Skip to content
GitLab
Menu
Projects
Groups
Snippets
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
Menu
Open sidebar
Dmitry Baryshkov
nettle
Commits
c4256c67
Commit
c4256c67
authored
Feb 26, 2015
by
Niels Möller
Browse files
Documentation of curev25519 and eddsa.
parent
a3918292
Changes
2
Hide whitespace changes
Inline
Sidebyside
ChangeLog
View file @
c4256c67
20150226 Niels Möller <nisse@diamant.hack.org>
* nettle.texinfo: Document curve25519 and eddsa.
20150210 Niels Möller <nisse@lysator.liu.se>
* base64urlmeta.c (nettle_base64url): New file.
...
...
nettle.texinfo
View file @
c4256c67
...
...
@@ 4065,7 +4065,8 @@ curve discrete logarithm problem.
Nettle supports standard curves which are all of the form @math
{
y
^
2 =
x
^
3  3 x + b @pmod
{
p
}}
, i.e., the points have coordinates @math
{
(x,y)
}
,
both considered as integers modulo a specified prime @math
{
p
}
. Curves
are represented as a @code
{
struct ecc
_
curve
}
. Supported curves are
are represented as a @code
{
struct ecc
_
curve
}
. It also supports
curve25519, which uses a different form of curve. Supported curves are
declared in @file
{
<nettle/ecccurve.h>
}
, e.g., @code
{
nettle
_
secp
_
256r1
}
for a standardized curve using the 256bit prime @math
{
p = 2
^{
256
}

2
^{
224
}
+ 2
^{
192
}
+ 2
^{
96
}
 1
}
. The contents of these structs is not
...
...
@@ 4201,6 +4202,103 @@ random octets and store them at @code{dst}. For advice, see
@xref
{
Randomness
}
.
@end deftypefun
@subsubsection Curve25519
Curve25519 is an elliptic curve of Montgomery type, @math
{
y
^
2 = x
^
3 +
486662 x
^
2 + x @pmod
{
p
}}
, with @math
{
p = 2
^
255  19
}
. Montgomery curves
have the advantage of simple and efficient point addition based on the
xcoordinate only. This particular curve was proposed by D.~J.~Bernstein
in 2006, for fast DiffieHellman key exchange. The group generator is
defined by @math
{
x = 9
}
(there are actually two points with @math
{
x =
9
}
, differing by the sign of the ycoordinate, but that doesn't matter
for the curve25519 operations which work with the xcoordinate only).
The curve25519 functions are defined as operations on octet strings,
which are interpreted as xcoordinates in littleendian byte order.
@defvr Constant CURVE25519
_
SIZE
The size of the strings representing curve25519 points and scalars, 32.
@end defvr
@deftypefun void curve25519
_
mul
_
g (uint8
_
t *@var
{
q
}
, const uint8
_
t *@var
{
n
}
)
Computes @math
{
Q = N G
}
, where @math
{
G
}
is the group generator and
@math
{
N
}
is an integer. The input argument @var
{
n
}
and the output
argument @var
{
q
}
use a littleendian representation of the scalar and
the xcoordinate, respectively. They are both of size
@code
{
CURVE25519
_
SIZE
}
.
This function is intended to be compatible with the function
@code
{
crypto
_
scalar
_
mult
_
base
}
in the NaCl library.
@end deftypefun
@c FIXME: Change to void return type
@deftypefun int curve25519
_
mul (uint8
_
t *@var
{
q
}
, const uint8
_
t *@var
{
n
}
, const uint8
_
t *@var
{
p
}
)
Computes @math
{
Q = N P
}
, where @math
{
P
}
is an input point and @math
{
N
}
is an integer. The input arguments @var
{
n
}
and @var
{
p
}
and the output
argument @var
{
q
}
use a littleendian representation of the scalar and
the xcoordinates, respectively. They are all of size
@code
{
CURVE25519
_
SIZE
}
.
This function is intended to be compatible with the function
@code
{
crypto
_
scalar
_
mult
}
in the NaCl library.
@end deftypefun
@subsubsection EdDSA
EdDSA is a signature scheme proposed by D.~J.~Bernstein et al. in 2011.
It is defined using a ``Twisted Edwards curve'', of the form @math
{
x
^
2
+ y
^
2 = 1 + d x
^
2 y
^
2
}
. The specific signature scheme Ed25519 uses a
curve which is equivalent to curve25519: The two groups used differ only
by a simple change of coordinates, so that the discrete logarithm
problem is of equal difficulty in both groups.
Unlike other signature schemes in Nettle, the input to the EdDSA sign
and verify functions is the possibly large message itself, not a hash
digest. EdDSA is a variant of Schnorr signatures, where the message is
hashed together with other data during the signature process, providing
resilience to hashcollisions: A successful attack finding collisions in
the hash function does not automatically translate into an attack to
forge signatures. EdDSA also avoids the use of a randomness source by
generating the needed signature nonce from a hash of the private key and
the message, which means that the message is actually hashed twice when
creating a signature. If signing huge messages, it is possible to hash
the message first and pass the short message digest as input to the
signa and verify functions, however, the hash collision resilience is
then lost.
@defvr Constant ED25519
_
KEY
_
SIZE
The size of a private or public Ed25519 key, 32 octets.
@end defvr
@defvr Constant ED25519
_
SIGNATURE
_
SIZE
The size of an Ed25519 signature, 64 octets.
@end defvr
@deftp
{
Context struct
}
{
struct ed25519
_
private
_
key
}
@deftpx
{
Context struct
}
{
struct ed25519
_
public
_
key
}
These structs represent a private and public key, respectively, expanded
into an internal representation.
@end deftp
@deftypefun void ed25519
_
sha512
_
set
_
private
_
key (struct ed25519
_
private
_
key *@var
{
priv
}
, const uint8
_
t *@var
{
key
}
)
Expands a private key (@code
{
ED25519
_
KEY
_
SIZE
}
octets) into the internal
representation.
@end deftypefun
@deftypefun void ed25519
_
sha512
_
sign (const struct ed25519
_
private
_
key *@var
{
priv
}
, size
_
t @var
{
length
}
, const uint8
_
t *@var
{
msg
}
, uint8
_
t *@var
{
signature
}
)
Signs a message using the provided private key.
@end deftypefun
@deftypefun int ed25519
_
sha512
_
set
_
public
_
key (struct ed25519
_
public
_
key *@var
{
pub
}
, const uint8
_
t *@var
{
key
}
)
Expands a public key (@code
{
ED25519
_
KEY
_
SIZE
}
octets) into the internal
representation. Returns 1 on success, 0 on failure.
@end deftypefun
@deftypefun int ed25519
_
sha512
_
verify (const struct ed25519
_
public
_
key *@var
{
pub
}
, size
_
t @var
{
length
}
, const uint8
_
t *@var
{
msg
}
, const uint8
_
t *@var
{
signature
}
)
Verifies a message using the provided public key. Returns 1 if the
signature is valid, otherwise 0.
@end deftypefun
@node Randomness, ASCII encoding, Publickey algorithms, Reference
@comment nodename, next, previous, up
@section Randomness
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment