JEP for X25519/X448 key agreement

Adam Petcher adam.petcher at
Thu Sep 14 16:59:51 UTC 2017

The JEP for X25519/X448 key agreement[1] is now available and ready to 
review. Please take a look and reply with any feedback you have.

The JEP contains a description of the proposed JCA API. We have 
discussed the API on this mailing list, and I have attempted to 
incorporate all the feedback I have received. Here is a description of 
the changes since the last discussion:

1) Multiple people requested more specific types for public/private keys 
for this algorithm. The latest API design mirrors the "EC" hierarchy and 
has both interfaces and spec classes for public and private keys. I also 
added the interface "XDHKey", which serves the same purpose as "ECKey".
2) The representation of public keys was changed from byte[] to a 
BigInteger which holds the u coordinate of the point. Private keys are 
still represented using byte[] due to complications related to pruning, 
and also because BigInteger doesn't provide a branch-free way to get the 
key into another representation (which is necessary for 
side-channel-resilient implementations).

The proposed API still lacks a standard way to specify arbitrary domain 
parameters, but I believe the API design could be extended to support 
this feature. I would prefer to add this API as a separate enhancement 
in the future, preferably in cooperation with someone who is developing 
a provider that supports this feature.
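
The two representations described above, as an added example that is not part of this post, the JEP, or the OpenJDK sources: it uses the API as it later shipped in JDK 11 (the interface called "XDHKey" here shipped as XECKey, with XECPublicKeySpec, XECPrivateKeySpec and NamedParameterSpec as the spec classes; HexFormat needs Java 17). It runs the X25519 test vector from RFC 7748 section 6.1 and shows why pruning makes byte[] the natural private-key type.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.spec.NamedParameterSpec;
import java.security.spec.XECPrivateKeySpec;
import java.security.spec.XECPublicKeySpec;
import java.util.HexFormat;
import javax.crypto.KeyAgreement;

public class X25519Demo {
    // RFC 7748 section 6.1 test vector, little-endian hex exactly as the RFC prints it.
    static final String ALICE_SCALAR = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a";
    static final String BOB_U        = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f";
    static final String SHARED       = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742";

    // RFC 7748 encodes u little-endian; the JCA spec takes a BigInteger, so reverse the bytes.
    static BigInteger uFromLittleEndian(byte[] le) {
        byte[] be = new byte[le.length];
        for (int i = 0; i < le.length; i++) be[i] = le[le.length - 1 - i];
        return new BigInteger(1, be);
    }

    // Private scalar stays a byte[] (the provider prunes it per RFC 7748); public key is u.
    static byte[] agree(byte[] scalar, BigInteger peerU) throws GeneralSecurityException {
        KeyFactory kf = KeyFactory.getInstance("XDH");
        PrivateKey priv = kf.generatePrivate(new XECPrivateKeySpec(NamedParameterSpec.X25519, scalar));
        PublicKey peer = kf.generatePublic(new XECPublicKeySpec(NamedParameterSpec.X25519, peerU));
        KeyAgreement ka = KeyAgreement.getInstance("X25519");
        ka.init(priv);
        ka.doPhase(peer, true);
        return ka.generateSecret();   // 32-byte little-endian u, as in RFC 7748
    }

    public static void main(String[] args) throws GeneralSecurityException {
        HexFormat hex = HexFormat.of();
        byte[] scalar = hex.parseHex(ALICE_SCALAR);
        BigInteger bobU = uFromLittleEndian(hex.parseHex(BOB_U));
        String secret = hex.formatHex(agree(scalar, bobU));
        System.out.println(secret.equals(SHARED) ? "RFC 7748 vector matches" : "MISMATCH: " + secret);

        // Pruning: bit 0 of the first byte is cleared before the scalar multiplication, so a
        // scalar that differs only there yields the same secret. A BigInteger would hide this.
        byte[] variant = scalar.clone();
        variant[0] ^= 0x01;
        System.out.println("pruned-bit variant agrees: " + hex.formatHex(agree(variant, bobU)).equals(SHARED));
    }
}
```

On a freshly generated pair, XECPublicKey.getU() returns the BigInteger u coordinate and XECPrivateKey.getScalar() the Optional<byte[]> scalar, matching the split described in the post.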

