ECDH using Curve25519
NIIBE Yutaka
gniibe at fsij.org
Wed Apr 16 02:50:39 CEST 2014
On 2014-04-15 at 16:14 +0200, Werner Koch wrote:
> 1.3.6.1.4.1.3029.1.5.1
>
> from Peter Gutmann's arc as posted to cryptography last year.
Thanks, I'll use this.
> > Werner once suggested using the Ed25519 curve (as we already have
> > its routine in libgcrypt). However, with the experience of writing
>
> The reason is that we already have this implementation, only one
> implementation would be needed, and it is not much slower than the
> Montgomery form. Thus for GNUnet we decided on using Ed25519 also for
> ECDH. However, there we don't need to comply with any existing
> standards.
I see that reusing the code of Ed25519 would be the shortest path. We
could even emulate the Curve25519 computation by computing [n]Q with
Ed25519 (converting its coordinate from/to the Montgomery curve).
My concern is the ways towards different optimizations (in the future)
and libgcrypt's API.
For both EdDSA and ECDH, it calls the general function
gcry_mpi_ec_mul_point now. But it could be optimized in different
ways, since it is a fixed point for EdDSA, while it is not a fixed
point for ECDH but ECDH only requires the x-coordinate.
Speaking about the API, the design intention and common practice
around Curve25519/Ed25519 are to use the Montgomery curve for ECDH and
the Edwards curve for EdDSA. In this situation, it seems to me that it
is reasonable to imply ECDH-only when specifying the Montgomery curve
and EdDSA-only when specifying the Edwards curve.
Well, I'm going to play with libgcrypt. I'll be back after I finish
the libgcrypt experiment.
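The two computation routes discussed in this message, as an added worked example in Python (it is not code from this thread and not libgcrypt's implementation): route 1 is an x-only Montgomery ladder on Curve25519, the kind of ECDH-specific routine that never needs a v-coordinate; route 2 is the "emulate Curve25519 with Ed25519" idea, i.e. mapping the Montgomery u-coordinate to a point on the twisted Edwards curve, computing [k]Q with Edwards arithmetic, and mapping the y-coordinate back to u. The example assumes the Curve25519 key clamping and little-endian encoding later written down in RFC 7748, and the private keys at the bottom are the RFC 7748 section 6.1 test vectors; the names x25519, ed_mul, montgomery_to_edwards and so on are this example's own.

```python
# Added example (not from this thread or libgcrypt): Curve25519 ECDH two ways,
# x-only Montgomery ladder vs. Ed25519 arithmetic with coordinate conversion.
P = 2**255 - 19
A24 = (486662 - 2) // 4                      # Montgomery v^2 = u^3 + 486662u^2 + u
D = (-121665 * pow(121666, -1, P)) % P       # Edwards -x^2 + y^2 = 1 + D x^2 y^2
SQRT_M1 = pow(2, (P - 1) // 4, P)            # sqrt(-1) mod P, valid as P = 5 mod 8

def decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key: clear bits 0-2 and 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def decode_u(b: bytes) -> int:
    """Little-endian u-coordinate; the top bit is ignored (RFC 7748)."""
    return (int.from_bytes(b, "little") & ((1 << 255) - 1)) % P

def encode_u(u: int) -> bytes:
    return (u % P).to_bytes(32, "little")

def cswap(swap: int, a: int, b: int):
    dummy = (-swap) & (a ^ b)                # arithmetic conditional swap, swap in {0,1}
    return a ^ dummy, b ^ dummy

def x25519_ladder(k: int, u: int) -> int:
    """u([k]Q) from u(Q) alone: the RFC 7748 Montgomery ladder."""
    x_1, x_2, z_2, x_3, z_3, swap = u, 1, 0, u, 1, 0
    for t in reversed(range(255)):
        k_t = (k >> t) & 1
        swap ^= k_t
        x_2, x_3 = cswap(swap, x_2, x_3)
        z_2, z_3 = cswap(swap, z_2, z_3)
        swap = k_t
        a, b = (x_2 + z_2) % P, (x_2 - z_2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x_3 + z_3) % P, (x_3 - z_3) % P
        da, cb = d * a % P, c * b % P
        x_3 = pow((da + cb) % P, 2, P)
        z_3 = x_1 * pow((da - cb) % P, 2, P) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = cswap(swap, x_2, x_3)
    z_2, z_3 = cswap(swap, z_2, z_3)
    return x_2 * pow(z_2, P - 2, P) % P

def ed_add(p1, p2):
    """Unified affine addition on Ed25519 (a = -1); also used for doubling."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    inv = pow((1 + t) * (1 - t) % P, -1, P)
    x3 = (x1 * y2 + x2 * y1) * (1 - t) * inv % P
    y3 = (y1 * y2 + x1 * x2) * (1 + t) * inv % P
    return x3, y3

def ed_mul(k: int, q):
    """[k]Q by double-and-add on the Edwards curve (generic point, as in ECDH)."""
    r = (0, 1)                               # neutral element
    for t in reversed(range(256)):
        r = ed_add(r, r)
        if (k >> t) & 1:
            r = ed_add(r, q)
    return r

def sqrt_mod_p(a: int) -> int:
    """Square root for P = 5 mod 8, the same trick Ed25519 decompression uses."""
    r = pow(a, (P + 3) // 8, P)
    if (r * r - a) % P:
        r = r * SQRT_M1 % P
    if (r * r - a) % P:
        raise ValueError("not a square")
    return r

def montgomery_to_edwards(u: int):
    """y = (u-1)/(u+1); x recovered from the curve equation, so we get Q or -Q,
    and since [k](-Q) = -[k]Q shares its y-coordinate, ECDH does not care."""
    if (u + 1) % P == 0:
        raise ValueError("u = -1 has no affine Edwards image")
    y = (u - 1) * pow(u + 1, -1, P) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    return sqrt_mod_p(x2), y

def edwards_to_montgomery(pt) -> int:
    """Inverse map u = (1+y)/(1-y); the Edwards x-coordinate is never needed."""
    y = pt[1]
    return 0 if y == 1 else (1 + y) * pow(1 - y, -1, P) % P   # neutral -> u = 0

def x25519(private: bytes, peer_u: bytes, via_edwards: bool = False) -> bytes:
    """Public key (peer_u = BASEPOINT) or shared secret; both routes agree."""
    k, u = decode_scalar(private), decode_u(peer_u)
    r = edwards_to_montgomery(ed_mul(k, montgomery_to_edwards(u))) if via_edwards else x25519_ladder(k, u)
    return encode_u(r)

# RFC 7748 section 6.1 test vectors (Alice's and Bob's private keys).
RFC7748_A = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
RFC7748_B = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BASEPOINT = encode_u(9)
```

Calling x25519(RFC7748_A, BASEPOINT) and x25519(RFC7748_A, BASEPOINT, via_edwards=True) returns the same 32 bytes, which is the point of the "emulate with Ed25519" route: only the Edwards y-coordinate survives the round trip, so the sign ambiguity of the recovered x is harmless. Two caveats worth keeping in mind when comparing the routes: the ladder accepts any u, including points on the quadratic twist, whereas montgomery_to_edwards raises ValueError for such inputs because no square root exists; and neither route here is constant-time (the ladder's structure is, but Python big integers and ed_mul's data-dependent branch are not).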