Curve25519-donna changes.

crypto/curve25519.cc

Index: crypto/curve25519.cc
===================================================================
--- crypto/curve25519.cc	(revision 0)
+++ crypto/curve25519.cc	(revision 0)
@@ -0,0 +1,38 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "crypto/curve25519.h"
+
+// Prototype for |curve25519_donna| function in
+// third_party/curve25519-donna/curve25519-donna.c
+extern "C" int curve25519_donna(uint8*, const uint8*, const uint8*);
+
+namespace crypto {
+
+namespace curve25519 {
+
+void ScalarMult(const uint8* private_key,
+                const uint8* peer_public_key,
+                uint8* shared_key) {
+  curve25519_donna(shared_key, private_key, peer_public_key);

[wtc, 2013/03/06 21:26:44]

agl: |shared_key| is the x coordinate of the result.

As the output of ECDH key agreement, we need to specify how
to serialize the x coordinate as a byte sequence. Do you
know whether the byte sequence is in little-endian or
big-endian order?

The usual byte order for ECDH shared secret over a prime
field is big-endian. See NIST SP 800-56A, Appendix C.1 and
C.2.

[agl, 2013/03/06 21:47:50]

Curve25519 is specified in terms of byte strings, not numbers, so all
implementations take and return the same sequence of bits. So the byte order is
implicitly specified as in, say, SHA1.

[ramant (doing other things), 2013/03/08 00:10:15]

Done.

[ramant (doing other things), 2013/03/08 00:10:15]

Added agl's comments to the file. Hope that is ok.

Done.

+}
+
+// kBasePoint is the base point (generator) of the elliptic curve group.
+static const unsigned char kBasePoint[32] = {9};

[Ryan Sleevi, 2013/03/06 21:18:32]

Can you provide more comments explaining the source/derivation of this parameter
(which is 9 followed by 31 zeros).

[agl, 2013/03/06 21:47:50]

It's defined as a magic value by the API. (It happens to be the little-endian
version of '9'). I guess we can just cite the paper.

[ramant (doing other things), 2013/03/08 00:10:15]

Done.

+
+void ScalarBaseMult(const uint8* private_key, uint8* public_key) {
+  curve25519_donna(public_key, private_key, kBasePoint);
+}
+
+void ConvertToPrivateKey(uint8* secret) {
+  // This makes |secret| a valid scalar, as specified on
+  // http://cr.yp.to/ecdh.html
+  secret[0] &= 248;
+  secret[31] &= 127;
+  secret[31] |= 64;

[Ryan Sleevi, 2013/03/06 21:18:32]

Does our version not support curve25519_clamp?

At least reference the section where this is described, or ideally where/why in
the paper it's described.

[agl, 2013/03/06 21:47:50]

_clamp has been removed from the API as I recall.

Although this triplet of lines is harmless, it's also superfluous and can be
removed. The clamping is performed inside the scalar-mult function.

[ramant (doing other things), 2013/03/08 00:10:15]

Added a reference to the section in the paper.

Done.

+}
+
+}  // namespace curve25519
+
+}  // namespace crypto