<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small"><br></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Aug 31, 2018 at 1:41 PM Viktor Dukhovni <<a href="mailto:cryptography@dukhovni.org">cryptography@dukhovni.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
> On Aug 31, 2018, at 12:05 PM, Phillip Hallam-Baker <<a href="mailto:phill@hallambaker.com" target="_blank">phill@hallambaker.com</a>> wrote:<br>
> <br>
> The way that I drafted the spec, it requires the number of bits to be a multiple of 8 and the prime to be the largest prime that is smaller than the next power of two. Thus, folk can apply the spec to secrets of any length without re-writing the spec.<br>
> <br>
> I am considering changing this to require the number of bits to be a multiple of 32 and giving the primes for use with up to 512 bits.<br>
<br>
For $2^{32k+1}-n$ prime with $n$ minimal, the values are:<br>
<br>
• 2^33 - 9<br>
• 2^65 - 49<br>
• 2^97 - 141<br>
• 2^129 - 25<br>
• 2^161 - 159<br>
• 2^193 - 31<br>
• 2^225 - 49<br>
• 2^257 - 93<br>
• 2^289 - 493<br>
• 2^321 - 9<br>
• 2^353 - 139<br>
• 2^385 - 265<br>
• 2^418 - 29<br>
• 2^449 - 241<br>
• 2^481 - 273<br>
• 2^513 - 445<br>
<br>
[ via "x=33;x=x+32;x<=513;x*1000 + (1 SHL x) - B(1 SHL x)" plugged into<br>
<a href="https://www.alpertron.com.ar/ECM.HTM" rel="noreferrer" target="_blank">https://www.alpertron.com.ar/ECM.HTM</a> ]<br></blockquote><div><br></div><div class="gmail_default" style="font-size:small">Awesome, thanks!</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Writing these docs is a real bear and being able to ask folk for answers to this type of thing allows me to keep focused on the other bits.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">While we are at it, if someone could recommend a good algorithm implementable in C# for point addition on Montgomery curves, that would be very helpful. I found this:</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default"><a href="https://www.hyperelliptic.org/EFD/g1p/auto-montgom-xz.html">https://www.hyperelliptic.org/EFD/g1p/auto-montgom-xz.html</a><br></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">The reason this is needed is that I am using the key combination and result combination properties of DH systems to support Recryption and key combination. <br></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Right now I am using Ed448 for encryption because the libraries define point addition. I do not have code that implements point addition for Montgomery curves.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">I have something close to code but it needs generic functions that are common in numeric tools like Mathematica but are not found in C or Python, which is what I need for a spec.</div><div class="gmail_default" style="font-size:small"><br></div></div></div></div>
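<div>The prime selection discussed in the thread above (for a b-bit secret, the largest prime below 2^(b+1)), as an added Python example that is not part of the original messages. The function names are hypothetical, and the Miller-Rabin test used is probabilistic at these sizes, so results are "probable primes".</div>

```python
import random

# Added example: find the minimal n with 2**bits - n prime.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, extra_rounds=24):
    """Miller-Rabin. The 12 fixed bases are deterministic for n < 3.3e24;
    above that, the extra seeded bases make the answer probabilistic."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(n)  # seeded so repeated runs give the same answer
    bases = list(SMALL_PRIMES)
    bases += [rng.randrange(2, n - 1) for _ in range(extra_rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True

def offset_below_power_of_two(bits):
    """Return the minimal n > 0 such that 2**bits - n is (probably) prime."""
    if bits < 2:
        raise ValueError("no prime below 2**bits for bits < 2")
    top, n = 1 << bits, 1
    while not is_probable_prime(top - n):
        n += 2  # 2**bits - n must be odd, so only odd n can work
    return n

def prime_for_secret(secret_bits):
    """Field prime for a secret of secret_bits bits (multiple of 32 assumed)."""
    if secret_bits <= 0 or secret_bits % 32:
        raise ValueError("secret length must be a positive multiple of 32")
    return (1 << (secret_bits + 1)) - offset_below_power_of_two(secret_bits + 1)

if __name__ == "__main__":
    for b in range(32, 513, 32):
        print(f"2^{b + 1} - {offset_below_power_of_two(b + 1)}")
```

Every b-bit secret is strictly smaller than the returned prime, which is what lets the secret be used directly as a field element.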