Re: [Cfrg] Efficient side channel resistance for X25519..

Dan Brown <> Sun, 10 November 2019 14:56 UTC

List-Id: Crypto Forum Research Group

Recovering y at end of Montgomery ladder is something I heard about from Scott Vanstone, so it is likely published.

Tried to work it out: no square roots needed, but possibly a field inversion is.  Got a mess, which probably simplifies, especially in projective coords.

Can look later this week.

From: Phillip Hallam-Baker <>
Sent: Nov 9, 2019 5:24 PM
To: "Riad S. Wahby" <>; Mike Hamburg <>
Subject: Re: [Cfrg] Efficient side channel resistance for X25519..

cc'd Mike himself in the hope he might take pity on us here... :-)

Seems to me that this should be possible. But the argument is a little more abbreviated than I can follow.

" This means that it is enough to compute ±1/√(a·u0·u1·u2). This will allow us to determine a·v0/u0 to adjust the sign of the square root. It will allow us to check whether a·v2/u2 is negative, in which case we should output 1/√(a·u2) instead of √(u2/a). Furthermore, the input point s0 is √(u0/a), and the modified Montgomery ladder state contains either √(a·u1) or √(a·u2), depending on the last bit of the ladder. This allows us to compute √(u2/a) or its inverse from the ladder state and 1/√(a·u0·u1·u2) with no additional field exponents. In the actual computation, u1 and u2 are given in projective form, but this does not greatly complicate matters because the equations are nearly homogeneous."

My implementation of the ladder already has these values...

                // Ladder step as in RFC 7748: A = x_2 + z_2, B = x_2 - z_2,
                // C = x_3 + z_3, D = x_3 - z_3, DA = D * A, CB = C * B.
                var x_3rt = (DA + CB);                  // DA + CB, kept before squaring
                x_3 = (x_3rt * x_3rt).Mod(P);           // x_3 = (DA + CB)^2 mod p

                var z_3rt = (DA - CB);                  // DA - CB, kept before squaring
                z_3 = (x_1 * (z_3rt * z_3rt)).Mod(P);   // z_3 = x_1 * (DA - CB)^2 mod p

The paper suggests that the sign of the y point is somehow encoded there... but how?

On Sat, Nov 9, 2019 at 2:07 PM Riad S. Wahby <> wrote:
Phillip Hallam-Baker <> wrote:
> I can make the code work but I am not a number theorist so if anyone could
> help, I would appreciate it.

This is more like a vague memory than a clear answer (sorry):

In Mike Hamburg's Decaf paper (<>), Appx. B
describes a method of recovering the y-coordinate while avoiding
an extra square-root computation, essentially by remembering some
intermediate values during the ladder computation.

I haven't thought at all about whether a similar trick can be used
in the non-Decaf context, but it might be worth taking a look.

(As a general comment---and from your email, it appears we're in
agreement---masking via randomization is good, but probably it's
best to think of it as insurance: a masked implementation that's
non-constant-time is toast in the face of randomness failures.)
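The y-recovery Dan Brown describes (no square roots, one field inversion, done in projective coordinates) is the Okeya-Sakurai relation from CHES 2001, and it also bears on the sign question above: a u-only ladder fixes [k]P only up to the sign of v, so the recovery needs the affine input point (u, v), whose v for the fixed base point is a one-time constant. The following is an added example, not code from this thread or from any of the posters: an RFC 7748-style ladder on Curve25519 (B = 1, A = 486662, p = 2^255 - 19) that keeps both ladder registers, followed by a projective Okeya-Sakurai step that returns the affine (x, y) of [k]P from a single inversion. The base point's v is obtained once with a square root for p = 5 (mod 8); the textbook affine group law is included only as a reference to check the recovered point against. Scalar, function names and the small-scalar checks are this example's own choices, and the Python conditional swap only mirrors the shape of a constant-time implementation.

```python
# Added example, not from the thread: recover v of [k]P after an X25519-style
# Montgomery ladder using the Okeya-Sakurai relation (CHES 2001).
# Curve25519: B*v^2 = u^3 + A*u^2 + u over GF(2^255 - 19).
P = 2**255 - 19
A = 486662
B = 1
A24 = (A - 2) // 4  # 121665, the constant used by the RFC 7748 ladder


def inv(x):
    """Field inversion by Fermat; exponentiation keeps it branch-free."""
    return pow(x % P, P - 2, P)


def sqrt_mod_p(n):
    """Square root for p = 5 (mod 8); needed once, for the base point's v."""
    n %= P
    r = pow(n, (P + 3) // 8, P)
    if r * r % P != n:
        r = r * pow(2, (P - 1) // 4, P) % P  # multiply by sqrt(-1)
    if r * r % P != n:
        raise ValueError("not a square")
    return r


def cswap(swap, a, b):
    """Arithmetic conditional swap as in RFC 7748 (structure only: Python ints
    are not constant-time)."""
    mask = (0 - swap) & ((1 << 255) - 1)
    d = mask & (a ^ b)
    return a ^ d, b ^ d


def ladder(k, u):
    """RFC 7748 ladder on u only (no clamping, k < 2^255).
    Returns ((X1:Z1), (X2:Z2)) = ([k]P, [k+1]P) in projective form."""
    x_1 = u % P
    x_2, z_2 = 1, 0      # point at infinity
    x_3, z_3 = x_1, 1    # P
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x_2, x_3 = cswap(swap, x_2, x_3)
        z_2, z_3 = cswap(swap, z_2, z_3)
        swap = k_t
        a, b = (x_2 + z_2) % P, (x_2 - z_2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x_3 + z_3) % P, (x_3 - z_3) % P
        da, cb = d * a % P, c * b % P
        x_3 = (da + cb) ** 2 % P
        z_3 = x_1 * (da - cb) ** 2 % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = cswap(swap, x_2, x_3)
    z_2, z_3 = cswap(swap, z_2, z_3)
    return (x_2, z_2), (x_3, z_3)


def recover_xy(u, v, r0, r1):
    """Okeya-Sakurai y-recovery, homogenised so one inversion gives both affine
    coordinates of [k]P = r0.  (u, v) is the affine input point; r1 = [k+1]P."""
    X1, Z1 = r0
    X2, Z2 = r1
    t1 = (X1 * u + Z1) % P                  # Z1 * (x1*u + 1)
    t2 = (X1 + u * Z1 + 2 * A * Z1) % P     # Z1 * (x1 + u + 2A)
    num = ((t1 * t2 - 2 * A * Z1 * Z1) * Z2 - (X1 - u * Z1) ** 2 * X2) % P
    den = 2 * B * v * Z1 * Z1 % P * Z2 % P  # 2*B*v * Z1^2 * Z2
    if den == 0:
        raise ValueError("[k]P or [k+1]P is infinity, or v == 0: no recovery")
    den_inv = inv(den)
    y = num * den_inv % P
    x = X1 * (2 * B * v * Z1 * Z2) % P * den_inv % P  # X1/Z1 via the same inverse
    return x, y


def affine_add(p1, p2):
    """Reference affine group law on the Montgomery curve; None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) * inv(2 * B * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (B * lam * lam - A - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def affine_mul(k, pt):
    acc = None
    for t in range(k.bit_length() - 1, -1, -1):
        acc = affine_add(acc, acc)
        if (k >> t) & 1:
            acc = affine_add(acc, pt)
    return acc


def on_curve(x, y):
    return (B * y * y - (x ** 3 + A * x * x + x)) % P == 0


def demo(k=(1 << 254) + 0xC0FFEE, u=9):
    """Ladder, recover (x, y) of [k]P, and return it with the reference and v."""
    v = sqrt_mod_p(u ** 3 + A * u * u + u)   # base point v, computed once
    r0, r1 = ladder(k, u)
    return recover_xy(u, v, r0, r1), affine_mul(k, (u, v)), v


if __name__ == "__main__":
    got, ref, _ = demo()
    print("recovered == reference:", got == ref)
```

Feeding the same ladder output the negated input point (u, p - v) returns the negated result, which is the concrete form of the sign dependence: the square root is spent once on the base point, the per-scalar work is one inversion, and the ladder registers alone never fix the sign of y.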

