crypto/curve25519.cc - Issue 12457004: Curve25519-donna changes.

Side by Side Diff: crypto/curve25519.cc

Issue 12457004: Curve25519-donna changes. (Closed) Base URL: svn://chrome-svn/chrome/trunk/src/

Patch Set: Created 7 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
(Empty)
	1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "crypto/curve25519.h"

	6

	7 // Prototype for \|curve25519_donna\| function in

	8 // third_party/curve25519-donna/curve25519-donna.c

	9 extern "C" int curve25519_donna(uint8, const uint8, const uint8*);

	10

	11 namespace crypto {

	12

	13 namespace curve25519 {

	14

	15 void ScalarMult(const uint8* private_key,

	16 const uint8* peer_public_key,

	17 uint8* shared_key) {

	18 curve25519_donna(shared_key, private_key, peer_public_key);
	wtc 2013/03/06 21:26:44 agl: \|shared_key\| is the x coordinate of the resul agl: \|shared_key\| is the x coordinate of the result. As the output of ECDH key agreement, we need to specify how to serialize the x coordinate as a byte sequence. Do you know whether the byte sequence is in little-endian or big-endian order? The usual byte order for ECDH shared secret over a prime field is big-endian. See NIST SP 800-56A, Appendix C.1 and C.2. agl 2013/03/06 21:47:50 Curve25519 is specified in terms of byte strings, Show quoted text On 2013/03/06 21:26:44, wtc wrote: > As the output of ECDH key agreement, we need to specify how > to serialize the x coordinate as a byte sequence. Do you > know whether the byte sequence is in little-endian or > big-endian order? Curve25519 is specified in terms of byte strings, not numbers, so all implementations take and return the same sequence of bits. So the byte order is implicitly specified as in, say, SHA1. ramant (doing other things) 2013/03/08 00:10:15 Done. Show quoted text On 2013/03/06 21:47:50, agl wrote: > On 2013/03/06 21:26:44, wtc wrote: > > As the output of ECDH key agreement, we need to specify how > > to serialize the x coordinate as a byte sequence. Do you > > know whether the byte sequence is in little-endian or > > big-endian order? > > Curve25519 is specified in terms of byte strings, not numbers, so all > implementations take and return the same sequence of bits. So the byte order is > implicitly specified as in, say, SHA1. Done. ramant (doing other things) 2013/03/08 00:10:15 Added agl's comments to the file. Hope that is ok. Show quoted text On 2013/03/06 21:47:50, agl wrote: > On 2013/03/06 21:26:44, wtc wrote: > > As the output of ECDH key agreement, we need to specify how > > to serialize the x coordinate as a byte sequence. Do you > > know whether the byte sequence is in little-endian or > > big-endian order? > > Curve25519 is specified in terms of byte strings, not numbers, so all > implementations take and return the same sequence of bits. So the byte order is > implicitly specified as in, say, SHA1. Added agl's comments to the file. Hope that is ok. Done.
	19 }

	20

	21 // kBasePoint is the base point (generator) of the elliptic curve group.

	22 static const unsigned char kBasePoint[32] = {9};
	Ryan Sleevi 2013/03/06 21:18:32 Can you provide more comments explaining the sourc Can you provide more comments explaining the source/derivation of this parameter (which is 9 followed by 31 zeros). agl 2013/03/06 21:47:50 It's defined as a magic value by the API. (It happ Show quoted text On 2013/03/06 21:18:32, Ryan Sleevi wrote: > Can you provide more comments explaining the source/derivation of this parameter > (which is 9 followed by 31 zeros). It's defined as a magic value by the API. (It happens to be the little-endian version of '9'). I guess we can just cite the paper. ramant (doing other things) 2013/03/08 00:10:15 Done. Show quoted text On 2013/03/06 21:47:50, agl wrote: > On 2013/03/06 21:18:32, Ryan Sleevi wrote: > > Can you provide more comments explaining the source/derivation of this > parameter > > (which is 9 followed by 31 zeros). > > It's defined as a magic value by the API. (It happens to be the little-endian > version of '9'). I guess we can just cite the paper. Done.
	23

	24 void ScalarBaseMult(const uint8* private_key, uint8* public_key) {

	25 curve25519_donna(public_key, private_key, kBasePoint);

	26 }

	27

	28 void ConvertToPrivateKey(uint8* secret) {

	29 // This makes \|secret\| a valid scalar, as specified on

	30 // http://cr.yp.to/ecdh.html

	31 secret[0] &= 248;

	32 secret[31] &= 127;

	33 secret[31] \|= 64;
	Ryan Sleevi 2013/03/06 21:18:32 Does our version not support curve25519_clamp? At Does our version not support curve25519_clamp? At least reference the section where this is described, or ideally where/why in the paper it's described. agl 2013/03/06 21:47:50 _clamp has been removed from the API as I recall. Show quoted text On 2013/03/06 21:18:32, Ryan Sleevi wrote: > Does our version not support curve25519_clamp? _clamp has been removed from the API as I recall. Although this triplet of lines is harmless, it's also superfluous and can be removed. The clamping is performed inside the scalar-mult function. ramant (doing other things) 2013/03/08 00:10:15 Added a reference to the section in the paper. Do Show quoted text On 2013/03/06 21:18:32, Ryan Sleevi wrote: > Does our version not support curve25519_clamp? > > At least reference the section where this is described, or ideally where/why in > the paper it's described. Added a reference to the section in the paper. Done.
	34 }

	35

	36 } // namespace curve25519

	37

	38 } // namespace crypto

OLD	NEW

« crypto/curve25519.h ('K') | « crypto/curve25519.h ('k') | crypto/curve25519_unittest.cc » ('j') | crypto/curve25519_unittest.cc » ('J')