ECDH using Curve25519
gniibe at fsij.org
Wed Apr 16 02:50:39 CEST 2014
On 2014-04-15 at 16:14 +0200, Werner Koch wrote:
> from Peter Gutmann's arc as posted to cryptography last year.
Thanks, I'll use this.
> > Werner once suggested that using Ed25519 curve (as we already have
> > it's routine in libgcrypt). However, with the experience of writing
> The reason is that we already have this implementation, only one
> implementation would be needed, and it is not much slower than the
> Montgomery form. Thus for GNUnet we decided on using Ed25519 also for
> ECDH. However, there we don't need to comply with any existing
I see that reusing code of Ed25519 would be the shortest path. Even,
we could emulate Curve25519 computation by computing [n]Q with Ed25519
(converting its coordinate from/to Montgomery curve).
My concern is the ways towards different optimizations (in future) and
For both of EdDSA and ECDH, it calls the general function
gcry_mpi_ec_mul_point now. But it could be optimized, in different
ways, since it's fixed point for EdDSA, and it's not fixed point for
ECDH but ECDH only requires x-coordinate.
Speaking about API, the design intention and common practice around
Curve25519/Ed25519 are that Montgomery curve for ECDH and Edwards
curve for EdDSA. In this situation, it seems for me that it's
reasonable to imply ECDH-only when specifying Montgomery curve and
EdDSA-only when specifying Edwards curve.
Well, I'm going to play with libgcrypt. I'll back after I will finish
More information about the Gnupg-devel