Daiki Ueno <u...@gnu.org> writes:

> From 8bc6e735d4b40cbab5e187a28e01b63a04ecd92b Mon Sep 17 00:00:00 2001
> From: Daiki Ueno <du...@redhat.com>
> Date: Fri, 23 Jun 2017 17:26:18 +0200
> Subject: [PATCH 2/4] Implement Curve448 primitives
>
> This patch adds the necessary primitives for "curve448", defined in
> RFC 7748.  Those primitives are namely: addition, doubling, scalar
> multiplication of the generator or an arbitrary point, inversion, and
> square root.

At last, I've now merged this onto the curve448 branch.

I see you've made some changes to the needed scratch space; if I
understand it correctly, you need to allow h_to_a_itch larger than
mul_itch or mul_g_itch. You increase the value of ECC_ECDSA_SIGN_ITCH
and add a new ECC_ECDSA_KEYGEN_ITCH. Can you comment on that?

The only reason ECDSA is affected at all by curve448, is that we have
tests for ecdsa over the curve25519 and curve448, even though that's not
the way these curves are intended to be used. Maybe that should just be
deleted.

Performance for the scalar multiplication primitives seems to be slower
than secp384 and slightly faster than secp521, and looking at point
addition, it's slower than secp521. I hope that will be improved quite
a bit with an optimized mod operation for the curve448 prime.

> While the interface is similar to curve25519, the implementation is
> slightly different.  For curve25519, the Pippenger tables are
> generated through the coordinates on the Montgomery curve.  On the
> other hand, the tables for curve448 are directly generated from the
> coordinates on the corresponding Edwards curve ("edwards448").

This is no longer the case, since the handling of curve25519 was changed
early on, based on your patches back then.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
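The primitives the quoted commit message lists (addition, doubling, scalar multiplication, inversion, square root) are shown below in a plain-Python reference implementation following RFC 7748. This is an added example, not code from nettle or from the patch under review: nettle's implementation works on Edwards coordinates with precomputed tables and constant-time field arithmetic, while this reference uses affine Montgomery formulas with branches and is only meant to show what each primitive computes and to cross-check the x-only X448 ladder against affine double-and-add. The scalars ALICE and BOB are constructed values, not RFC test vectors.

```python
# Added example (not nettle's code): curve448 primitives per RFC 7748,
# written as a readable, non-constant-time reference.

P = 2**448 - 2**224 - 1        # curve448 prime; P = 3 (mod 4)
A = 156326                     # Montgomery coefficient: v^2 = u^3 + A*u^2 + u
A24 = (A - 2) // 4             # = 39081, the constant used inside the ladder
BASE_U = 5                     # u-coordinate of the RFC 7748 generator

def inv(x):
    """Field inversion via Fermat's little theorem (P is prime); inv(0) == 0."""
    return pow(x % P, P - 2, P)

def sqrt_mod_p(x):
    """Square root mod P using P = 3 (mod 4); None if x is a non-residue."""
    r = pow(x % P, (P + 1) // 4, P)
    return r if r * r % P == x % P else None

def on_curve(pt):
    u, v = pt
    return (v * v - (u * u * u + A * u * u + u)) % P == 0

def double(pt):
    """Affine Montgomery doubling; None is the point at infinity."""
    if pt is None:
        return None
    u1, v1 = pt
    if v1 == 0:                                  # 2-torsion point doubles to infinity
        return None
    lam = (3 * u1 * u1 + 2 * A * u1 + 1) * inv(2 * v1) % P
    u3 = (lam * lam - A - 2 * u1) % P
    return (u3, (lam * (u1 - u3) - v1) % P)

def add(p1, p2):
    """Affine Montgomery addition, handling the infinity and P == Q cases."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    u1, v1 = p1
    u2, v2 = p2
    if u1 == u2:
        return None if (v1 + v2) % P == 0 else double(p1)
    lam = (v2 - v1) * inv(u2 - u1) % P
    u3 = (lam * lam - A - u1 - u2) % P
    return (u3, (lam * (u1 - u3) - v1) % P)

def scalar_mult(k, pt):
    """Left-to-right double-and-add on affine points (reference only, not constant time)."""
    acc = None
    for bit in bin(k)[2:]:
        acc = double(acc)
        if bit == '1':
            acc = add(acc, pt)
    return acc

def decode_scalar(b):
    k = bytearray(b)
    k[0] &= 252                                  # clamping per RFC 7748 section 5
    k[55] |= 128
    return int.from_bytes(k, 'little')

def decode_u(b):
    return int.from_bytes(b, 'little') % P

def encode_u(u):
    return (u % P).to_bytes(56, 'little')

def x448(k_bytes, u_bytes):
    """RFC 7748 X448: x-only Montgomery ladder; returns the encoded u-coordinate of k*U."""
    k = decode_scalar(k_bytes)
    x1 = decode_u(u_bytes)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(447, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                                 # real code uses a constant-time cswap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P; aa = a * a % P
        b = (x2 - z2) % P; bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P; d = (x3 - z3) % P
        da = d * a % P; cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return encode_u(x2 * inv(z2))

def generator():
    """Recover a v-coordinate for u = 5 with the square-root primitive."""
    return (BASE_U, sqrt_mod_p(BASE_U**3 + A * BASE_U**2 + BASE_U))

def ladder_matches_affine(k_bytes):
    """Cross-check: the x-only ladder agrees with affine double-and-add for k*G."""
    pt = scalar_mult(decode_scalar(k_bytes), generator())
    return pt is not None and encode_u(pt[0]) == x448(k_bytes, encode_u(BASE_U))

def dh_agrees(a_bytes, b_bytes):
    """Both sides of an X448 exchange derive the same shared u-coordinate."""
    g = encode_u(BASE_U)
    return x448(a_bytes, x448(b_bytes, g)) == x448(b_bytes, x448(a_bytes, g))

# Constructed 56-byte scalars for the self-checks (not RFC 7748 test vectors).
ALICE = bytes(range(56))
BOB = bytes((3 * i + 7) & 255 for i in range(56))

if __name__ == '__main__':
    print('generator on curve:', on_curve(generator()))
    print('ladder == affine:  ', ladder_matches_affine(ALICE))
    print('DH agreement:      ', dh_agrees(ALICE, BOB))
```

The `ladder_matches_affine` check is the useful part for a reviewer of this kind of patch: it ties the x-only ladder (the primitive used for key agreement) to the explicit addition and doubling formulas, so a mistake in either shows up as a mismatch on a random scalar rather than only on a fixed test vector.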