Module crrl::x25519


X25519 key-exchange algorithm.

This module implements the X25519 primitive, as defined by RFC 7748. The primitive takes as input two 32-byte values, the first being the representation of a point on Curve25519 (a Montgomery curve) or on the quadratic twist of Curve25519, and the second being a scalar (a big integer). The scalar is internally “clamped” (some bits are set to specific values), then the point is multiplied by the scalar, and the output point is reencoded into 32 bytes.

The x25519() function implements exactly the process described in RFC 7748 (section 5). The x25519_base() function is an optimization of the specific case of the input point being the conventional generator point on Curve25519; x25519_base() is fully compatible with x25519(), but also substantially faster.

The x25519() function does NOT filter out any value from its input; any input sequence of 32 bytes is accepted, even if it encodes a low-order curve point. As per RFC 7748 requirements, the top point bit (the most significant bit of the last byte) is ignored. As for scalars, the clamping process ensures that the integer used for the multiplication is a multiple of 8, at least 2^254, and lower than 2^255; the three least significant bits of the first byte and the two most significant bits of the last byte are therefore ignored.

Functions

  • x25519: X25519 function (from RFC 7748), general case.
  • x25519_base: Specialized version of X25519, when applied to the conventional generator point (u = 9).