The final SP800-186 outlines mappings between Twisted Edwards and Montgomery curves, and between Montgomery and Weierstrass curves.
These mappings are defined in Appendix B. Relationships Between Curve Models.
There are two types of mappings outlined:
- Standard maps between curves on these different models (both in B.1 and B.2), and
- Specific maps between Edwards25519 and Curve25519 (and E448 and Curve448) in B.1, and between Curve25519 and W-25519 (and Curve448 and W-448) in B.2
It's also mentioned that:
"Implementations may take advantage of these mappings to carry out elliptic curve group operations that were originally defined for a twisted Edwards curve on the corresponding Montgomery curve, or vice-versa, and translating the result back to the original curve to potentially allow code reuse." [B.1]
"This mapping can be used to implement elliptic curve group operations that were originally defined for a twisted Edwards curve or for a Montgomery curve using group operations on the corresponding elliptic curve in short-Weierstrass form and translating the result back to the original curve to potentially allow for code reuse." [B.2]
What is not clear to me and what I would like to understand is whether they're recommending or imposing the specific mappings for code reuse for the 25519 and 448 curves, or whether both the standard and specific mappings are OK for that purpose.
For instance, if I have a Weierstrass curve implementation that I want to reuse for Curve25519:
- During the internal mapping/conversion in & out, do I have to map to W-25519 using the specific maps because that is the approved curve, or
- Can I choose to use the standard maps (which will result in a different Weierstrass curve than W-25519 being used) and remain in compliance with SP800-186?
And finally, other than the compliance concerns above, are there any security implications for choosing to use the standard vs. specific mappings for the 25519 or 448 curves in code reuse?
Thank you very much in advance!
