Re: curve25519 and eddsa

On Thu, 2015-02-26 at 11:03 +0100, Niels Möller wrote:

I've just pushed some documentation for the curve25519 and eddsa functions. This raises a few questions on the current interfaces.

1. Should ecc-curves.h really declare nettle_curve25519? Its' not needed for any of the documented functions, except for obscurities like doing ecdsa (not eddsa) over the curve. It could be moved to ecc-internal, or be marked as internal in some other way. Perhaps renaming to _nettle_ed25519 would be appropriate.

A symbol that is not used can only cause issues. Using however, _nettle_ed25519 would still export the symbol with the current ld script.

2. curve25519_mul should be changed to have a void return type (an earlier implementation failed for inputs which didn't correspond to points on the curve, but instead were points on its twist). But the current implementation, using the Montgomery ladder, doesn't care and computes a well defined result for all inputs.

No idea about this, do you think that a future re-implementation could need an error code?

3. struct ed25519_private_key and struct ed25519_public_key include compile-time constant limb arrays. At least for the public key, this will imply an ABI break if/when we switch to a base 2^51 representations for GF(2^255 - 19). So maybe switch to dynamic allocation for struct ed25519_public_key, or both structs?

I'm not familiar with the other representations, but could there be a one-size fits all structure?

regards, Nikos