ed25519 from Dan Bernstein et al
================================

For asymmetric cryptography, I use [ed25519](https://ed25519.cr.yp.to/) from
Dan Bernstein et al.  This is a variant of his curve25519 system that is
very useful for signatures; the curve has a different shape (Edwards form), and
the algorithms are better tuned, since Edwards form has properties that
simplify tuning (it is more regular).

Elliptic Curve Cryptography is a more complicated variant of the discrete
logarithm problem than RSA.  The field used here is a curve, and an
addition operation is defined that is similar to an addition of points on a
clock (where you turn P2 by the angle of the neutral element to P1); the
difference from adding two angles in Cartesian coordinates is the curve
parameter d; that's all.  This operation works uniformly for the neutral
element, for doubling and for negative elements; the curve is symmetric about
both the x and y axes.  Adding two points requires several multiplications over
the coordinate field, which is a modulo prime field.  This prime is _2^255-19_,
which gives the name of the curve.

As there is an addition, there is also a scalar multiplication (repeated
addition); as the addition is a multiplication over the coordinate field, the
scalar multiplication is (from the point of view of complexity) an
exponentiation over the coordinate field.  The inverse problem thus is a
generic discrete logarithm problem.  Unlike RSA, there is no designed-in
shortcut; RSA is also broken if you can factor a large number into two primes.
Factoring into primes is considerably simpler than was originally expected,
which means that RSA security now requires long keys, and longer keys don't
result in adequately better security (3000 bits is 128 bit security, but for
256 bits security you need a 15000 bit key — that's a factor of 5).  So
far, no shortcut to break ECC has been found (after 20 years!), provided the
parameters of the curve are good.

There are weak curves which have only a small number of points on them.
Fortunately, Dan Bernstein did characterize his curve, so it's known to
be strong.  The number of points on the curve _l_ is also a known
prime (this number is needed to calculate the modulus for multiplying scalars);
it is _2^252 + 27742317777372353535851937790883648493_.

I use ed25519 for both Diffie Hellman key exchange and for signatures.
Secret keys are generated by using 256 random bits, with a few of them
set to dedicated values to make it mod _l_.  This means you can use
any random number as secret.  For notation, I write the scalar
multiplication with the scalar on the left side in parens.  The public key
is derived from the secret key

_pk=(sk)\*base_

## Diffie Hellman Key Exchange ##

For Diffie Hellman key exchange, the identity _(sk2)\*pk1 = (sk1)\*pk2_ or

_(sk1)\*(sk2)\*base = (sk2)\*(sk1)\*base_

is used (actually with -pk, as the expansion used from signature generation
also negates the public key).  Each side multiplies the other's public key
with its own secret key; the resulting product is compressed (only x
coordinate), and then used as shared secret.  Dan Bernstein uses a hash
function to derive two pseudo-random values out of the secret; I don't do this
for the key pair.  The main reason is “nothing up my sleeve”: Dan
Bernstein doesn't explain why he's doing it, so this thing can't go in.

The ed25519 curve is isomorphic to the curve25519 curve, so the cryptography
is just as strong.  I prefer to have only one set of primitives for
signatures and key exchange, which also allows using only one secret key for
both.  Having only a 32 byte secret key allows you, e.g., to write it on a
piece of paper, and store it somewhere safe... far away from any electronics,
on a medium that lasts for centuries.

## Signatures ##

For signatures, I compute a hash of the message or file using
[Keccak](http://keccak.noekeon.org/).  The Keccak state is now
used twice, so two copies have to be made.

First, I absorb the secret key, and diffuse the state for another round.
The first 64 bytes of the Keccak state are the pseudo-random number
_k:=hash(absorb(sk,state))_, deterministic for message and secret key.  For
ECDSA, this is suggested to be a random number; as Keccak is a PRF, this
deterministic pseudo-random number is just as good.  It is guaranteed that
for different messages k is different (collisions left aside).  Now derive
a point _r_ on the curve:

_r=(k)\*base_

Compress _r_ (a point), and append (operator \|\|) the public key
to _r_, to compute another hash round on the second copy of the
Keccak state: _z=hash(absorb(r\|\|pk,state))_.  Then compute the
second parameter of the signature, _(s)=(z\*sk+k)_ (this is a scalar,
i.e. mod _l_).  The signature consists of _r_, _s_, and
takes a mere 64 bytes.

For verification, the receiver computes z again (same as above: hash the
message into Keccak state, and absorb _r\|\|pk_, followed by another hash round),
and then computes

_r:=(s)\*base - (z)\*pk = (z\*sk)\*base + (k)\*base - (z)\*(sk)\*base_

As _(z\*sk)\*base=(z)\*(sk)\*base_, the remainder is
_(k)\*base_.  If this equals the _r_ part of the
signature, the signature is valid.

Signing a message is considerably faster than verifying it, because
the most expensive function for signing is the _(k)\*base_ scalar
product; it's only 10% slower than generating a keypair.  This is
accelerated with a precomputed table.  Verifying is about as expensive
as a Diffie Hellman key exchange, because here the dominant timing is
_(z)\*pk_.  There is also some precomputation, but it takes about
three times as long in total.

## Ephemeral Key Exchange ##

For key exchange, I use my own variant of ephemeral key exchange:
First, each side generates a random keypair, and exchanges the public
keys.  The shared secret _(sk2)\*pk1=(sk1)\*pk2_ is now used to
encrypt and exchange the constant public keys of both sides, hiding
important metadata from eavesdroppers.  Another shared secret
_(skb)\*pka=(ska)\*pkb_ is generated, and concatenated to the
first shared secret; this plus a random and unique initialization
vector is the starting point to generate per-block keys.  The
advantage over a signature as used in standard ECDHE is both time (no
signing needed, and verification is slightly more expensive than key
exchange), and data transmitted — only the public key needs to go to
the other side.

## Repository ##

To implement the necessary changes (add scalar multiplication with “constant”
execution time for the DHE, i.e. no secret dependent operation), I cloned
floodberry's ed25519-donna code and added autoconf stuff for the build process,
so you need a

git clone [https://github.com/forthy42/ed25519-donna.git](https://github.com/forthy42/ed25519-donna.git)

and to compile and install it, just run `./autogen.sh && make && sudo make install`.
To install 32 bit libraries on a 64 bit system, run `autogen.sh`
with `CC="gcc -m32"`
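
The identities from the Diffie Hellman, Signatures and Ephemeral Key Exchange sections above, carried through on the real curve as an added example; this is not code from the page or from ed25519-donna. Assumptions: `hashlib.sha3_512` and its `.copy()` stand in for the author's raw Keccak state and its two copies, the curve constant d and the base point are the published Ed25519 values (RFC 8032), the "dedicated values" are taken to be the usual curve25519 clamping, and all function names are hypothetical.

```python
import hashlib
import secrets

P = 2**255 - 19                                       # field prime (from the page)
L = 2**252 + 27742317777372353535851937790883648493   # l (from the page)
# Curve constant d and base point: published Ed25519 values (RFC 8032),
# not stated on the page.
D = (-121665 * pow(121666, P - 2, P)) % P
BASE = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
        46316835694926478169428394003475163141307993866256225615783033603165251855960)
NEUTRAL = (0, 1)

def inv(x):
    return pow(x, P - 2, P)           # Fermat inverse in the coordinate field

def add(p1, p2):
    """Edwards addition (a = -1): one formula for neutral, doubling, negatives."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * inv((1 + t) % P) % P
    y3 = (y1 * y2 + x1 * x2) * inv((1 - t) % P) % P
    return (x3, y3)

def neg(p):
    return (-p[0] % P, p[1])

def mul(k, p):
    """(k)*p by double-and-add. Checks the algebra only: NOT constant time."""
    acc = NEUTRAL
    while k:
        if k & 1:
            acc = add(acc, p)
        p = add(p, p)
        k >>= 1
    return acc

def compress(p):
    """32 bytes: y little-endian, parity of x in the top bit."""
    return (p[1] | ((p[0] & 1) << 255)).to_bytes(32, "little")

def keypair(seed=None):
    """sk from 256 random bits with curve25519-style clamping (assumed)."""
    raw = bytearray(seed or secrets.token_bytes(32))
    raw[0] &= 248
    raw[31] &= 127
    raw[31] |= 64
    sk = int.from_bytes(raw, "little")
    return sk, mul(sk, BASE)          # pk = (sk)*base

def dh(sk, peer_pk):
    """Shared secret: x coordinate of (sk)*peer_pk, as described on the page."""
    return mul(sk, peer_pk)[0].to_bytes(32, "little")

def session_secret(eph_sk, peer_eph_pk, static_sk, peer_static_pk):
    """Ephemeral shared secret concatenated with the long-term one."""
    return dh(eph_sk, peer_eph_pk) + dh(static_sk, peer_static_pk)

def scalar_from(state, data):
    """Absorb data into a copy of the message hash state, reduce mod l."""
    h = state.copy()
    h.update(data)
    return int.from_bytes(h.digest(), "little") % L

def sign(sk, pk, msg):
    state = hashlib.sha3_512(msg)                      # message absorbed once
    k = scalar_from(state, sk.to_bytes(32, "little"))  # copy 1: k from sk
    r = compress(mul(k, BASE))                         # r = (k)*base
    z = scalar_from(state, r + compress(pk))           # copy 2: z from r||pk
    s = (z * sk + k) % L
    return r + s.to_bytes(32, "little")                # 64 bytes

def verify(pk, msg, sig):
    if len(sig) != 64:
        return False
    r, s = sig[:32], int.from_bytes(sig[32:], "little")
    if s >= L:                                         # reject non-canonical s
        return False
    z = scalar_from(hashlib.sha3_512(msg), r + compress(pk))
    # (s)*base - (z)*pk leaves (k)*base, which must match r from the signature
    return compress(add(mul(s, BASE), neg(mul(z, pk)))) == r
```

The `s >= L` check is an addition beyond the page's description: without it, adding _l_ to _s_ yields a second encoding that verifies for the same message.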