jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
465 Commits
2 Branches
1.6 MiB
Tree: 3d5962c330
ed448goldilocks/README.md

README.md 4.5 KiB
Raw Normal View History

working on the README
9 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899 
  1. # Decaf elliptic curve library

  2. 

  3. This library is for elliptic curve research and practical application.

  4. It currently supports Ed448-Goldilocks and Curve25519.

  5. 

  6. ## Mailing lists

  7. 

  8. Because this is new software, please expect it to have bugs, perhaps

  9. even critical security bugs.  If you are using it, please sign up for

  10. updates:

  11. 

  12. * Security-critical announcements (very low volume, God willing): decaf-security@googlegroups.com

  13. * New version announcements (low volume): decaf-announce@googlegroups.com

  14. * Library discussion (potentially more volume): decaf-discuss@googlegroups.com

  15. 

  16. ## General elliptic curve operations.

  17. 

  18. This is a multi-purpose elliptic curve library.  There is a C library,

  19. and a set of C++ wrapper headers.  The C++ code consists entirely of

  20. inline calls, and has no compiled component.

  21. 

  22. The library implements a fairly complete suite of operations on the

  23. supported curves:

  24. 

  25. * Point and scalar serialization and deserialization.

  26. * Point addition, subtraction, doubling, and equality.

  27. * Point multiplication by scalars.  Accelerated double- and dual-scalar multiply.

  28. * Scalar addition, subtraction, multiplication, division, and equality.

  29. * Construction of precomputed tables from points.  Precomputed scalarmul.

  30. * Hashing to the curve with an Elligator variant.  Inverse of elligator

  31.    for steganography.  These are useful eg for PAKE.

  32. 

  33. Internally, the library uses twisted Edwards curves with the "decaf"

  34. technique to remove the curve's cofactor of 4 or 8.  More about that

  35. later.  The upshot is that systems using the "decaf" interface will

  36. be using a prime-order group, which mitigates one of the few

  37. disadvantages of Edwards curves.  However, this means that it is not

  38. able to implement systems which care about cofactor information.

  39. 

  40. The goal of this library is not only to follow best practices, but to

  41. make it easier for clients of the library to follow best practices.

  42. With a few well-marked exceptions, the functions in this library should

  43. be strongly constant-time: they do not allow secret data to flow to

  44. array indices, nor to control decisions except for a final failure

  45. check.  Furthermore, the C++ wrapping uses RAII to automatically clear

  46. sensitive data, and has interfaces designed to prevent certain mistakes.

  47. 

  48. ## CFRG cryptosystems.

  49. 

  50. The library additionally supports two cryptosystems defined by the

  51. Crypto Forum Research Group (CFRG): the X448/X25519 Diffie-Hellman

  52. functions, and the EdDSA signature scheme.  Future versions might

  53. support additional operations on these curves, such as precomputed

  54. signature verification or conversion of Ed25519 keys to Curve25519

  55. keys.  (Or they might not.  We'll see.)

  56. 

  57. ## Symmetric crypto and hashing

  58. 

  59. The Decaf library doesn't implement much symmetric crypto, but it does

  60. contain the hash functions required by the CFRG cryptosystems: SHA512,

  61. SHA-3 and SHAKE.

  62. 

  63. ## Internals

  64. 

  65. The "decaf" technique is described in https://eprint.iacr.org/2015/673

  66. While the title of that paper is "removing cofactors through point

  67. compression", it might be more accurate to say "through quotients and

  68. isogenies".  The internal representation of points is as "even" elements

  69. of a twisted Edwards curve with a=-1.  Using this subgroup removes a

  70. factor of 2 from the cofactor.  The remaining factor of 2 or 4 is

  71. removed with a quotient group: any two points which differ by an element

  72. of the 2- or 4-torsion subgroup are considered equal to each other.

  73. 

  74. When a point is written out to wire format, it is converted (by isogeny)

  75. to a Jacobi quartic curve, which is halfway between an Edwards curve

  76. and a Montgomery curve.  One of the 4 or 8 equivalent points on the

  77. Jacobi quartic is chosen (it is "distinguished" according to certain

  78. criteria, such as having a positive x-coordinate).  The x-coordinate of

  79. this point is written out.  The y-coordinate is not written out, but the

  80. decoder knows which of the two possible y-coordinates is correct because

  81. of the distinguishing rules.  See the paper for more details.

  82. 

  83. ## Licensing

  84. 

  85. Most of the source files here are by Mike Hamburg.  Those files are (c)

  86. 2014-2016 Cryptography Research, Inc (a division of Rambus). All of these

  87. files are usable under the MIT license contained in LICENSE.txt.

  88. 

  89. ## Caveats

  90. 

  91. As mentioned in the license, there is absolutely NO WARRANTY on any of this

  92. code.  This is an early release, and is likely to have security-critical

  93. bugs despite my best efforts.

  94. 

  95. I've attempted to protect against timing attacks and invalid point attacks,

  96. but as of yet I've made no attempt to protect against power analysis.

  97. 

  98. Cheers,

  99. -- Mike Hamburg