X25519 Diffie-Hellman key agreement on Curve25519 (RFC 7748).
X25519 is the “EDDH” (Edwards/Montgomery Diffie-Hellman) pairing
around Curve25519 — a Montgomery curve over p = 2^255 - 19. It
is the ECDH variant used by TLS 1.3, Noise, Signal, WireGuard,
and most modern protocols that want a fixed, fast, audit-friendly
ECDH.
Unlike the short-Weierstrass curves exposed through the
super::curves::Curve trait, X25519 works entirely on the
u-coordinate (the x-coordinate of the Montgomery form). There
is no point addition, no compressed/uncompressed distinction, and
no branch on the y-coordinate — the Montgomery ladder operates on
projective (X:Z) pairs and returns a single 32-byte little-endian
u-coordinate.
§Side-channel posture
Per arcana/doc/sca/countermeasures/x25519_x448.rst:
| Threat | Status | Roadmap item |
|---|---|---|
| Cache-timing on Montgomery ladder | partial | T1-G — audit pass mirroring Weierstrass commit 76191c1 |
| SPA on Cortex-M0 (Weissbart-Picek-Batina 2021) | vulnerable | T1-G + T2-A (Z-rerand defeats their template attack) |
| DPA on field operations | vulnerable | T2-A — Z-rerandomization on (X : Z) |
| Template attacks | vulnerable | T2-A (alignment break) + T2-B (scalar blinding) |
| Invalid-curve attack on peer pubkey | covered | RFC 7748 twist security |
| Small-subgroup contributory check | partial | T2-K — confirm CT all-zero rejection |
Curve25519 is CT by construction (single u-coordinate, no
special cases for the neutral element), but the concrete
Rust implementation can still leak through the cswap mask
pattern (see super::field black_box shielding) and
through unmodelled cache-line accesses. The
weissbart2021_curve25519_ml_sca paper demonstrated
deep-learning template attacks on Cortex-M0 even against
random-delay defences; Z-rerandomization is the standard
answer.
§API

```rust
use arcana::ecc::x25519::{x25519_derive_public, x25519_ecdh};

// Alice and Bob each draw 32 random bytes as their secret key.
let alice_sk: [u8; 32] = /* rng */;
let bob_sk: [u8; 32] = /* rng */;

// Derive public keys.
let alice_pk = x25519_derive_public(&alice_sk);
let bob_pk = x25519_derive_public(&bob_sk);

// Exchange public keys, then each side derives the shared secret.
let s_ab = x25519_ecdh(&alice_sk, &bob_pk);
let s_ba = x25519_ecdh(&bob_sk, &alice_pk);
assert_eq!(s_ab, s_ba);
```

§Test vectors
The tests at the bottom of this file pin the two §5.2 primitive vectors and the §6.1 full Diffie-Hellman vector directly from RFC 7748. Any future regression in the ladder, the clamping, or the LE byte encoding fails against those bytes immediately.
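As an added worked example (not arcana's code), the RFC 7748 §5 ladder in pure Python, wrapped the way the API above is wrapped, plus the all-zero contributory check from the posture table. The names `derive_public` and `ecdh` are assumed for illustration, and the code is not constant-time: Python big-int arithmetic leaks timing, so it is for understanding the algorithm and checking vectors only.

```python
# Added reference of RFC 7748 X25519; not arcana's code and NOT constant-time.
P = 2**255 - 19
A24 = 121665                      # (486662 - 2) / 4, the ladder constant
BASEPOINT = (9).to_bytes(32, "little")

def decode_u(u: bytes) -> int:
    # RFC 7748 §5: little-endian, top bit of the last byte masked off
    return int.from_bytes(u[:31] + bytes([u[31] & 0x7F]), "little") % P

def clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248                   # clear the low 3 bits (cofactor 8)
    k[31] = (k[31] & 127) | 64    # clear bit 255, set bit 254
    return int.from_bytes(k, "little")

def cswap(swap: int, a: int, b: int):
    d = swap * (a ^ b)            # mask-based swap, no data-dependent branch
    return a ^ d, b ^ d

def x25519(k: bytes, u: bytes) -> bytes:
    """X25519(scalar, u): 32-byte little-endian u-coordinate of k*u."""
    k, x1 = clamp(k), decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):  # bit 255 is always 0 after clamping
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def derive_public(sk: bytes) -> bytes:
    return x25519(sk, BASEPOINT)

def ecdh(sk: bytes, peer_pk: bytes) -> bytes:
    s = x25519(sk, peer_pk)
    if not any(s):  # low-order peer point; a real impl compares in constant time
        raise ValueError("non-contributory shared secret: peer point is low-order")
    return s
```

The RFC 7748 §5.2 and §6.1 vectors the page mentions can be checked against `x25519`, `derive_public` and `ecdh` directly, and feeding the all-zero u-coordinate to `ecdh` exercises the rejection path.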
§Functions
- x25519 - RFC 7748 §5 X25519(scalar, u).
- x25519_derive_public - Derive the X25519 public key from a 32-byte secret key.
- x25519_ecdh - X25519 Diffie-Hellman: derive a shared secret from our secret key and the peer's public key.