Description
After discussion with @Daeinar , there seems to be a need to clean up the group/-directory (again). As this is a backward-incompatible change, I don't know how and when this change should go in. But we should discuss it...
The question came up with ByzGen about our use of Curve25519. This curve can be represented in two different ways:
- Twisted Edward Curve: https://tools.ietf.org/html/rfc8032
- Montgomery Curve: https://tools.ietf.org/html/rfc7748
The two representations are isogenic, which means that you can get from one representation to the other with a change of coordinates.
The two (three) curve25519 implementation in kyber are as follows:
Ed25519ingroup/ed25519is either constant-time, or variable-time, Twisted Edwards Curve implementationCurve25519ingroup/curve25519is a variable-time, Twisted Edwards Curve implementation
As of 2019, it seems that a consensus is materializing, where Edwards25519 refers to the Twisted Edwards representation, while Curve25519 refers to the Montgomery representation.
Additionally, the nist package holds only the p256 curve.
This is why we propose to:
- Keep
Ed25519as is - Change the name of
Curve25519, or remove it, and keep only the additional curves in there - Change the
nistpackage top256 - Add a Montgomery representation of
Curve25519to the repo and call this oneCurve25519