1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-11-27 01:48:17 +00:00
trezor-firmware/curve25519-donna
2016-11-06 15:16:09 +01:00
..
curve25519-donna-32bit.h use curve25519-donna from floodyberry 2016-10-24 20:51:57 +02:00
curve25519-donna-64bit.h use curve25519-donna from floodyberry 2016-10-24 20:51:57 +02:00
curve25519-donna-common.h use curve25519-donna from floodyberry 2016-10-24 20:51:57 +02:00
curve25519-donna-portable-identify.h use curve25519-donna from floodyberry 2016-10-24 20:51:57 +02:00
curve25519-donna-portable.h undef ALIGN macro in curve25519 2016-11-06 15:16:09 +01:00
curve25519-donna-scalarmult-base.h use curve25519-donna from floodyberry 2016-10-24 20:51:57 +02:00
curve25519-donna-scalarmult-sse2.h use curve25519-donna from floodyberry 2016-10-24 20:51:57 +02:00
curve25519-donna-sse2.h use curve25519-donna from floodyberry 2016-10-24 20:51:57 +02:00
curve25519-donna.h use curve25519-donna from floodyberry 2016-10-24 20:51:57 +02:00
curve25519.c use curve25519-donna from floodyberry 2016-10-24 20:51:57 +02:00
curve25519.h use curve25519-donna from floodyberry 2016-10-24 20:51:57 +02:00
README.md use curve25519-donna from floodyberry 2016-10-24 20:51:57 +02:00

curve25519 is an elliptic curve, developed by Dan Bernstein, for fast Diffie-Hellman key agreement. DJB's original implementation was written in a language of his own devising called qhasm. The original qhasm source isn't available, only the x86 32-bit assembly output.

This project provides performant, portable 32-bit & 64-bit implementations. All implementations are of course constant time in regard to secret data.

Performance

Compilers versions are gcc 4.6.3, icc 13.1.1, clang 3.4-1~exp1.

Counts are in thousands of cycles.

Note that SSE2 performance may be less impressive on AMD & older CPUs with slower SSE ops!

E5200 @ 2.5ghz, march=core2
Versiongcciccclang
64-bit SSE2 278k 265k 302k
64-bit 273k 271k 377k
32-bit SSE2 304k 289k 317k
32-bit 1417k 845k 981k
E3-1270 @ 3.4ghz, march=corei7-avx
Versiongcciccclang
64-bit 201k 192k 233k
64-bit SSE2 201k 201k 261k
32-bit SSE2 238k 225k 250k
32-bit 1293k 822k 848k

Compilation

No configuration is needed.

32-bit
gcc curve25519.c -m32 -O3 -c
64-bit
gcc curve25519.c -m64 -O3 -c
SSE2
gcc curve25519.c -m32 -O3 -c -DCURVE25519_SSE2 -msse2
gcc curve25519.c -m64 -O3 -c -DCURVE25519_SSE2

clang, icc, and msvc are also supported

Named Versions

Define CURVE25519_SUFFIX to append a suffix to public functions, e.g. -DCURVE25519_SUFFIX=_sse2 to create curve25519_donna_sse2 and curve25519_donna_basepoint_sse2.

Usage

To use the code, link against curve25519.o and:

#include "curve25519.h"

To generate a private/secret key, generate 32 cryptographically random bytes:

curve25519_key sk;
randombytes(sk, sizeof(curve25519_key));

Manual clamping is not needed, and it is actually not possible to use unclamped keys due to the code taking advantage of the clamped bits internally.

To generate the public key from the private/secret key:

curve25519_key pk;
curve25519_donna_basepoint(pk, sk);

To generate a shared key with your private/secret key and someone elses public key:

curve25519_key shared;
curve25519_donna(shared, mysk, yourpk);

And hash shared with a cryptographic hash before using, or e.g. pass shared through HSalsa20/HChacha as NaCl does.

Testing

Fuzzing against a reference implemenation is now available. See fuzz/README.

Building curve25519.c and linking with test.c will run basic sanity tests and benchmark curve25519_donna.

Papers

djb's curve25519 paper

License

Public Domain, or MIT