Referenced the signed comb for EdDSA
authorLoup Vaillant <loup@loup-vaillant.fr>
Fri, 10 Aug 2018 20:48:14 +0000 (22:48 +0200)
committerLoup Vaillant <loup@loup-vaillant.fr>
Fri, 10 Aug 2018 20:48:14 +0000 (22:48 +0200)
src/monocypher.c

index 5a78439d01f71dd1336405436199b1afc871150c..40a7954e2aafdb61158512d6d2773d7fece21ee8 100644 (file)
@@ -1742,13 +1742,15 @@ static const fe comb_T2[16] = {
 
 static void ge_scalarmult_base(ge *p, const u8 scalar[32])
 {
-    static const u8 half_mod_L[32] = {
+    // 5-bits signed comb, from Mike Hamburg's
+    // Fast and compact elliptic-curve cryptography (2012)
+    static const u8 half_mod_L[32] = { // 1 / 2 modulo L
         0xf7, 0xe9, 0x7a, 0x2e, 0x8d, 0x31, 0x09, 0x2c,
         0x6b, 0xce, 0x7b, 0x51, 0xef, 0x7c, 0x6f, 0x0a,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,
     };
-    static const u8 half_ones[32] = {
+    static const u8 half_ones[32] = { // (2^255 - 1) / 2 modulo L
         0x42, 0x9a, 0xa3, 0xba, 0x23, 0xa5, 0xbf, 0xcb,
         0x11, 0x5b, 0x9d, 0xc5, 0x74, 0x95, 0xf3, 0xb6,
         0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
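Review bot: The new comments on `half_mod_L` and `half_ones` do not state the byte order, nor that `/ 2` means division modulo L rather than integer division, and a reader re-deriving these constants needs both. The visible bytes of `half_mod_L` read as little-endian (the trailing 0x08 is the top byte), and since 2^255 - 1 is odd the second `/ 2` can only mean multiplication by the inverse of 2. I would write `// (L + 1) / 2, i.e. 1/2 modulo L, little-endian` and `// (2^255 - 1) * half_mod_L modulo L, little-endian`. In the header comment "5-bits" should be "5-bit", and the citation would be easier to follow with its reference number (IACR ePrint 2012/309). ge_scalarmult_base continues past the end of the hunk, so how the two constants are applied to the scalar is not visible here.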