RFC Errata
RFC 7748, "Elliptic Curves for Security", January 2016
Source of RFC: IRTF
Errata ID: 7879
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Nawras Hussein Sabbry
Date Reported: 2024-04-02
Section 5 says:
z_2 = E * (AA + a24 * E)
It should say:
z_2 = E * (BB + a24 * E)
Notes:
In the for loop on page 8, the variable AA should be replaced with BB in Z_2. This modification is necessary because the mathematical formula for point doubling on the Montgomery curve according to (https://en.wikipedia.org/wiki/Montgomery_curve#Montgomery_arithmetic) indicates that Z2n (equivalent to Z_2 in this case) is calculated as follows: Z2n = 4XnZn((Xn-Zn)^2 + ((A+2)/4)(4XnZn)). It is observed in this equation that the operation in the (Xn-Zn)^2 part involves subtraction similar to the variable B, while the operation in the variable A involves addition. Considering this discrepancy, it is suggested to substitute AA with BB for correctness.