Module crrl::x448

X448 key-exchange algorithm.

This module implements the X448 primitive, as defined by RFC 7748. The primitive takes as input two 56-byte values, the first being the representation of a point on Curve448 (a Montgomery curve) or on the quadratic twist of Curve448, and the second being a scalar (a big integer). The scalar is internally “clamped” (some bits are set to specific values), then the point is multiplied by the scalar, and the output point is reencoded into 56 bytes.

The x448() function implements exactly the process described in RFC 7748 (section 5). The x448_base() function is an optimization of the specific case of the input point being the conventional generator point on Curve448; x448_base() is fully compatible with x448(), but also substantially faster.

The x448() function does NOT filter out any value from its input; any input sequence of 56 bytes is accepted, even if it encodes a low-order curve point. As per RFC 7748 requirements, the top point bit (most significant bit of the last byte) is ignored. As for scalars, the clamping process ensures that the integer used for the multiplication is a multiple of 4, at least 2^447, and lower than 2^448; the two least significant bits of the first byte, and the most significant bit of the last byte, are ignored.
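Since low-order inputs are not rejected, a caller who needs contributory behaviour has to check the output. The following is an added example, not crrl code: a non-constant-time Python model of the RFC 7748 section 5 function (illustration only) with a caller-side all-zero check. The names `clamp`, `shared_secret`, `SK_A`, `SK_B`, `U` and `LOW_ORDER` are assumptions made for the example.

```python
import hmac

P = 2**448 - 2**224 - 1   # Curve448 field prime
A24 = 39081               # (A - 2) / 4 with A = 156326

def clamp(scalar: bytes) -> int:
    """RFC 7748 scalar decoding for X448 (the "clamping" described above)."""
    b = bytearray(scalar)
    b[0] &= 252     # clear two low bits: result is a multiple of 4
    b[55] |= 128    # force top bit: 2^447 <= k < 2^448
    return int.from_bytes(b, "little")

def x448(point: bytes, scalar: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; no input is filtered out."""
    assert len(point) == 56 and len(scalar) == 56
    k = clamp(scalar)
    x1 = int.from_bytes(point, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(448)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(56, "little")

def shared_secret(peer_point: bytes, my_scalar: bytes) -> bytes:
    """Caller-side guard: refuse the all-zero output a low-order input yields."""
    out = x448(peer_point, my_scalar)
    if hmac.compare_digest(out, bytes(56)):
        raise ValueError("X448 output is all-zero: low-order peer point")
    return out

# Constructed sample inputs (not RFC 7748 test vectors).
SK_A, SK_B = bytes(range(1, 57)), bytes(range(100, 156))
U = bytes(range(56))  # arbitrary 56-byte point encoding
LOW_ORDER = [v.to_bytes(56, "little") for v in (0, 1, P - 1, P, P + 1)]

if __name__ == "__main__":
    print(shared_secret(x448(U, SK_B), SK_A) == shared_secret(x448(U, SK_A), SK_B))
    print(all(x448(p, SK_A) == bytes(56) for p in LOW_ORDER))
```

Because the clamped scalar is a multiple of 4, every encoding in `LOW_ORDER` maps to the all-zero output, which is what the guard in `shared_secret` rejects.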

Functions

  • x448: X448 function (from RFC 7748), general case.
  • x448_base: Specialized version of X448, when applied to the conventional generator point (u = 9).