headers
Zed A. Shaw | 5 Nov 19:35

Question about Curve25519

Hey,

Didn't see a list for Curve25519 so I tried this one.  I'm basically
curious whether it's possible to leverage Curve25519 to provide simple
signing such that anyone can verify the signature.  I came up with the
following probably incredibly retarded code to generate a signature
key, but I just know it has to be wrong:

    unsigned char a_prv[32];
    unsigned char a_pub[32] = {0};
    unsigned char basepoint[32] = {9};
    unsigned char null_pubkey[32] = {0};
    unsigned char a_sigkey[32] = {0};
    unsigned char b_sigkey[32] = {0};

    a_prv[0] &= 248; a_prv[31] &= 127; a_prv[31] |= 64;

    // generate A's public key
    curve25519(a_pub, a_prv, basepoint);
    // generate a generic "null" pubkey from basepoint
    curve25519(null_pubkey, basepoint, basepoint);

    curve25519(a_sigkey, a_prv, null_pubkey);
    // A would use a_sigkey to encrypt a hash from this

    curve25519(b_sigkey, basepoint, a_pub);
    // B, knowing basepoint and A's pubkey can now verify the hash

The idea being that using basepoint for both public and private keys
generates a key everyone can create and use to verify.  But, I'm pretty
(Continue reading)

Permalink | Reply |
headers
D. J. Bernstein | 7 Nov 22:47
Picon

Re: Question about Curve25519

There are several good ways to use an elliptic curve for signatures:
ECDSA, for example, and KCDSA. The elliptic curve inside Curve25519 is
safe for these applications, but the relevant computations on that curve
haven't been implemented yet.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago
Permalink | Reply |

Gmane