I have developed a compact and at the same time high-performance library for curve25519/ed25519 and I have placed it in the public domain. It supports DH key exchange as well as ed25519 keygen, sign and verify. The implementation is constant-time, supports blinding, bulk-verify and more.

The library is available as portable C as well as ASM for Intel x64 CPUs. It outperforms curve25519-donna by a factor of 3.6 to 11 depending on the target.

You may have a look at the source code hosted at:
https://github.com/msotoodeh/curve25519.

I was wondering if OpenSSH is a suitable home for this library?

Thanks, Mehdi.
I haven't looked at the code... and I'm not qualified to look at assembly and crypto code, so I won't comment on that, but you are not exactly clear on the license of the code. In your readme you first state 'All rights reserved' ... then claim the code is in 'the public domain'. Looking into the headings in the source code, I see a BSD-like license text:

    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that source code retains the
    above copyright notice and following disclaimer.

But otherwise... well done on building a fast cipher.

Mark

On Wed, Jun 10, 2015 at 5:16 AM, Mehdi Sotoodeh <mehdisotoodeh at gmail.com> wrote:
> I have developed a compact and at the same time high-performance library for
> curve25519/ed25519 and I have placed it in the public domain. It supports DH
> key exchange as well as ed25519 keygen, sign and verify. The implementation
> is constant-time, supports blinding, bulk-verify and more.
>
> The library is available as portable C as well as ASM for Intel x64 CPUs.
> It outperforms curve25519-donna by a factor of 3.6 to 11 depending on the
> target.
>
> You may have a look at the source code hosted at:
> https://github.com/msotoodeh/curve25519.
>
> I was wondering if OpenSSH is a suitable home for this library?
>
> Thanks, Mehdi.

-- 
Mark Janssen -- maniac(at)maniac.nl
Unix / Linux Open-Source and Internet Consultant
Maniac.nl Sig-IO.nl Vps.Stoned-IT.com
Mehdi Sotoodeh wrote:
> I have developed a compact and at the same time high-performance library for
> curve25519/ed25519 and I have placed it in the public domain.

Since public domain is not recognized worldwide it would be much better to claim your copyright but publish the code under a very permissive license. BSD-2 is a good fit for something you want to propose for BSD projects. I like MIT too.

//Peter
Hi Mark,

Thanks for taking the time and pointing out the inconsistencies in the license terms. You are right and I have not paid enough attention to it. This can be changed easily to meet OpenSSH requirements.

I am considering a cleanup round to get rid of duplicates and some reorganization of files. I welcome reviews and appreciate comments.

Regards,
mehdi.

Sent from my iPad

> On Jun 10, 2015, at 3:11 AM, Mark Janssen <maniac.nl at gmail.com> wrote:
>
> I haven't looked at the code... and I'm not qualified to look at assembly and crypto code, so I won't comment on that, but you are not exactly clear on the license of the code. In your readme you first state 'All rights reserved' ... then claim the code is in 'the public domain'. Looking into the headings in the source code, I see a BSD-like license text:
>
>     Redistribution and use in source and binary forms, with or without
>     modification, are permitted provided that source code retains the
>     above copyright notice and following disclaimer.
>
> But otherwise... well done on building a fast cipher.
>
> Mark
>
> [...]
On Tue, 9 Jun 2015, Mehdi Sotoodeh wrote:
> I have developed a compact and at the same time high-performance library for
> curve25519/ed25519 and I have placed it in the public domain. It supports DH
> key exchange as well as ed25519 keygen, sign and verify. The implementation
> is constant-time, supports blinding, bulk-verify and more.
>
> The library is available as portable C as well as ASM for Intel x64 CPUs.
> It outperforms curve25519-donna by a factor of 3.6 to 11 depending on the
> target.

Great work! Unfortunately I don't feel qualified to review crypto primitives for correctness - this is why we went with reference implementations for curve25519/ed25519. You should see about getting your implementation into NaCl or libsodium.

We should see about making it possible to use libsodium for some crypto...

-d
On 2015-06-10, Mehdi Sotoodeh <mehdisotoodeh at gmail.com> wrote:
> I have developed a compact and at the same time high-performance library for
> curve25519/ed25519 and I have placed it in the public domain. It supports DH
> key exchange as well as ed25519 keygen, sign and verify. The implementation
> is constant-time, supports blinding, bulk-verify and more.
     ^^^^^^^^^^^^^

I'm skeptical of this claim. The ecp_Cmp() function is blatantly not constant-time, and strewn about the source there are various unbalanced if(...) branches and while(...) loops with a variable number of iterations.

-- 
Christian "naddy" Weisgerber                          naddy at mips.inka.de
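An added example, not code from the library under discussion (ecp_Cmp() itself is not reproduced here), to make concrete the kind of pattern naddy is pointing at: a comparison of two 32-byte little-endian field elements written the usual early-exit way, beside a version that touches every byte and never branches on the data, plus a constant-time equality check of the sort a `memcmp` replacement needs. The function names (`cmp_variable_time`, `cmp_constant_time`, `ct_equal`, `selftest`) and the test vectors are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not code from the curve25519 library under discussion.
 * Both comparison functions take 32-byte little-endian field elements and
 * return -1 if a < b, 0 if a == b, 1 if a > b. */

#define FE_BYTES 32

/* Variable-time: scans from the most significant byte and stops at the
 * first difference, so the iteration count and the branch taken depend on
 * the operands. *bytes_examined reports how many bytes were touched, which
 * is exactly the quantity a timing side channel would expose. */
int cmp_variable_time(const uint8_t a[FE_BYTES], const uint8_t b[FE_BYTES],
                      size_t *bytes_examined)
{
    size_t n = 0;
    int r = 0;
    for (size_t i = FE_BYTES; i-- > 0;) {
        n++;
        if (a[i] != b[i]) {
            r = (a[i] < b[i]) ? -1 : 1;
            break;
        }
    }
    if (bytes_examined != NULL)
        *bytes_examined = n;
    return r;
}

/* Constant-time: visits all 32 bytes, no data-dependent branch or index.
 * gt and lt are 0/1 flags; once either is set, the remaining (less
 * significant) bytes are masked out and cannot change the result. */
int cmp_constant_time(const uint8_t a[FE_BYTES], const uint8_t b[FE_BYTES])
{
    uint32_t gt = 0, lt = 0;
    for (size_t i = FE_BYTES; i-- > 0;) {
        uint32_t x = a[i], y = b[i];
        /* For 8-bit x, y: bit 8 of (y - x) mod 2^32 is set iff x > y. */
        uint32_t x_gt_y = ((y - x) >> 8) & 1;
        uint32_t x_lt_y = ((x - y) >> 8) & 1;
        uint32_t undecided = (gt | lt) ^ 1;   /* 1 until a higher byte decided */
        gt |= x_gt_y & undecided;
        lt |= x_lt_y & undecided;
    }
    return (int)gt - (int)lt;
}

/* Constant-time equality for an arbitrary length: OR all byte differences,
 * then fold the accumulator to a 0/1 flag without branching. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= (uint32_t)(a[i] ^ b[i]);
    /* acc is in 0..255; (acc - 1) >> 8 has bit 0 set only when acc == 0. */
    return (int)(((acc - 1) >> 8) & 1);
}

/* Exercises the functions above on constructed inputs; returns 1 on success. */
int selftest(void)
{
    uint8_t a[FE_BYTES] = {0}, b[FE_BYTES] = {0};
    size_t n_hi = 0, n_lo = 0;

    /* Difference in the most significant byte: early exit after one byte. */
    a[FE_BYTES - 1] = 1;
    if (cmp_variable_time(a, b, &n_hi) != 1 || n_hi != 1) return 0;
    if (cmp_constant_time(a, b) != 1) return 0;

    /* Difference only in the least significant byte: all 32 bytes scanned. */
    a[FE_BYTES - 1] = 0;
    b[0] = 7;
    if (cmp_variable_time(a, b, &n_lo) != -1 || n_lo != FE_BYTES) return 0;
    if (cmp_constant_time(a, b) != -1) return 0;
    if (ct_equal(a, b, FE_BYTES) != 0) return 0;

    /* Equal operands. */
    b[0] = 0;
    if (cmp_variable_time(a, b, NULL) != 0) return 0;
    if (cmp_constant_time(a, b) != 0) return 0;
    if (ct_equal(a, b, FE_BYTES) != 1) return 0;

    /* A higher byte must win even when every lower byte points the other way. */
    a[FE_BYTES - 1] = 2;
    b[FE_BYTES - 1] = 1;
    for (size_t i = 0; i + 1 < FE_BYTES; i++) { a[i] = 0; b[i] = 0xff; }
    if (cmp_constant_time(a, b) != 1) return 0;
    if (cmp_constant_time(b, a) != -1) return 0;

    return 1;
}
```

The point of `bytes_examined` is that the early-exit version does 1 iteration when the operands differ at the top and 32 when they differ only at the bottom; that gap is what a timing measurement recovers. Note also that writing the mask arithmetic in C is not the end of the job: an optimising compiler is free to turn `undecided` back into a branch, so a constant-time claim has to be checked on the generated assembly (or with a tool that instruments the object code), not on the C source alone.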
Hi,

The main advantage of your contribution is a speed increase. The disadvantage is that your implementation has not been reviewed for security by experts yet, and thus is not as reliable as the reference implementation. I believe OpenSSH (and libssh from my pov) is not the right place to introduce experimental cryptographic code. The speed increase advantage is not very relevant to SSH, because the key exchange happens only once per session (on average), and we were using much slower algorithms till last year (DH and ECDH), that nobody ever complained about.

You should probably try to get that code to be part of OpenSSL. I believe cryptographic implementations should go in crypto libs, and we should bundle/maintain as little crypto code as possible in crypto-consuming projects.

Aris

On 10/06/15 05:16, Mehdi Sotoodeh wrote:
> I have developed a compact and at the same time high-performance library for
> curve25519/ed25519 and I have placed it in the public domain. It supports DH
> key exchange as well as ed25519 keygen, sign and verify. The implementation
> is constant-time, supports blinding, bulk-verify and more.
>
> The library is available as portable C as well as ASM for Intel x64 CPUs.
> It outperforms curve25519-donna by a factor of 3.6 to 11 depending on the
> target.
>
> You may have a look at the source code hosted at:
> https://github.com/msotoodeh/curve25519.
>
> I was wondering if OpenSSH is a suitable home for this library?
>
> Thanks, Mehdi.
On Sat, Jun 13, 2015 at 1:21 PM, Aris Adamantiadis <aris at 0xbadc0de.be> wrote:
> Hi,
>
> The main advantage of your contribution is a speed increase. The
> disadvantage is that your implementation has not been reviewed for security
> by experts yet, and thus is not as reliable as the reference implementation.
> I believe OpenSSH (and libssh from my pov) is not the right place to
> introduce experimental cryptographic code. The speed increase advantage is
> not very relevant to SSH, because the key exchange happens only once per
> session (on average), and we were using much slower algorithms till last
> year (DH and ECDH), that nobody ever complained about.
>
> You should probably try to get that code to be part of OpenSSL. I believe

Or LibreSSL :)