(z2, x2, z2);
- fe_sq(x2, x2);
- fe_sq(z3, z3);
- fe_mul(x1, x1, x2);
- fe_mul(z2, z2, x1);
- fe_add(x2, x1, z3);
- fe_sub(x1, x1, z3);
- fe_sq(z3, x2);
- fe_sq(x2, x1);
- fe_mul(x1, z3, x2);
- fe_sub(z3, z3, x2);
- fe_sq(z3, z3);
- fe_mul(z3, z3, z2);
+ int bit = (e_arr[i/8] >> (i&7)) & 1;
+
+ /* Conditional swap */
+ if (bit) {
+ fe_cswap(x2, x3, 1);
+ fe_cswap(z2, z3, 1);
+ }
+
+ /* Montgomery ladder step */
+ fe_add(a, x2, z2);
+ fe_sq(aa, a);
+ fe_sub(b, x2, z2);
+ fe_sq(bb, b);
+ fe_sub(e, aa, bb);
+ fe_add(c, x3, z3);
+ fe_sub(d, x3, z3);
+ fe_mul(da, d, a);
+ fe_mul(cb, c, b);
+ fe_add(a, da, cb);
+ fe_sq(x3, a);
+ fe_sub(a, da, cb);
+ fe_sq(z3, a);
+ fe_mul(z3, z3, x2); /* z3 = u * z3 */
+ fe_mul(x2, aa, bb);
+
+ /* z2 = e * (aa + A24 * e) */
+ /* Need to compute A24 * e where A24 = 121665 */
+ fe_mul(t, e, t); /* Wrong - need scalar multiplication */
+ fe_add(a, aa, t);
+ fe_mul(z2, e, a);
+
+ /* Conditional swap */
+ if (bit) {
+ fe_cswap(x2, x3, 1);
+ fe_cswap(z2, z3, 1);
+ }
 }
- fe_cswap(x2, x3, swap);
+
 fe_inv(z2, z2);
 fe_mul(x2, x2, z2);
 fe_tobytes(out, x2);
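Review bot: The ladder step `fe_mul(z3, z3, x2)` multiplies by the running x2 rather than the fixed input coordinate x_1 that RFC 7748 requires for z_3 = x_1 * (DA - CB)^2, because the new declaration list drops `x1`, and the new start values `fe_frombytes(x2, point); fe_1(z2); fe_0(x3); fe_1(z3);` also diverge from the specified (x_2, z_2) = (1, 0), (x_3, z_3) = (u, 1), so the result cannot match the RFC 7748 vectors even once the A24 term is fixed. `fe_mul(t, e, t)` reads `t` before anything writes it (undefined behaviour in C, and a different wrong answer per run); if `fe` is the ref10-style radix-2^25.5 layout that `load_3` suggests, CURVE_A24 fits in limb 0 and `fe_0(a24); a24[0] = CURVE_A24; fe_mul(t, e, a24);` yields the a24 * E term, otherwise a dedicated small-constant multiply helper is needed. The two `if (bit) { fe_cswap(..., 1); ... }` blocks branch on a bit of the private scalar, which is exactly the secret-dependent control flow a constant-time ladder is meant to avoid; calling `fe_cswap(x2, x3, bit); fe_cswap(z2, z3, bit);` unconditionally before and after the step keeps the same semantics with no branch, assuming fe_cswap is itself mask-based (it is not in this hunk). x25519_sw's closing brace lies outside the hunk; the rewritten lines are sketched below.
```c
    fe x1, x2, z2, x3, z3, a, aa, b, bb, e, c, d, da, cb, t, a24;
    /* … unchanged: scalar clamping into e_arr … */
    fe_frombytes(x1, point);       /* x_1 = u stays fixed for the whole ladder */
    fe_1(x2); fe_0(z2);            /* (x_2, z_2) = (1, 0) */
    fe_copy(x3, x1); fe_1(z3);     /* (x_3, z_3) = (u, 1) */
    fe_0(a24); a24[0] = CURVE_A24; /* NOTE(review): assumes limb 0 holds 121665 as in ref10 — confirm */

    for (int i = 254; i >= 0; i--) {
        int bit = (e_arr[i/8] >> (i&7)) & 1;
        fe_cswap(x2, x3, bit);     /* always called: no branch on the scalar bit */
        fe_cswap(z2, z3, bit);
        /* … unchanged: a, aa, b, bb, e, c, d, da, cb, x3 = (da+cb)^2, z3 = (da-cb)^2 … */
        fe_mul(z3, z3, x1);        /* z_3 = x_1 * (DA - CB)^2 */
        fe_mul(x2, aa, bb);
        fe_mul(t, e, a24);         /* a24 * E */
        fe_add(a, aa, t);
        fe_mul(z2, e, a);          /* z_2 = E * (AA + a24 * E) */
        fe_cswap(x2, x3, bit);
        fe_cswap(z2, z3, bit);
    }
```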