*
* This is X448, as described in RFC7748, based on the elliptic curve defined
* in Mike Hamburg, `Ed448-Goldilocks, a new elliptic curve', EUROCRYPT 2016,
- * https://eprint.iacr.org/2015/625/.
+ * https://eprint.iacr.org/2015/625/. (The curve here is 4-isogenous to
+ * Hamburg's curve.)
*
* The RFC-specified operation is simpler than the Diffie--Hellman function
* described in Hamburg's paper, since it doesn't involve the `Decaf'
* cofactor elimination procedure. Indeed, it looks very much like X25519
* with Hamburg's curve slotted in in place of Bernstein's.
+ *
+ * The @x448@ function essentially performs incompatible cofactor
+ * multiplication on the elliptic curve %$E(k)$% containing points %$(x, y)$%
+ * in %$\proj^2(k)$% satisfying the Montgomery-form equation
+ *
+ * %$y^3 = x^3 + 156326 x^2 + x$% ,
+ *
+ * where $k = \gf{p}$, with $p = \phi^2 - \phi - 1$%, where
+ * %$\phi = 2^{224}$%. The curve has %$n = (p + 1) + {}$%
+ * %$28312320572429821613362531907042076847709625476988141958474579766324$%
+ * points; this is four times a prime %$\ell$%. The points with
+ * %$x$%-coordinate 5 have order %$\ell$%.
*/
/*----- Header files ------------------------------------------------------*/
~mdw / catacomb / blobdiff