nisse@lysator.liu.se (Niels Möller) writes:
Things I'd like to do, besides optimizations:
- Switch from the plain Edwards curve to the twist used for Ed25519. Should be pretty a small change.
Done (but not yet pushed to the public repo). With only minor changes to the addition formulas, not yet using the new optimizations which become possible with this curve.
- Implement Ed25519 signatures.
This is the next thing to do, I think, before turning to optimizations. If anyone knows some eddsa25519 test vectors, that would be great. The paper doesn't include any.
- Make the ecdsa code work over curve25519. Not that I'd expect anyone to use ecdsa over that curve, but I think it's useful for validating the generality of the ecc interface, and maybe for benchmarking.
Works now, and with little impact on the normal use of ecdsa (for a while I feared it would add useless overhead for operatinos using the other curves, which I find inappropriate).
- Review the public interface, moving functions which depend on the type of curve out of ecc.h into ecc-internal.h.
Not started, but I'm getting a better idea of how it should look like.
Also, I think I'll replace
struct ecc_curve nettle_curve25519;
by
struct ecc_curve nettle_ed25519; /* or whatever name is appropriate */
since this curve is what's really implemented, and it's better defined. The spec for curve25519 doesn't define the sign of the generator (which is the sign of the y coordinate) so to provide ecc operations that involve the y coordiante as input or output, I have to choose a sign, and that can't be expected to interoperate with anything else anyway.
Regards, /Niels