by byuu 3537 days ago
Very interesting! I've been working on implementing (Ed,Curve)25519 recently.

It's been really fascinating to learn how to use hyperelliptic.org/EFD and turn the pure optimized voodoo of DJB's C implementations into minimalist C++ code.

Here is my current progress: http://hastebin.com/raw/vohusotobe

After separating the math operations on the prime field (2^255-19) into its own type, I was able to reduce Curve25519 to a 30-line class, that's still (hopefully) safe from side-channel leaks and ~90% as fast as the original C version was. Ed's about three times that size on account of all the hashing that's involved, and building a table for scalar multiply over the constant B.

However, there's still a very clear gap in my knowledge of how it all actually works. The math is so far beyond my current knowledge that I don't really have any understanding of its potential weaknesses. The best I can do so far is compare and confirm test vectors against the official implementation, and rely on the work of others in verifying the strength and security of the curve itself.

I'll definitely try and go through this set the next time I have downtime.
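The structure the comment describes, a prime-field type underneath a short Curve25519 scalar-multiply, as an added example that is not the commenter's C++ code and not DJB's reference implementation. It follows the X25519 ladder from RFC 7748, uses Python's big integers for GF(2^255-19), and flags the all-zero output that a low-order input point produces (the check RFC 7748 recommends). Python integer arithmetic is not constant-time, so the masked conditional swap shows the shape of a side-channel-aware ladder, not a guarantee of one; the function and constant names below are this example's own.

```python
# Added example: X25519 (Curve25519 Montgomery ladder, RFC 7748 section 5) on
# top of a separate field-element type for GF(2^255-19).  Not constant-time in
# Python; the cswap shows the masking pattern a native implementation would use.

P = 2**255 - 19           # the prime of the field
A24 = 121665              # (A - 2) / 4 for Curve25519's A = 486662
BASEPOINT = bytes([9]) + bytes(31)   # u = 9, little-endian encoding


class Fe:
    """An element of GF(2^255-19); every value is kept reduced mod P."""
    __slots__ = ("v",)

    def __init__(self, v: int):
        self.v = v % P

    def __add__(self, o: "Fe") -> "Fe": return Fe(self.v + o.v)
    def __sub__(self, o: "Fe") -> "Fe": return Fe(self.v - o.v)
    def __mul__(self, o: "Fe") -> "Fe": return Fe(self.v * o.v)
    def __eq__(self, o: object) -> bool: return isinstance(o, Fe) and self.v == o.v

    def sq(self) -> "Fe":
        return self * self

    def inv(self) -> "Fe":
        # Fermat inversion: x^(p-2) = x^-1 in a prime field (and 0 maps to 0).
        return Fe(pow(self.v, P - 2, P))


def cswap(swap: int, a: Fe, b: Fe) -> tuple:
    """Swap a and b iff swap == 1, via an arithmetic mask rather than a branch."""
    mask = (0 - swap) & ((1 << 256) - 1)   # all ones when swap == 1, else zero
    d = (a.v ^ b.v) & mask
    return Fe(a.v ^ d), Fe(b.v ^ d)


def decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 section 5 prescribes."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes) -> Fe:
    """Little-endian u-coordinate; the unused top bit is masked off."""
    return Fe(int.from_bytes(u, "little") & ((1 << 255) - 1))


def ladder(k: int, u: Fe) -> Fe:
    """Montgomery ladder computing the u-coordinate of k * (u, ...)."""
    x1 = u
    x2, z2 = Fe(1), Fe(0)
    x3, z3 = u, Fe(1)
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a = x2 + z2
        aa = a.sq()
        b = x2 - z2
        bb = b.sq()
        e = aa - bb
        c = x3 + z3
        d = x3 - z3
        da = d * a
        cb = c * b
        x3 = (da + cb).sq()
        z3 = x1 * (da - cb).sq()
        x2 = aa * bb
        z2 = e * (aa + Fe(A24) * e)
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * z2.inv()


def x25519_raw(k: bytes, u: bytes) -> bytes:
    """Scalar multiply with no output check; returned bytes are little-endian."""
    return ladder(decode_scalar(k), decode_u(u)).v.to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """X25519 with the all-zero check: a low-order peer point yields zeros."""
    out = x25519_raw(k, u)
    if out == bytes(32):
        raise ValueError("low-order input point: shared secret is all zeros")
    return out


def public_key(k: bytes) -> bytes:
    return x25519(k, BASEPOINT)
```

Running `public_key` on the RFC 7748 section 6.1 private keys reproduces the published public keys, and both sides' `x25519` calls agree on the shared secret; feeding the all-zero u-coordinate (a low-order point) through `x25519_raw` returns 32 zero bytes, which is why the checked `x25519` refuses it.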