Daiki Ueno ueno@gnu.org writes:
From 8bc6e735d4b40cbab5e187a28e01b63a04ecd92b Mon Sep 17 00:00:00 2001
From: Daiki Ueno dueno@redhat.com
Date: Fri, 23 Jun 2017 17:26:18 +0200
Subject: [PATCH 2/4] Implement Curve448 primitives
This patch adds the necessary primitives for "curve448", defined in RFC 7748. Those primitives are namely: addition, doubling, scalar multiplication of the generator or an arbitrary point, inversion, and square root.
At last, I've now merged this onto the curve448 branch.
I see you've made some changes to the needed scratch space, if I understand it correctly, you need to allow h_to_a_itch larger than mul_itch or mul_g_itch. You increase the value of ECC_ECDSA_SIGN_ITCH and add a new ECC_ECDSA_KEYGEN_ITCH. Can you comment on that?
The only reason ECDSA is affected at all by curve448, is that we have tests for ecdsa over the curve25519 and curve448, even though that's not the way these curves are intended to be used. Maybe that should just be deleted.
Performance for the scalar multiplication primitives seems to be slower than secp384 and slightly faster than secp521, and looking at point addition, it's slower than secp521. I hope that will be improved quite a bit with an optimized mod operation for the curve448 prime.
While the interface is similar to curve25519, the implementation is slightly different. For curve25519, the Pippenger tables are generated through the coordinates on the Montgomery curve. On the other hand, the tables for curve448 are directly generated from the coordinates on the corresponding Edwards curve ("edwards448").
This is no longer the case, since the handling of curve25519 was changed early on, based on your patches back then.
Regards, /Niels
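The scalar multiplication primitive discussed in this thread, as an added example that is neither Nettle's code nor part of the patch: a plain Python x-only Montgomery ladder for curve448 following RFC 7748's X448, with an independent affine doubling formula as a cross-check. The function names and the sample scalars are constructed for this illustration, and the Python is not constant-time.

```python
# Illustrative X448 (RFC 7748) arithmetic; constructed example, not Nettle code.
# Not constant-time: Python big ints leak timing, so this is for study only.
P = 2**448 - 2**224 - 1        # the curve448 prime
A = 156326                     # Montgomery coefficient A of curve448
A24 = 39081                    # (A - 2) / 4, as used by the RFC 7748 ladder

def cswap(swap, a, b):
    """Arithmetic conditional swap, as written in RFC 7748 (swap is 0 or 1)."""
    d = (-swap) & (a ^ b)      # mask is 0 or all-ones
    return a ^ d, b ^ d

def ladder(k, u):
    """u-coordinate of [k]P for the point P with u-coordinate u (raw k)."""
    x1, x2, z2, x3, z3, swap = u % P, 1, 0, u % P, 1, 0
    for t in reversed(range(448)):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P            # differential addition
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P                   # doubling
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P      # inversion via Fermat

def double_u(u):
    """Independent check: x([2]P) = (x^2 - 1)^2 / (4x(x^2 + Ax + 1))."""
    num = (u * u - 1) ** 2 % P
    den = 4 * u * (u * u + A * u + 1) % P
    return num * pow(den, P - 2, P) % P

def x448(scalar: bytes, u: bytes) -> bytes:
    """X448: clamp the 56-byte scalar, run the ladder, encode little-endian."""
    k = bytearray(scalar)
    k[0] &= 252
    k[55] |= 128
    r = ladder(int.from_bytes(k, "little"), int.from_bytes(u, "little"))
    return r.to_bytes(56, "little")

BASE_U = (5).to_bytes(56, "little")       # generator u-coordinate is 5
```

A Diffie-Hellman exchange is x448(priv_a, x448(priv_b, BASE_U)) on both sides; RFC 7748 requires rejecting an all-zero shared secret.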