[curves] General Curve25519 and Ed25519 Libraries
Diego Aranha
dfaranha at gmail.com
Thu Jun 18 12:07:04 PDT 2015
Thanks for reporting, Michael!
For the record, the Edwards module is still experimental code written by
Tobias Markmann and not fully integrated with the rest of the library. I
plan to help with this and perform a partial rewrite of the library in July
(no classes) to reduce complexity. Constant-time behavior will be one of
the goals. I wish I was more aware of side channels in 2007 when I started
coding, but I guess that's the way things are.
Best,
--
Diego Aranha
On Thu, Jun 18, 2015 at 3:53 PM Michael Hamburg <mike at shiftleft.org> wrote:
> Ah. Also RELIC implements hashing to the curve, but probably not the way
> you want. For prime-order curves they use hunt-and-pack, which works but
> isn’t constant time. For Edwards curves they use g^hash, which is going to
> outright break most protocols that use this primitive. I’m filing a bug
> against that.
>
> — Mike
>
> On Jun 18, 2015, at 11:45 AM, Michael Hamburg <mike at shiftleft.org> wrote:
>
> Hi Frank,
>
> My library supports hashing to the curve, as do Snowshoe [*] and
> Libelligator [+], and not much else that I’m aware of. Especially if you
> want it to be constant time and/or fast. I’d bet that some of the other
> fancy libraries like PBC and MIRACL have it though.
>
> I somehow misread your original message as “hashing points”.
>
> Cheers,
> — Mike
>
> [*] https://github.com/catid/snowshoe by Christopher A Taylor
>
> It’s pretty fast and uses a 254-bit field. It doesn’t export point
> operations, but since it’s an Edwards curve it should be reasonably safe to
> use the internal APIs.
>
> [+] https://github.com/Yawning/libelligator
>
> I found this by Googling. It looks to be based on Donna.
>
> On Jun 18, 2015, at 11:01 AM, Frank Wang <frankw at mit.edu> wrote:
>
> Hi Mike,
>
> Well, I want a way to translate a n-bit message to a point on the curve.
> My understanding is that it's easiest to hash it to the curve, but I could
> just be confused.
>
> Does your library not support hashing to the curve?
>
> Frank
>
> On Thu, Jun 18, 2015 at 1:50 PM, Mike Hamburg <mike at shiftleft.org> wrote:
>
>> Wait, do you want to hash messages to the curve, or just be able to hash
>> curve points? The former is kind of a niche feature, though you could
>> implement it yourself if the library doesn't support it.
>>
>> Sent from my phone. Please excuse brevity and typos.
>>
>> On Jun 18, 2015, at 10:38, Frank Wang <frankw at mit.edu> wrote:
>>
>> Hi Thomas,
>>
>> Yes. Sorry, my goal right now is that I have a key revocation scheme that
>> I want to implement, involving elliptic curve addition, subtraction, and
>> scalar multiplication (as well as hashing messages to the curve). I would
>> like reasonable performance (so C does seem good) because I'm benchmarking
>> it against AES. However, I'm willing to trade off some performance for ease
>> of use.
>>
>> TweetNacl seems to be designed primarily for ECDH and EC signatures
>> rather than a general purpose elliptic curve library. I'm exploring
>> alternatives.
>>
>> Frank
>>
>> On Thu, Jun 18, 2015 at 1:34 PM, Thomas DuBuisson <
>> thomas.dubuisson at gmail.com> wrote:
>>
>>> Frank,
>>> A lot of recommendations are pouring in about C and Java libraries, on
>>> top of which I'm tempted to recommend my own in Cryptol or one of the
>>> Sage version out there, but none of us have heard about your actual
>>> goal and needs. Could you say more about how this code will be used
>>> and what you hope to achieve?
>>>
>>> Thomas
>>>
>>> On Wed, Jun 17, 2015 at 2:16 PM, Frank Wang <frankw at mit.edu> wrote:
>>> > Hi,
>>> >
>>> > I am working on a research project at MIT, and I need to use elliptic
>>> curves
>>> > (or a group where DDH is hard, but elliptic curves seem like the best
>>> way to
>>> > go) to implement a cryptographic scheme. I've been trying to search for
>>> > general Curve25519 and Ed25519 libraries where I can just do add and
>>> scalar
>>> > multiply as well as hash messages to points. The best library I've come
>>> > across so far is tweetnacl, which has the add and scalar multiply
>>> operation
>>> > for Ed25519, but it's a bit difficult to use, and I end up modifying
>>> the
>>> > library to do subtraction of points.
>>> >
>>> > I have yet to find a good library that allows me to just do operations
>>> on
>>> > Ed25519 or Curve25519. Does such a library exist? If not, any tips on
>>> what I
>>> > should do? Should I just use another curve library that is better
>>> supported?
>>> > If so, any suggestions?
>>> >
>>> > Thanks,
>>> > Frank
>>> >
>>> > _______________________________________________
>>> > Curves mailing list
>>> > Curves at moderncrypto.org
>>> > https://moderncrypto.org/mailman/listinfo/curves
>>> >
>>>
>>
>> _______________________________________________
>> Curves mailing list
>> Curves at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/curves
>>
>>
>
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves
>
>
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20150618/275772c9/attachment.html>
More information about the Curves
mailing list