1 (edited by michymd 2017-06-01 03:41:20)

Topic: Curve25519 implementation

Hi,

I wanted to ask a question about the implementation of Curve25519. I have used wolfssl and the "donna" implementation https://code.google.com/archive/p/curve25519-donna/. I have used the same private key with the two libraries to generate the public key but got two different public keys. What are the differences in the implementation of this curves? How does wolfssl differ from the donna implementation and what are the security implications?

Thanks a lot.

Kind regards,
Michela

Share

Re: Curve25519 implementation

Hi Michela,

Which APIs are being used with wolfSSL to generate a public key from the private key? One thing to keep in mind is that wolfSSL's export/import curve25519 key functions use Big Endian format. It can optionally be selected big or little endian with *_ex functions

Regards,
Jacob

Share

Re: Curve25519 implementation

Hi Jacob,

thanks for replying.
What I did was to generate the key pair using wc_curve25519_make_key(..). Then printed the private key and used it to generate the public key using other libraries, among which the one I mention in the post that generates a different public key. I used yet another library with which I get the same public key generated with wolfSSL API. I'll try to use the *_ex function instead and see if I get the same public key.

Thanks,
Michela

Share

Re: Curve25519 implementation

Hi Jacob,

I inverted the bytes of the private key I obtain by using wolfSSL wc_curve25519_make_key(..), input that into another librariy and finally got the same public key! Thank you for mentioning the little/bin endian format smile

Regards,
Michela

Share

Re: Curve25519 implementation

That's great! Glad to help.

Thanks for asking the question. This will be a good resource for others that may encounter the same thing.

Regards,
Jacob

Share

Re: Curve25519 implementation

Hi Jacob,

is there an API that allows to compute a public key by providing a private key as input? I have had a look at the import functions and if I'm not wrong the import of the private key doesn't trigger the derivation of the public key.

Thanks,
Michela

Share

Re: Curve25519 implementation

Hi Michela,

That is correct. There currently is not API for generating a public key from a private key. Or an automated derivation of the public key from an imported private key. Will add this functionality to the desired feature list.

Can you share some about the project and use case?

Regards,
Jacob

Share

Re: Curve25519 implementation

Hi Jacob,

I wanted to recreate the key pair from the private key to perform a check of the endianness.
I was thinking that this key regeneration API could be also useful for checking the correctness of the imported key pair. When I import private/public key, if the key gets recreated, then a comparison between the recreated public key and the one passed in could signal an error in the imported key pair. I see this useful when performing tests.

I would have another question this time related to Ed25519 (should I open another topic for this?). I couldn't find in the source code any comment about the endianness of the exported keys. I have looked into the API code and what I could get from the maths operation is that the outputted keys should be big endian. Could you confirm that my understanding is correct?
In curve25519 case, import/export methods can be adapted to the desired endianness. Why that is not possible for ed25519?

Thank you very much for your help.

Regards,
Michela

Share

Re: Curve25519 implementation

Hi Michela,

Thank you for the information. It would be good to have the public key generation for testing purposes. Generation of public keys from private curve25519 keys has been added to the desired feature list.

The output for key generation of Ed25519 is in little endian. In the case of curve25519 there was some drafts out at the time of implementation that were using a big endian format. To have the curve25519 implementation interop with some of the early TLS curve25519 drafts the use of exporting/importing big endian keys was enabled.

Regards,
Jacob

Share