-rw-r--r-- 3244 lib25519-20220426/CONTRIBUTORS raw
Curve25519 design, X25519 design: Daniel J. Bernstein. "Curve25519: new
Diffie-Hellman speed records." Pages 207–228 in Public key
cryptography—PKC 2006, 9th international conference on theory and
practice in public-key cryptography, New York, NY, USA, April 24–26,
2006, proceedings, edited by Moti Yung, Yevgeniy Dodis, Aggelos Kiayias,
Tal Malkin, Lecture Notes in Computer Science 3958, Springer, 2006, ISBN
3-540-33851-9. (The 32-bit implementations from that paper are not
included in lib25519.)
crypto_dh/x25519/ref10: Copied from public-domain
supercop/crypto_scalarmult/curve25519/ref10 code by Daniel J. Bernstein.
Tweaked in lib25519 to provide crypto_dh instead of crypto_scalarmult
(which is done as a separate wrapper in SUPERCOP), and to return void
instead of int (these functions never fail in lib25519).
crypto_sign/x25519/ref10 is similarly copied from SUPERCOP. SUPERCOP
releases: https://bench.cr.yp.to/supercop.html
crypto_dh/x25519/donna_c64: Copied from public-domain
supercop/crypto_scalarmult/curve25519/donna_c64 code by Adam Langley.
Tweaked in lib25519 to provide crypto_dh instead of crypto_scalarmult,
and to return void instead of int.
crypto_dh/x25519/amd64*: Copied from public-domain
supercop/crypto_scalarmult/curve25519/amd64* code by
Daniel J. Bernstein, Niels Duif, Tanja Lange, lead: Peter Schwabe,
Bo-Yin Yang. Tweaked in lib25519 to provide crypto_dh instead of
crypto_scalarmult, to return void instead of int, and to use consts.c
(for easy PIC) instead of consts.S.
crypto_sign/ed25519/amd64*: Copied from public-domain
supercop/crypto_sign/ed25519/amd64* code by Daniel J. Bernstein,
Niels Duif, Tanja Lange, lead: Peter Schwabe, Bo-Yin Yang. Tweaked in
lib25519 to return void from sign_keypair and sign, to use consts.c
instead of consts.S, and to eliminate some compiler warnings (window
size 64 in amd64-64-24k/sc25519.h; #ifdef SMALLTABLES around ecd).
crypto_dh/x25519/sandy2x: Copied from public-domain
supercop/crypto_scalarmult/curve25519/sandy2x code by Tung Chou.
Tweaked in lib25519 to provide crypto_dh instead of crypto_scalarmult,
to return void instead of int, and to use consts.c instead of consts.S.
crypto_sign/ed25519/nath-maa/fe25519_{mul,nsquare}.S: Kaushik Nath and
Palash Sarkar, "Efficient arithmetic in (pseudo-)Mersenne prime order
fields", Advances in Mathematics of Communications 16 (2022), pages
303–348. Original release:
https://github.com/kn-cs/pmp-farith/tree/master/gf-p2-255-19/SL
crypto_sign/ed25519/nath-maa/ge25519_base.S: New code in lib25519 from
Kaushik Nath. Other ed25519/nath-maa code is from amd64-64-24k.
crypto_hash*/sha512/*: Copied from public-domain
supercop/crypto_hash*/sha512/* code by Daniel J. Bernstein. Tweaked in
lib25519 to have crypto_hash() return void instead of int.
lib25519-speed.c: Portions based on public-domain benchmarking software
in SUPERCOP by Daniel J. Bernstein.
lib25519-test.c: Portions based on public-domain testing software in
SUPERCOP by Daniel J. Bernstein. The symmetric-cryptography code in
lib25519-test.c for generating pseudorandom test inputs and hashing test
outputs is adapted from TweetNaCl, a public-domain library by
Daniel J. Bernstein, Wesley Janssen, Tanja Lange, and Peter Schwabe.