Re: [Cfrg] [TLS] Curve25519 in TLS and Additional Curves in TLS

Andrey Jivsov <> Fri, 24 January 2014 20:07 UTC

Date: Fri, 24 Jan 2014 12:01:38 -0800
From: Andrey Jivsov <>
To: Michael Hamburg <>
Subject: Re: [Cfrg] [TLS] Curve25519 in TLS and Additional Curves in TLS

On 01/24/2014 10:44 AM, Michael Hamburg wrote:
> On Jan 23, 2014, at 10:31 PM, Andrey Jivsov <> wrote:
>> On 01/23/2014 06:08 PM, Michael Hamburg wrote:
>>> On Jan 23, 2014, at 4:59 PM, Andrey Jivsov <> wrote:
>>>> Wouldn't there be another method?
>>>> Traditionally the problem was solved by carrying 1 bit and then finding a place to fit it in and defining what it means, etc. There is another way. One can adjust the private key to make the coordinate that we drop, x in this case, be the smallest of the two possibilities.
>>>> The nice feature of my proposal is that you can still also encode the bit if you wish so, as you proposed.
>>> This is interesting, but I think it works better with the Edwards x-coordinate instead of the Montgomery y-coordinate.  That is, it applies well to Watson’s (Montgomery x, Edwards x) representation.  This is because not every point you might want to transmit is a public key; it might be the product of something which does not support an easy negation, such as PAKE.  In this case, with your proposal, implementers have to send the sign bit, and we have two wire formats again.  But if the Edwards x-coordinate is used, you can also fast-adjust by adding the point of order 2, which maps EdX to -EdX.  (It maps EdY to -EdY and MontX to 1/MontX.)  If the protocol wipes out the cofactor (almost every protocol does for security reasons), then this is more likely to be acceptable than negating the point.
>>> Then again, any discussion like this is fraught with issues about alternative encodings for non-wire formats, implementation compatibility, uniqueness, covert channels, etc.  Might take some hashing out.
>>> Cheers,
>>> — Mike
>> It seems to me that it will be possible to find an option to tweak the private scalar in more complex protocols, while making this an internal adjustment.
>> For example, in
>> the PE is never sent out, so its generation doesn't change.
>> The Element is a point, which is very similar to a public key for our purpose. The Element is sent to the other peer and it needs to be "compliant". The element is generated from a random mask and PE; thus the mask can be adjusted appropriately so that the Element is "compliant" (then the 'scalar' is calculated with the appropriately adjusted mask).
> Dragonfly, SPEKE and ECDH don’t use addition, and don’t need y-coordinates at all.  They could use a Montgomery ladder and never compute or transmit those coordinates.
> Some systems, such as signatures, use addition but don’t send the results out on the wire.  Your technique works well for those.  You still need a point encoding before hashing, but compression has no value there anyway.
> But I can’t think of an obvious way to extend your approach to a protocol like SPAKE2 which requires sending a point out after addition.
I looked at this description of SPAKE2

I will use the additive notation. Assuming M=m*G, the SPAKE2 client sends the point (x+h(pass)m) G

It must be a compliant point. Let's say that the client must adjust (1) to (2)

    (x+h(pass)m)  (1)
    Ord - x - h(pass)m   (2)

Doing just that will not work because the server will be subtracting (in effect) h(pass)m and the server will not arrive at either x or Ord-x.

Here is what the client does instead.

The client adjusts the randomly generated x as

    x' = Ord - x - 2h(pass)m

and assumes x' and x'*G as the ephemeral keypair (corresponding to the g^x in the above email reference)

Now, with that private x' plugged into the equation (1), (1) is exactly (2), which we said is a compliant point. Then the value in (2) times G is sent out.

Performance-wise, the delta = Ord - 2h(pass)m by which the x may need to be adjusted is fixed for the user (provided that the M is fixed).

Hopefully, I can always get away with this technique, as long as a peer generates a random private-key-like scalar that I can adjust (by Ord in trivial cases, but potentially by other quantities as in SPAKE2).

This should work for your suggestions to use the Elligator map, assuming that I get the corresponding scalar.

I will need access to the private m for M=mG. I assumed it is sort of a user static public key.

The server side adjustments are similar.
> — Mike
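The SPAKE2 adjustment described in the mail above, worked through as an added example (not code from this thread): a toy run over a small textbook curve, assuming the secret logs m and s behind M and N are available, as the mail requires, and reading "compliant" as the canonical y coordinate (on a short-Weierstrass curve negation flips y, so it plays the role of the dropped coordinate's sign).

```python
# Added toy SPAKE2 run using the mail's scalar adjustment; curve, G, m, s and all scalars are constructed.
P, A, B, INF = 17, 2, 2, None     # y^2 = x^3 + A*x + B over F_P; INF = identity
def add(p1, p2):
    """Affine point addition on the toy short-Weierstrass curve."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return INF          # p2 == -p1
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

neg = lambda pt: INF if pt is INF else (pt[0], (-pt[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k > 0:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def order(pt):
    """Order of pt by brute force (fine for a toy curve); the mail's Ord."""
    n, acc = 1, pt
    while acc is not INF: acc, n = add(acc, pt), n + 1
    return n

G = (5, 1)                        # on the curve: 1 == 125 + 10 + 2 (mod 17)
ORD = order(G)                    # 19 here, so every scalar lives mod 19
def compliant(pt):
    """Point whose y is the smaller of y and P - y: no sign bit needed, since -pt = (x, P - y)."""
    return pt is INF or pt[1] <= P - pt[1]

def adjust(x, w, m):
    """Mail's fix: if (x + h(pass)*m)G is not compliant, use x' = Ord - x - 2*h(pass)*m,
    so that (x' + h(pass)*m)G = -(x + h(pass)*m)G, which is compliant."""
    if compliant(mul((x + w * m) % ORD, G)): return x % ORD
    return (ORD - x - 2 * w * m) % ORD

def spake2_toy(x, y, m, s, w):
    """One run with ephemeral x, y; w = h(pass); m, s = logs of M, N (assumed known)."""
    M, N = mul(m, G), mul(s, G)
    x, y = adjust(x, w, m), adjust(y, w, s)       # the server-side fix "is similar"
    T = mul((x + w * m) % ORD, G)                 # client -> server, always compliant
    S = mul((y + w * s) % ORD, G)                 # server -> client
    k_client = mul(x, add(S, neg(mul(w, N))))     # x * (S - wN) = x*y*G
    k_server = mul(y, add(T, neg(mul(w, M))))     # y * (T - wM) = x*y*G
    return T, S, k_client, k_server
```

Both peers still agree on x*y*G because the adjusted x' is used consistently as the ephemeral key, while the point on the wire is the negation of the one the unadjusted x would have produced.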