Differing interpretation of non canonical points between donna and ref

[CodesInChaos]

The reference implementation parses points as 256 bit integers which it reduces modulo 2^255-19. Your code masks out the last bit. So it interprets (non canonical) keys where the last bit is set differently.

I think replacing F(9, 28, 6, 0x1ffffff); with F(9, 28, 6, 0x3ffffff); should fix it.

Some test vectors from the implementation I use:

AlicePublicKey = {
     0x85, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54,
     0x74, 0x8b, 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a,
     0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, 0x1a, 0xf4,
     0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0x6a
 }

should be equivalent to

 AlicePublicKey2 = {
    0x72, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54,
    0x74, 0x8b, 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a,
    0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, 0x1a, 0xf4,
    0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0xea
 }

and

FrankPublicKey0 = {
    0x25,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
}

should be equivalent to

FrankPublicKey = {
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
}

[agl]

Sorry I missed the notification on this.

I believe this should be fixed with
commit 81b6dcb

[CodesInChaos]

There is an ongoing discussion about this issue on the curves@moderncrypto list:

https://moderncrypto.org/mail-archive/curves/2014/thread.html#183

Most participants prefer ignoring the bit. Personally I prefer ignoring the bit, but care more about interoperability than about the difference between these choices.

• Ref and Ref10 in SUPERCOP have switched to ignoring the bit
• It's unknown what NaCl will do
• LibSodium has switched to ignoring