Nettle release plans

This is an attempt at defining a development target for Nettle-3.1, inspired by similar pages for recent GMP releases. [Last updated 2015-03-19]

Priority categories used for the items on this page:

This really ought to be done before release

Try to get this done before release

Done!

Leave for some later release!

Plans for nettle-3.1

Interface changes

Review public functions in ecc.h, move some to ecc-internal.h, to enable sane support for other types of curves.

New features

Add support for curve25519. What about the "x25519" name?

Update chacha-poly1305 to the current draft.

Add support for Ed25519 signatures.

Interface tweaks to EdDSA, Curve25519 and base64.

Add larger "safe" curves, e.g., M-383, curve41417 and E-521.

Add functions for converting ECC points to and from the ANSI X9.62 encoding.

Use side-channel silent GMP functions for RSA and DSA. This may require additional interface changes, since those are mpn-level (not mpz) functions.

Make it possible to build nettle and hogweed using mini-gmp.

Side-channel silent mem_equalp (a memory comparison whose running time does not depend on where, or whether, the inputs differ).
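To make the requirement concrete, here is an added example (written for this page, not Nettle's own mem_equalp implementation) that puts a memcmp-style comparison next to a side-channel silent one. The 16-byte tag and the two forgeries are constructed sample data. The leaky version reports how many bytes it inspected before returning, which is exactly what a remote attacker timing a MAC check learns: the length of the matching prefix, one byte at a time.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample data: a 16-byte authentication tag and two forgeries,
   one wrong in the first byte, one wrong only in the last byte. */
static const unsigned char good_tag[16] =
  { 0x3a, 0x91, 0xc7, 0x05, 0xde, 0x4b, 0x66, 0x12,
    0xf0, 0x8d, 0x27, 0xb3, 0x5c, 0xe9, 0x74, 0xa8 };
static const unsigned char forged_first[16] =
  { 0x3b, 0x91, 0xc7, 0x05, 0xde, 0x4b, 0x66, 0x12,
    0xf0, 0x8d, 0x27, 0xb3, 0x5c, 0xe9, 0x74, 0xa8 };
static const unsigned char forged_last[16] =
  { 0x3a, 0x91, 0xc7, 0x05, 0xde, 0x4b, 0x66, 0x12,
    0xf0, 0x8d, 0x27, 0xb3, 0x5c, 0xe9, 0x74, 0xa9 };

/* Leaky comparison: returns at the first mismatch. *steps receives the
   number of bytes inspected, i.e. the information the timing leaks. */
static int mem_equal_leaky(const unsigned char *a, const unsigned char *b,
                           size_t n, size_t *steps)
{
  size_t i;
  for (i = 0; i < n; i++) {
    if (a[i] != b[i]) {
      *steps = i + 1;
      return 0;
    }
  }
  *steps = n;
  return 1;
}

/* Convenience wrapper exposing only the leaked quantity. */
static size_t leaky_steps(const unsigned char *a, const unsigned char *b, size_t n)
{
  size_t s;
  mem_equal_leaky(a, b, n, &s);
  return s;
}

/* Side-channel silent comparison: touches every byte, ORs the differences
   together, and turns the accumulator into 0/1 arithmetically, so there is
   no data-dependent branch and no early exit. volatile keeps the compiler
   from re-introducing a short-circuit. */
static int mem_equal_sec(const unsigned char *a, const unsigned char *b, size_t n)
{
  const volatile unsigned char *x = a, *y = b;
  unsigned diff = 0;
  size_t i;
  for (i = 0; i < n; i++)
    diff |= (unsigned)(x[i] ^ y[i]);
  /* diff is in 0..255; (diff - 1) >> 8 has its low bit set only when
     diff == 0 (unsigned wrap-around). */
  return (int)(((diff - 1u) >> 8) & 1u);
}

int main(void)
{
  printf("leaky, wrong first byte: %zu bytes inspected\n",
         leaky_steps(good_tag, forged_first, 16));
  printf("leaky, wrong last byte:  %zu bytes inspected\n",
         leaky_steps(good_tag, forged_last, 16));
  printf("sec, good tag: %d, forged tag: %d\n",
         mem_equal_sec(good_tag, good_tag, 16),
         mem_equal_sec(good_tag, forged_last, 16));
  return 0;
}
```

The 0/1 conversion at the end matters as much as the loop: a final `return diff == 0;` compiles to a compare-and-branch on many targets, which is the kind of data-dependent control flow the "silent" variant is meant to avoid.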

Optimizations

Support for using AES acceleration.

Assembly optimizations for ARMv8 (64-bit).

Further optimizations of curve25519 and EdDSA, in particular, radix-2^51 (five 51-bit limbs) mod p operations, and more efficient point addition.
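As an added illustration of what the radix-2^51 representation buys (example code written for this page, not Nettle's curve25519 implementation), the following implements multiplication in GF(2^255 - 19) with five 51-bit limbs. The 13 spare bits per limb let the 25 partial products, including the ones folded back with the factor 19 from 2^255 = 19 (mod p), be summed in 128-bit accumulators before a single carry pass, which is the reason this layout is faster than a 64-bit-limb representation with carries at every step. It assumes a compiler providing unsigned __int128 (GCC or Clang on a 64-bit target). The self-test values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Requires unsigned __int128 (GCC, Clang on 64-bit targets). */
typedef unsigned __int128 u128;

#define FE51_LIMBS 5
#define FE51_BITS  51
#define FE51_MASK  ((UINT64_C(1) << FE51_BITS) - 1)

/* Element of GF(2^255 - 19): limb i holds bits 51*i .. 51*i+50. Limbs may
   exceed 51 bits by a few bits between operations (partial reduction). */
typedef struct { uint64_t v[FE51_LIMBS]; } fe51;

/* Load an integer below 2^128 into limb form (used for constructed inputs). */
static fe51 fe51_from_u128(u128 x)
{
  fe51 r;
  int i;
  for (i = 0; i < FE51_LIMBS; i++) {
    r.v[i] = (uint64_t)x & FE51_MASK;
    x >>= FE51_BITS;
  }
  return r;
}

/* a*b mod p. Schoolbook product; a partial product landing in position
   i+j >= 5 is folded into position i+j-5 with weight 19 because
   2^255 = 19 (mod p). With limbs below 2^52 every t[i] stays under 2^112. */
static fe51 fe51_mul(const fe51 *a, const fe51 *b)
{
  const uint64_t *x = a->v, *y = b->v;
  u128 t[FE51_LIMBS];
  uint64_t c;
  fe51 r;
  int i;

  t[0] = (u128)x[0]*y[0] + (u128)19*((u128)x[1]*y[4] + (u128)x[2]*y[3] + (u128)x[3]*y[2] + (u128)x[4]*y[1]);
  t[1] = (u128)x[0]*y[1] + (u128)x[1]*y[0] + (u128)19*((u128)x[2]*y[4] + (u128)x[3]*y[3] + (u128)x[4]*y[2]);
  t[2] = (u128)x[0]*y[2] + (u128)x[1]*y[1] + (u128)x[2]*y[0] + (u128)19*((u128)x[3]*y[4] + (u128)x[4]*y[3]);
  t[3] = (u128)x[0]*y[3] + (u128)x[1]*y[2] + (u128)x[2]*y[1] + (u128)x[3]*y[0] + (u128)19*((u128)x[4]*y[4]);
  t[4] = (u128)x[0]*y[4] + (u128)x[1]*y[3] + (u128)x[2]*y[2] + (u128)x[3]*y[1] + (u128)x[4]*y[0];

  /* One carry pass; the carry out of the top limb re-enters at the bottom
     multiplied by 19. Afterwards every limb is below 2^52. */
  for (i = 0; i < FE51_LIMBS - 1; i++) {
    c = (uint64_t)(t[i] >> FE51_BITS);
    t[i] &= FE51_MASK;
    t[i + 1] += c;
  }
  c = (uint64_t)(t[4] >> FE51_BITS);
  t[4] &= FE51_MASK;
  t[0] += (u128)19 * c;
  c = (uint64_t)(t[0] >> FE51_BITS);
  t[0] &= FE51_MASK;
  t[1] += c;

  for (i = 0; i < FE51_LIMBS; i++)
    r.v[i] = (uint64_t)t[i];
  return r;
}

/* Canonical form in [0, p): two carry passes bring the value below 2^255,
   then p is subtracted once if needed, selected by a mask, not a branch. */
static fe51 fe51_freeze(fe51 a)
{
  uint64_t *v = a.v, t[FE51_LIMBS], c, m;
  int pass, i;

  for (pass = 0; pass < 2; pass++) {
    for (i = 0; i < FE51_LIMBS - 1; i++) {
      c = v[i] >> FE51_BITS; v[i] &= FE51_MASK; v[i + 1] += c;
    }
    c = v[4] >> FE51_BITS; v[4] &= FE51_MASK; v[0] += 19 * c;
  }
  /* t = v + 19. A carry out of bit 255 means v >= 2^255 - 19 = p, and then
     t with that bit dropped equals v - p. */
  c = 19;
  for (i = 0; i < FE51_LIMBS; i++) {
    t[i] = v[i] + c;
    c = t[i] >> FE51_BITS;
    t[i] &= FE51_MASK;
  }
  m = (uint64_t)0 - c;           /* all-ones iff v >= p */
  for (i = 0; i < FE51_LIMBS; i++)
    a.v[i] = (t[i] & m) | (v[i] & ~m);
  return a;
}

static int fe51_equal(const fe51 *a, const fe51 *b)
{
  int i, eq = 1;
  for (i = 0; i < FE51_LIMBS; i++)
    eq &= (a->v[i] == b->v[i]);
  return eq;
}

/* Constructed checks: (-1)^2 == 1, and a product below 2^126 compared
   against plain 128-bit multiplication. Returns 1 on success. */
static int fe51_selftest(void)
{
  fe51 minus_one, one, a, b, prod, expect;
  u128 ua = ((u128)1 << 63) + 12345, ub = ((u128)1 << 62) + 777;
  int i;

  minus_one.v[0] = FE51_MASK - 19;          /* p - 1 = 2^255 - 20 */
  for (i = 1; i < FE51_LIMBS; i++)
    minus_one.v[i] = FE51_MASK;
  one = fe51_from_u128(1);
  prod = fe51_freeze(fe51_mul(&minus_one, &minus_one));
  if (!fe51_equal(&prod, &one))
    return 0;

  a = fe51_from_u128(ua);
  b = fe51_from_u128(ub);
  expect = fe51_from_u128(ua * ub);
  prod = fe51_freeze(fe51_mul(&a, &b));
  return fe51_equal(&prod, &expect);
}

int main(void)
{
  printf("radix-2^51 self-test: %s\n", fe51_selftest() ? "ok" : "FAILED");
  return 0;
}
```

Note that fe51_freeze is only needed when a canonical value is required (output encoding, equality tests); in the middle of a ladder step the partially reduced limbs coming out of fe51_mul are fed straight into the next multiplication.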

Miscellaneous

Use more functions from GMP-6 and later, when available: mpn_sec_add_1, mpn_sec_tabselect, mpn_sec_invert, mpn_cnd_swap, ...
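The table-selection function in that list addresses a side channel that is easy to miss: in a fixed-window exponentiation or scalar multiplication, a plain indexed load from a table of precomputed values touches a cache line that depends on the secret window bits. The following added example (written for this page to illustrate the idea; it is not GMP's mpn_sec_tabselect, and the signature is my own) shows the leaky lookup beside one that reads every entry and keeps the wanted one with an arithmetic mask. The four-entry table is constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed table: 4 entries of 3 limbs each, standing in for precomputed
   multiples of a point or powers of a base. */
#define TAB_ENTRIES 4
#define TAB_LIMBS   3
static const uint64_t table[TAB_ENTRIES][TAB_LIMBS] = {
  { 0x1111111111111110u, 0x1111111111111111u, 0x1111111111111112u },
  { 0x2222222222222220u, 0x2222222222222221u, 0x2222222222222222u },
  { 0x3333333333333330u, 0x3333333333333331u, 0x3333333333333332u },
  { 0x4444444444444440u, 0x4444444444444441u, 0x4444444444444442u },
};

/* Leaky lookup: one indexed copy. The address, hence the cache line,
   depends on idx. */
static void tabselect_leaky(uint64_t *rp, const uint64_t *tab,
                            size_t nents, size_t n, size_t idx)
{
  (void)nents;
  memcpy(rp, tab + idx * n, n * sizeof *rp);
}

/* All-ones if x == 0, else all-zeros, without a branch: for x != 0 either x
   or -x has the top bit set, so (x | -x) >> 63 is 1 and the result is 0. */
static uint64_t mask_if_zero(uint64_t x)
{
  return ((x | ((uint64_t)0 - x)) >> 63) - 1;
}

/* Side-channel silent lookup: reads every limb of every entry and ORs in
   only the one whose index matches. Memory access pattern is independent
   of idx. */
static void tabselect_sec(uint64_t *rp, const uint64_t *tab,
                          size_t nents, size_t n, size_t idx)
{
  size_t i, j;
  for (j = 0; j < n; j++)
    rp[j] = 0;
  for (i = 0; i < nents; i++) {
    uint64_t mask = mask_if_zero((uint64_t)(i ^ idx));
    for (j = 0; j < n; j++)
      rp[j] |= tab[i * n + j] & mask;
  }
}

/* Returns 1 if, for every index, the silent lookup agrees with the direct one. */
static int tabselect_selftest(void)
{
  uint64_t leaky[TAB_LIMBS], sec[TAB_LIMBS];
  size_t idx;
  for (idx = 0; idx < TAB_ENTRIES; idx++) {
    tabselect_leaky(leaky, &table[0][0], TAB_ENTRIES, TAB_LIMBS, idx);
    tabselect_sec(sec, &table[0][0], TAB_ENTRIES, TAB_LIMBS, idx);
    if (memcmp(leaky, sec, sizeof sec) != 0)
      return 0;
  }
  return 1;
}

/* First limb of the selected entry, via the silent path. */
static uint64_t selected_limb0(size_t idx)
{
  uint64_t r[TAB_LIMBS];
  tabselect_sec(r, &table[0][0], TAB_ENTRIES, TAB_LIMBS, idx);
  return r[0];
}
```

The cost is a full scan of the table per selection, which is why the window size in a side-channel silent exponentiation is a trade-off between fewer multiplications and a larger table to scan.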

Documentation

Document curve25519.

Document EdDSA.

Build system

Support for fat binaries on ARM and x86_64, selecting code at runtime depending on CPU capabilities.

Fix the handling of optional C source files with make dist.

Stop using the nonstandard .po extension.

Reconsider the assembly make rules; going back to an .asm.o: suffix rule might work better with Solaris' make.

Update AX_CREATE_STDINT_H to the latest version.

Testing

Since xenofarm isn't up and running, do some manual testing:

Changes under consideration for later releases

These are some other changes under consideration.

Interface changes

For Merkle-Damgård hash functions, separate the state and the buffering. E.g., when using them for HMAC, with keyed "inner" and "outer" states, we currently get three buffers but only need one.

Reorganize private key operations. Need to support RSA with and without blinding, DSA according to the spec and some deterministic variant (like PuTTY or RFC 6979), and possibly also smartcard versions where the private key is not available to the library, all without an explosion in the number of functions.