1. Basic definition of Curve25519
Curve25519 is a state-of-the-art Diffie-Hellman function suitable for a wide variety of applications.
Given a user’s 32-byte secret key, Curve25519 computes the user’s 32-byte public key. Given the user’s 32-byte secret key and another user’s 32-byte public key, Curve25519 computes a 32-byte secret shared by the two users. This secret can then be used to authenticate and encrypt messages between the two users.
Here is the high-level view of Curve25519: Each Curve25519 user has a 32-byte secret key and a 32-byte public key. Each set of two Curve25519 users has a 32-byte shared secret used to authenticate and encrypt messages between the two users.
Medium-level view: The following picture shows the data flow from secret keys through public keys to a shared secret. A hash of the shared secret Curve25519(a, Curve25519(b, 9)) is used as the key for a secret-key authentication system (to authenticate messages), or as the key for a secret-key authenticated-encryption system (to simultaneously encrypt and authenticate messages).
Low-level view: The Curve25519 function is $\mathbb{F}_p$-restricted x-coordinate scalar multiplication on $E(\mathbb{F}_{p^2})$, where $p$ is the prime number $2^{255} - 19$ and $E$ is the elliptic curve $y^2 = x^3 + 486662x^2 + x$.
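The three views above, as an added example that is not code from the paper or its reference implementation: a compact pure-Python X25519 that follows the Montgomery ladder and key clamping of RFC 7748, computing the public key Curve25519(n, 9) and the shared secret Curve25519(a, Curve25519(b, 9)). It is written for readability and, unlike the paper's software, uses a data-dependent branch for the swap, so it illustrates the arithmetic rather than the timing-attack protection.

```python
# Added example: pure-Python X25519 (Curve25519 Diffie-Hellman) per RFC 7748.
# Not the paper's code; readable, not constant-time (the swap below is a branch).
P = 2**255 - 19      # field prime p
A24 = 121665         # (A - 2) / 4 for the curve coefficient A = 486662
BASE_POINT = 9       # x-coordinate of the base point used for public keys

def clamp(secret: bytes) -> int:
    """Turn a 32-byte secret key into a scalar: clear low 3 bits, clear bit 255, set bit 254."""
    k = bytearray(secret)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def ladder(k: int, u: int) -> int:
    """Montgomery ladder: x-coordinate of k*Q given x(Q) = u, all arithmetic mod p."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):          # bit 254 is always set by clamp()
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                          # real implementations mask instead of branching
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P           # differential addition (difference is Q)
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P                  # doubling
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P    # x2 / z2 via Fermat inversion

def curve25519(secret: bytes, point: bytes) -> bytes:
    """Curve25519(n, q) from the paper: scalar n times the point with x-coordinate q."""
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)   # ignore the unused top bit
    return ladder(clamp(secret), u).to_bytes(32, "little")

def public_key(secret: bytes) -> bytes:
    """Curve25519(n, 9)."""
    return curve25519(secret, BASE_POINT.to_bytes(32, "little"))

def shared_secret(my_secret: bytes, their_public: bytes) -> bytes:
    """Curve25519(a, Curve25519(b, 9)); the paper hashes this before using it as a key."""
    return curve25519(my_secret, their_public)
```

Any 32-byte string is accepted as a public key, exactly as the paper's "free key validation" point describes; the inputs below are the Diffie-Hellman test vector from RFC 7748.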
2. Main features of Curve25519
• Extremely high speed. My software computes Curve25519 in just 832457 cycles on a Pentium III, 957904 cycles on a Pentium 4, 640838 cycles on a Pentium M, and 624786 cycles on an Athlon. Each of these numbers is a new speed record for high-security Diffie-Hellman functions.
• No time variability. Most speed reports in the cryptographic literature are for software without any protection against timing attacks. See [12], [51], and [50] for some successful attacks. Adding protection can dramatically slow down the computation. In contrast, my Curve25519 software is already immune to timing attacks, including hyperthreading attacks and other cache-timing attacks. It avoids all input-dependent branches, all input-dependent array indices, and other instructions with input-dependent timings.
• Short secret keys. The Curve25519 secret key is only 32 bytes. This is typical for high-security Diffie-Hellman functions.
• Short public keys. The Curve25519 public key is only 32 bytes. Typical elliptic-curve-Diffie-Hellman functions use 64-byte public keys; those keys can be compressed to half size, as suggested by Miller in [46], but the time for decompression is quite noticeable and usually not reported.
• Free key validation. Typical elliptic-curve-Diffie-Hellman functions can be broken if users do not validate public keys; see, e.g., [14, Section 4.1] and [3]. The time for key validation is quite noticeable and usually not reported. In contrast, every 32-byte string is accepted as a Curve25519 public key.
• Short code. My software is very small. The compiled code, including all necessary tables, is around 16 kilobytes on each CPU, and can easily fit alongside other networking tools in the CPU’s instruction cache.
3. Implementation of the Curve25519 algorithm
The code is available at: https://github.com/floodyberry/supercop/tree/master/crypto_dh/curve25519
and http://cr.yp.to/ecdh/curve25519-20050915.tar.gz
References:
[1] https://github.com/floodyberry/supercop/blob/master/crypto_dh/curve25519/
[2] https://cr.yp.to/ecdh.html
[3] The Curve25519 paper