3

According to the original paper from Bernstein, public/private keys and the shared symmetric key are stored in little-endian. However, WolfSSL supports both little-endian and big-endian. What is the reason for this? May there be any security issues?

Marc

1 Answer

3

We want to answer "How many wolves are coming to attack?" by "twenty one" (big-endian), not "one twenty" (little-endian). That can be a matter of life and death, and perhaps natural selection of memes¹ made that the convention in many languages (German is an important exception). Big-endian is thus used in most human positional numeral systems.

When it comes to algorithms for exact addition of large integers, it's much easier to start with the low-order digits. Little-endian thus makes sense in some areas of computing, including making a desktop calculator, which was a motivating application of early microprocessors, and got Intel started in that business. That's why little-endian is sometimes called the Intel convention.

In network routing according to packet destination address, the low-order bits of a destination address typically do not participate in the routing, and come last in the destination address field. That could² be made ever so slightly advantageous: having the high-order bits first allows finding the destination earlier. That's how I remember big-endian is called "network order".

In computing, the farther away from hardware, the more big-endian. Because predators.

In crypto, both still coexist, but there's a perceptible trend towards big-endianness. MD5 is little-endian (that made the very first collision exhibited wrong), SHA-1 and later hashes are big-endian. That's the NIST order. And ASN.1 integers are big-endian, thus it has won for many practical purposes.

Bernstein has a history of being a skilled low-level programmer of Intel-compatible CPUs (even recommending some), and generally opposes NIST. That's how I remember Curve25519 is nominally little-endian. OTOH, that's a mere convention that should be without cryptographic significance. When adding Curve25519 to something existing, it's possible to get it big-endian (by accident or design), and keep/have that as an option.


¹ I know no evidence big-endianness went genetic!

² The tale of traders making special network equipment to crush the last nanoseconds of latency could use that. I can't pinpoint any network equipment, much less a modern one, that does. But I like the idea, and still hope something (a supercomputer cluster maybe) would use it.

fgrieu