X448 Diffie-Hellman key agreement on Curve448 (RFC 7748).
X448 is the 448-bit sibling of super::x25519: same Montgomery-
ladder structure, different field prime (p = 2^448 - 2^224 - 1),
different base-point u-coordinate (5 instead of 9), different
scalar clamping, and 56-byte little-endian encoding throughout
(not 32). It is the ECDH half of the RFC 8032 “Ed448 / X448” pair
and the higher-security tier of the Curve25519 / Curve448 family
used in TLS 1.3, Noise, and Signal’s future-proofing profiles.
§Side-channel posture
Same plan as super::x25519
(see arcana/doc/sca/countermeasures/x25519_x448.rst):
T1-G audit pass, T2-A Z-rerandomization on (X : Z), T2-B
scalar blinding. The implementation route is identical mutatis
mutandis on Curve448; the field arithmetic shares
super::field’s black_box-shielded mask selects.
§Constants (RFC 7748 §4.2)
| Parameter | Value |
|---|---|
| p | 2^448 - 2^224 - 1 |
| A | 156326 |
| a24 | (A - 2) / 4 = 39081 |
| Base u | 5 |
| Scalar bits | 448 (clamping sets bit 447, clears low 2 bits) |
§API
Mirror of the X25519 API with 56-byte arrays:
```rust
use arcana::ecc::x448::{x448_derive_public, x448_ecdh};
let alice_sk: [u8; 56] = /* rng */;
let bob_sk: [u8; 56] = /* rng */;
let alice_pk = x448_derive_public(&alice_sk);
let bob_pk = x448_derive_public(&bob_sk);
let s_ab = x448_ecdh(&alice_sk, &bob_pk);
let s_ba = x448_ecdh(&bob_sk, &alice_pk);
assert_eq!(s_ab, s_ba);
```
§Test vectors
The tests at the bottom of this file pin the two primitive vectors from RFC 7748 §5.2 and the full Diffie-Hellman vector from §6.2 byte-exact. Together they exercise ladder, clamping, and LE encoding against the spec.
Functions§
- x448: RFC 7748 §5 X448(scalar, u).
- x448_derive_public: Derive the X448 public key from a 56-byte secret key.
- x448_ecdh: X448 Diffie-Hellman: derive a shared secret from our secret key and the peer’s public key.