RFC Errata


RFC 7748, "Elliptic Curves for Security", January 2016

Source of RFC: IRTF

Errata ID: 7824
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Jose Luis Amador Moreno
Date Reported: 2024-02-27
Rejected by: Nick Sullivan
Date Rejected: 2026-01-28

Section 5.2 says: 

   Input scalar:
     203d494428b8399352665ddca42f9de8fef600908e0d461cb021f8c5
     38345dd77c3e4806e25f46d3315c44e0a5b4371282dd2c8d5be3095f
   Input scalar as a number (base 10):
     633254335906970592779259481534862372382525155
     252028961056404001332122152890562527156973881
     968934311400345568203929409663925541994577184
   Input u-coordinate:
     0fbcc2f993cd56d3305b0b7d9e55d4c1a8fb5dbb52f8e9a1e9b6201b
     165d015894e56c4d3570bee52fe205e28a78b91cdfbde71ce8d157db
   Input u-coordinate as a number (base 10):
     622761797758325444462922068431234180649590390
     024811299761625153767228042600197997696167956
     134770744996690267634159427999832340166786063
   Output u-coordinate:
     884a02576239ff7a2f2f63b2db6a9ff37047ac13568e1e30fe63c4a7
     ad1b3ee3a5700df34321d62077e63633c575c1c954514e99da7c179d

It should say:

   Input scalar:
     203d494428b8399352665ddca42f9de8fef600908e0d461cb021f8c5
     38345dd77c3e4806e25f46d3315c44e0a5b4371282dd2c8d5be3095f
   Input scalar as a number (base 10):
     633254335906970592779259481534862372382525155
     252028961056404001332122152890562527156973881
     968934311400345568203929409663925541994577184
   Input u-coordinate:
     1e37b1e6368991ebce5815bf6b567cedfec0d32246815a6707f02c4a
     61247656f5df569f02613cc5bcedf7a924424ff063c9c0aff5b395ae
   Input u-coordinate as a number (base 10):
     495683502945530038677307449626580741146441879
     406119444019011021926629134928724388368946852
     962833749157931574628774133988199037473470238
   Output u-coordinate:
     d34142faca68f7a3ddf805fa39cc706d5ab3f5633ceff5e6462b775d
     ef45f33083461dcf821cc3f0f74a813277e6895a35d958feef79a5bf

Notes:

Regarding Section 5.2, X448, second vector, the given input u-coordinate is not part of a valid point on the Montgomery form of Curve448.

I suggest replacing the point with a valid one: (2^447 + 100)*G

See the SageMath code (permalink): https://web.archive.org/web/20240227114733/https://pastebin.com/yAuzvEJG
--VERIFIER NOTES--
Rejected. The mathematical observation is correct: the u-coordinate is on the quadratic twist, not the main curve. However, RFC author Mike Hamburg confirmed on the CFRG list that this is intentional. X448 is designed to accept both curve and twist points without membership checking (Section 7). The test vector provides coverage for the twist case. Removing it would reduce test coverage.

CFRG list: http://mailarchive.ietf.org/arch/msg/cfrg/cAYh2Mj29xDEEbNAENbJynhksQk/

Report New Errata



Advanced Search