[Cryptech Tech] Curve 25519 in use cases?

Bernd Paysan bernd at net2o.de
Wed Mar 4 15:53:44 UTC 2015


On Tuesday, 3 March 2015, 23:50:33, Daniel Kahn Gillmor wrote:
> On Mon 2015-03-02 10:39:51 +0100, Joachim Strömbergson wrote:
> > In what use cases do we see Curve 25519. And how is the algorithm being
> > used - DH only?
> 
> in OpenPGP, we currently only have EdDSA mechanisms proposed (and
> implemented) by Werner Koch, and *not* yet DH.
> 
> https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp
> 
> fwiw, i'd like to see EC DH added for 25519 soon too, but it isn't
> spec'ed out yet.

There are two versions of Curve25519, the Montgomery ladder, usually called 
Curve25519, and the Edwards curve, Ed25519.  libnacl has a DH algorithm for 
Curve25519, which is just shared_secret=pk1*sk2=pk2*sk1 (* the scalar product 
of the curve).  DH for Ed25519 is just the same scalar product; what you need 
for that is a constant-time scalar product to avoid leaking bits of the 
secret.

I've added a constant-time scalar product to ed25519-donna in my github fork:

https://github.com/forthy42/ed25519-donna/blob/master/ed25519-donna-impl-base.h

Search for ge25519_scalarmult...

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*



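Added example, not part of the original message and not code from libnacl or ed25519-donna: the relation shared_secret = pk1*sk2 = pk2*sk1 on the Montgomery form, computed with the ladder from RFC 7748. The secret keys are constructed sample values, and Python big integers are not constant time, so the block shows only the ladder's structure (fixed iteration count, branch-free conditional swap).

```python
P = 2**255 - 19                      # field prime
A24 = 121665                         # (486662 - 2) / 4, per RFC 7748
BASE = (9).to_bytes(32, "little")    # u-coordinate of the base point

def cswap(swap, a, b):
    # Swap a and b when swap == 1 without branching on the secret bit.
    t = -swap & (a ^ b)              # -1 is an all-ones mask, 0 clears it
    return a ^ t, b ^ t

def clamp(sk: bytes) -> int:
    k = bytearray(sk)
    k[0] &= 248                      # clear the cofactor bits
    k[31] &= 127                     # clear bit 255
    k[31] |= 64                      # set bit 254: the top bit is always fixed
    return int.from_bytes(k, "little")

def x25519(sk: bytes, u: bytes) -> bytes:
    k = clamp(sk)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):   # always 255 steps, whatever the key is
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def dh_demo():
    sk1 = bytes(range(32))           # constructed sample secret, not a real key
    sk2 = bytes(range(32, 64))       # constructed sample secret, not a real key
    pk1, pk2 = x25519(sk1, BASE), x25519(sk2, BASE)
    return x25519(sk2, pk1), x25519(sk1, pk2)   # pk1*sk2 and pk2*sk1

if __name__ == "__main__":
    s1, s2 = dh_demo()
    print(s1.hex(), s1 == s2)
```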