RFC Errata
RFC 7748, "Elliptic Curves for Security", January 2016
Source of RFC: IRTF
Errata ID: 5651
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Pierre Laurent
Date Reported: 2019-03-11
Rejected by: Stanislav Smyshlyaev
Date Rejected: 2020-12-15
Section 5 says:
z_2 = E * (AA + a24 * E)
It should say:
z_2 = E * (BB + a24 * E)
Notes:
When BB is used, the point multiplication of the second test vector
P = (0x13a415c749d54cfc3e3cc06f10e7db312cae38059d95b7f4d3116878120f21e5, 0x1)
by scalar k
0x4dba18799e16a42cd401eae021641bc1f56a7d959126d25a3c67b4d1d4e96648
gives the expected point
[k]P = (0x5779ac7a64f7f8e652a19f79685a598bf873b8b45ce4ad7a7d90e87694decb95, 0x1)
The implementation based on AA gives the unexpected point
[k]P = (0x3884d5c22af664f822cb3dd728b03c9fac1e1d78c772a74f05546566bd7bed9c, 1)
--VERIFIER NOTES--
It is proposed to modify the algorithm description for calculation of z_2. However, after checking the original algorithm independently, it was confirmed that the expected numbers are obtained. Therefore, the existing text of RFC does not have any errors here.