Curve-renaming

[ineiti]

After discussion with @Daeinar , there seems to be a need to clean up the group/-directory (again). As this is a backward-incompatible change, I don't know how and when this change should go in. But we should discuss it...

The question came up with ByzGen about our use of Curve25519. This curve can be represented in two different ways:

• Twisted Edward Curve: https://tools.ietf.org/html/rfc8032
• Montgomery Curve: https://tools.ietf.org/html/rfc7748

The two representations are isogenic, which means that you can get from one representation to the other with a change of coordinates.

The two (three) curve25519 implementation in kyber are as follows:

• Ed25519 in group/ed25519 is either constant-time, or variable-time, Twisted Edwards Curve implementation
• Curve25519 in group/curve25519 is a variable-time, Twisted Edwards Curve implementation

As of 2019, it seems that a consensus is materializing, where Edwards25519 refers to the Twisted Edwards representation, while Curve25519 refers to the Montgomery representation.

Additionally, the nist package holds only the p256 curve.

This is why we propose to:

• Keep Ed25519 as is
• Change the name of Curve25519, or remove it, and keep only the additional curves in there
• Change the nist package to p256
• Add a Montgomery representation of Curve25519 to the repo and call this one Curve25519

[pierluca]

Following #528, it's my understanding that the renaming has happened and the only missing element is adding the Montgomery representation of Curve25519. I'll create a separate issue mentioning this one.