org.bouncycastle.math.ec.rfc7748
Class X25519
java.lang.Object
org.bouncycastle.math.ec.rfc7748.X25519
- public abstract class X25519
- extends java.lang.Object
A low-level implementation of X25519 (RFC 7748).
Algorithm map.
generatePrivateKey(java.security.SecureRandom, byte[]) — 32 random bytes followed by
clampPrivateKey(byte[]) (RFC 7748 sec. 5 clamping: clear bits
254..255 then 0..2, set bit 254).
generatePublicKey(byte[], int, byte[], int) / scalarMultBase(byte[], int, byte[], int) —
computed as on the birationally-equivalent
curve via
Ed25519#scalarMultBaseYZ(Friend, byte[], int, int[], int[])
(a signed multi-comb in extended Edwards coordinates), then
converted to the curve25519 coordinate using the RFC
7748 sec. 4.1 birational map
where .
scalarMult(byte[], int, byte[], int, byte[], int) (key agreement) — Montgomery ladder on
XZ-only projective coordinates per RFC 7748 sec. 5, with
per-bit constant-time ; the
curve constant is precomputed from
. The final three doublings correspond to the
always-cleared low bits of the scalar; these clear the cofactor
to ensure a non-twist result.
calculateAgreement(byte[], int, byte[], int, byte[], int) — scalarMult(byte[], int, byte[], int, byte[], int) followed
by the RFC 7748 sec. 6.1 all-zero rejection.
Side-channel scope. Secret-scalar operations are written to be
constant-time at the Java level: the Montgomery ladder in
scalarMult(byte[], int, byte[], int, byte[], int) performs identical field operations per bit with
branchless ; scalarMultBase(byte[], int, byte[], int) routes through the
Ed25519 signed-comb, which walks all precomputed entries with mask-based
rather than a secret-indexed array load and applies
conditional negation by XOR-with-mask; the final modular inverse uses
constant-time . The all-zero rejection in
calculateAgreement(byte[], int, byte[], int, byte[], int) runs an OR-accumulator and only leaks the
RFC-mandated public rejection criterion. This is sufficient against a
remote network timing attacker but is not a substitute for a constant-time
native implementation against a co-located cache-line-resolution
adversary — JVM-level timing variance from JIT, GC and cache
eviction is not addressable in pure Java.
|
Method Summary |
static boolean |
calculateAgreement(byte[] k,
int kOff,
byte[] u,
int uOff,
byte[] r,
int rOff)
|
static void |
clampPrivateKey(byte[] k)
|
static void |
generatePrivateKey(java.security.SecureRandom random,
byte[] k)
|
static void |
generatePublicKey(byte[] k,
int kOff,
byte[] r,
int rOff)
|
static void |
precompute()
|
static void |
scalarMult(byte[] k,
int kOff,
byte[] u,
int uOff,
byte[] r,
int rOff)
|
static void |
scalarMultBase(byte[] k,
int kOff,
byte[] r,
int rOff)
|
| Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
POINT_SIZE
public static final int POINT_SIZE
- See Also:
- Constant Field Values
SCALAR_SIZE
public static final int SCALAR_SIZE
- See Also:
- Constant Field Values
X25519
public X25519()
calculateAgreement
public static boolean calculateAgreement(byte[] k,
int kOff,
byte[] u,
int uOff,
byte[] r,
int rOff)
clampPrivateKey
public static void clampPrivateKey(byte[] k)
generatePrivateKey
public static void generatePrivateKey(java.security.SecureRandom random,
byte[] k)
generatePublicKey
public static void generatePublicKey(byte[] k,
int kOff,
byte[] r,
int rOff)
precompute
public static void precompute()
scalarMult
public static void scalarMult(byte[] k,
int kOff,
byte[] u,
int uOff,
byte[] r,
int rOff)
scalarMultBase
public static void scalarMultBase(byte[] k,
int kOff,
byte[] r,
int rOff)