Thanks for reporting, Michael! For the record, the Edwards module is still experimental code written by Tobias Markmann and not fully integrated with the rest of the library. I plan to help with this and perform a partial rewrite of the library in July (no classes) to reduce complexity. Constant-time behavior will be one of the goals. I wish I was more aware of side channels in 2007 when I started coding, but I guess that's the way things are.
Best,
-- Diego Aranha

On Thu, Jun 18, 2015 at 3:53 PM Michael Hamburg <[email protected]> wrote:
> Ah. Also RELIC implements hashing to the curve, but probably not the way you want. For prime-order curves they use hunt-and-peck, which works but isn't constant time. For Edwards curves they use g^hash, which is going to outright break most protocols that use this primitive. I'm filing a bug against that.
>
> — Mike
>
> On Jun 18, 2015, at 11:45 AM, Michael Hamburg <[email protected]> wrote:
>
> Hi Frank,
>
> My library supports hashing to the curve, as do Snowshoe [*] and Libelligator [+], and not much else that I'm aware of. Especially if you want it to be constant time and/or fast. I'd bet that some of the other fancy libraries like PBC and MIRACL have it though.
>
> I somehow misread your original message as "hashing points".
>
> Cheers,
> — Mike
>
> [*] https://github.com/catid/snowshoe by Christopher A Taylor
>
> It's pretty fast and uses a 254-bit field. It doesn't export point operations, but since it's an Edwards curve it should be reasonably safe to use the internal APIs.
>
> [+] https://github.com/Yawning/libelligator
>
> I found this by Googling. It looks to be based on Donna.
>
> On Jun 18, 2015, at 11:01 AM, Frank Wang <[email protected]> wrote:
>
> Hi Mike,
>
> Well, I want a way to translate an n-bit message to a point on the curve. My understanding is that it's easiest to hash it to the curve, but I could just be confused.
>
> Does your library not support hashing to the curve?
>
> Frank
>
> On Thu, Jun 18, 2015 at 1:50 PM, Mike Hamburg <[email protected]> wrote:
>
>> Wait, do you want to hash messages to the curve, or just be able to hash curve points? The former is kind of a niche feature, though you could implement it yourself if the library doesn't support it.
>>
>> Sent from my phone. Please excuse brevity and typos.
>>
>> On Jun 18, 2015, at 10:38, Frank Wang <[email protected]> wrote:
>>
>> Hi Thomas,
>>
>> Yes. Sorry, my goal right now is that I have a key revocation scheme that I want to implement, involving elliptic curve addition, subtraction, and scalar multiplication (as well as hashing messages to the curve). I would like reasonable performance (so C does seem good) because I'm benchmarking it against AES. However, I'm willing to trade off some performance for ease of use.
>>
>> TweetNaCl seems to be designed primarily for ECDH and EC signatures rather than a general purpose elliptic curve library. I'm exploring alternatives.
>>
>> Frank
>>
>> On Thu, Jun 18, 2015 at 1:34 PM, Thomas DuBuisson <[email protected]> wrote:
>>
>>> Frank,
>>> A lot of recommendations are pouring in about C and Java libraries, on top of which I'm tempted to recommend my own in Cryptol or one of the Sage versions out there, but none of us have heard about your actual goal and needs. Could you say more about how this code will be used and what you hope to achieve?
>>>
>>> Thomas
>>>
>>> On Wed, Jun 17, 2015 at 2:16 PM, Frank Wang <[email protected]> wrote:
>>> > Hi,
>>> >
>>> > I am working on a research project at MIT, and I need to use elliptic curves (or a group where DDH is hard, but elliptic curves seem like the best way to go) to implement a cryptographic scheme. I've been trying to search for general Curve25519 and Ed25519 libraries where I can just do add and scalar multiply as well as hash messages to points. The best library I've come across so far is tweetnacl, which has the add and scalar multiply operation for Ed25519, but it's a bit difficult to use, and I end up modifying the library to do subtraction of points.
>>> >
>>> > I have yet to find a good library that allows me to just do operations on Ed25519 or Curve25519. Does such a library exist? If not, any tips on what I should do? Should I just use another curve library that is better supported? If so, any suggestions?
>>> >
>>> > Thanks,
>>> > Frank
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
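As an added illustration, not code from RELIC or from anyone on this thread, the two hash-to-curve approaches Mike contrasts, shown on a constructed toy Edwards curve: hunt-and-peck (try-and-increment), whose iteration count depends on the message, and g^hash, whose output has a discrete log relative to the generator that anyone can recompute. The prime, curve coefficient, generator and messages are all constructed for the demo and are not parameters of any real curve.

```python
import hashlib
# Constructed toy Edwards curve x^2 + y^2 = 1 + D*x^2*y^2 over F_P; not a real-world curve.
P = 1019   # prime with P % 4 == 3, so a square root is one exponentiation
D = P - 1  # D = -1 is a non-square when P % 4 == 3, which makes the addition law complete

def is_on_curve(pt):
    x, y = pt
    return (x*x + y*y - 1 - D*x*x*y*y) % P == 0

def add(p1, p2):
    # Complete Edwards addition; no exceptional cases because D is a non-square.
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2
    return ((x1*y2 + y1*x2) * pow(1 + t, -1, P) % P,
            (y1*y2 - x1*x2) * pow(1 - t, -1, P) % P)

def mul(k, pt):
    acc = (0, 1)  # neutral element
    for bit in bin(k)[2:]:  # plain double-and-add; a toy, not constant time either
        acc = add(acc, acc)
        if bit == '1':
            acc = add(acc, pt)
    return acc

def x_from_y(y):
    # Solve x^2 = (1 - y^2) / (1 - D*y^2); the denominator is never 0 as -1 is a non-square.
    r = (1 - y*y) * pow(1 - D*y*y, -1, P) % P
    x = pow(r, (P + 1) // 4, P)
    return x if x*x % P == r else None

def hash_to_int(msg, ctr):
    return int.from_bytes(hashlib.sha256(msg + bytes([ctr])).digest(), 'big') % P

def hunt_and_peck(msg):
    """Try-and-increment: returns (point, tries); tries depends on msg, the timing leak."""
    for ctr in range(256):
        y = hash_to_int(msg, ctr)
        x = x_from_y(y)
        if x is not None:
            return (x, y), ctr + 1
    raise ValueError("no point found")  # probability about 2^-256
G = next((x_from_y(y), y) for y in range(2, P) if x_from_y(y))  # any curve point with x != 0

def g_pow_hash(msg):
    """g^hash: H(m) = [h]G with h = hash(m); anyone can recompute h, the discrete log of H(m)."""
    return mul(hash_to_int(msg, 0), G)

def known_dlog(msg):
    return hash_to_int(msg, 0)  # no point arithmetic needed: the scalar is the hash itself
```

The last two functions are the whole problem with g^hash: a protocol whose proof relies on nobody knowing the discrete log of H(m) (hashed key agreement, BLS-style signatures, VRFs) loses that assumption the moment H(m) is defined as a scalar multiple of a fixed generator.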
