Two days ago, BCT user Jesse James, also known as DoctorEvil, finished his review of the implementation of Curve25519 in Nxt.

Jesse James may be known to some, as he has already uncovered a security flaw in Nxt and reported it instead of taking advantage of it.

Here is the summary of his review, again with the relevant links from Jesse James:

“I spent some quality time reviewing the core crypto NXT relies on. As part of my review I re-implemented the relevant algorithms https://gist.github.com/doctorevil/9521126 using a different approach in a different language to make sure I understood everything deeply. Although the implementation NXT uses doesn’t follow certain algorithm specifications to the letter, the deviations noted (motivated by simplicity and/or performance) seemed reasonable and in general nothing stuck out as a red flag. There was one bug in the signature generation function (that NXT is aware of and currently working around) for which I’ve provided a patch (or more precisely tweaked BloodyRookie’s proposed patch). It should be should be safe for devs to incorporate this patch at their convenience.

Review: https://gist.github.com/doctorevil/9521116

Code: https://gist.github.com/doctorevil/9521126 “

I have had difficulty making this post, as describing the importance is outside my competence, so I decided to ask one of our resident technical people, chanc3r, who is also a member of the Nxt Infrastructure Committee to explain it to me.

Here is what he mailed back to me:

Like many other crypto’s SHA-256 of a ‘brain wallet passphrase’ are used to generate the private key for a given account..

In the case of NXT, Curve25519+EC-KDSA as originally designed by Daniel Bernstein is additionally used by NXT to generate the public key for the account.

The original implementation of Curve25519 in x86 assembler has been lost and NXT originally used a port from C to Java to implement the Curve25519 encryption, the accuracy of the C-port was unknown due to th missing assembler sources.

It has been a source of concern that there is no direct link between the original Curve25519 specification paper and the Java implementation used within NXT.

Therefore the NXT community commissioned an audit of the current implementation against the original specification written by Dr Bernstein.

The results of this audit by Jesse James are now available, a summary of this is shown below and the full audit report can be found here https://gist.github.com/doctorevil/9521116

1. The choice of NXT developers of this cryptographic scheme is suitable for this purpose.

2. The implementation has a number of valid deviations/improvements from the original Curve25519 specification

3. NXT is immune as a result of this implementation to signature malleability.

4. The audit included a new Curve25519 implementation in Python from the original papers, this implementation and the NXT Java implementation agree exactly on key output when tested verifying the accuracy of the NXT Curve25519 implementation.

In summary the implementation of Curve25519 is an accurate translation of the specification of its designer Dr Daniel Bernstein and is a suitable choice for the use-cases that NXT requires.