[Cryptech Tech] Regarding Curve25519 and IETF

Bernd Paysan bernd at net2o.de
Wed Dec 17 14:59:58 UTC 2014


Am Dienstag, 16. Dezember 2014, 22:51:43 schrieb Joachim Strömbergson:
> Aloha!
> 
> Bernd Paysan wrote:
> > Microsoft's embrace&extend mechanism at work.
> 
> True, I was more thinking of their motivation towards others.
> 
> > The newer curves from DJB are all Edwards-only for good reasons.  So
> > dropping the Montgomery Curve25519 in favor of Ed25519 is a good
> > idea.  But that's not what they suggest here ;-).
> 
> Good points on Ed25519. Hopefully IETF decides on that in the end. And
> some of the stronger Ed-curves too.
> 
> For Cryptech, the use cases we have that use 25519-something all use
> Curve25519 I think. And they are really not the same curves and we
> therefore need support for Curve25519 first. Unless I misunderstand
> something here. I'm slowly learning and doing test implementation of
> curves to get a feeling for what kind of beasts they are. Right now
> mostly related to P-256.

Several protocols already use Curve25519, i.e. the Montgomery version of the 
curve.  The way to implement it is indeed implementing some supporting 
primitives (like add and mult on mod 2^255-19), and have a special purpose 
processor to implement Curve25519 on top of these hardware primitives.

And then also implement Ed25519, which uses the same primitives, to support 
signing (not possible with Curve25519), and possibly protocols that use 
Ed25519 for DH.

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
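The layering the message describes (field primitives mod 2^255-19 with the Montgomery ladder on top), as an added example that is not part of the thread or the Cryptech code: a from-scratch X25519 per RFC 7748, checked against that RFC's published test vectors. The helper names (fadd, fmul, finv, cswap, x25519_public) are this example's own.

```python
# Added example, not from the message: X25519 (RFC 7748) built on a handful of
# field primitives mod p = 2^255 - 19. Python big ints are not constant-time.
P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4, Montgomery curve constant used by the ladder

def fadd(a, b): return (a + b) % P
def fsub(a, b): return (a - b) % P
def fmul(a, b): return (a * b) % P
def finv(a): return pow(a, P - 2, P)  # Fermat inversion, valid since p is prime

def decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte secret scalar as RFC 7748 section 5 requires."""
    k = bytearray(k)
    k[0] &= 248   # clear low 3 bits: scalar is a multiple of the cofactor 8
    k[31] &= 127  # clear bit 255
    k[31] |= 64   # set bit 254 so every ladder run has the same length
    return int.from_bytes(k, "little")

def decode_u(u: bytes) -> int:
    return int.from_bytes(u, "little") & ((1 << 255) - 1)  # ignore bit 255

def cswap(swap: int, a: int, b: int):
    mask = -swap  # 0 or all ones; selects without a data-dependent branch
    d = (a ^ b) & mask
    return a ^ d, b ^ d
def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder on u-coordinates only; returns the 32-byte result."""
    k_int, x1 = decode_scalar(k), decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = fadd(x2, z2), fsub(x2, z2)
        aa, bb = fmul(a, a), fmul(b, b)
        e = fsub(aa, bb)
        c, d = fadd(x3, z3), fsub(x3, z3)
        da, cb = fmul(d, a), fmul(c, b)
        x3 = fmul(fadd(da, cb), fadd(da, cb))
        z3 = fmul(x1, fmul(fsub(da, cb), fsub(da, cb)))
        x2 = fmul(aa, bb)
        z2 = fmul(e, fadd(aa, fmul(A24, e)))
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return fmul(x2, finv(z2)).to_bytes(32, "little")
def x25519_public(k: bytes) -> bytes:
    return x25519(k, (9).to_bytes(32, "little"))  # generator has u = 9
```

Ed25519 would reuse fadd/fmul/finv unchanged and add the twisted-Edwards point operations and SHA-512 on top, which is the shared-primitive design the message argues for.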
