Re: [Cfrg] On the use of Montgomery form curves for key agreement

Tanja Lange <> Wed, 03 September 2014 05:27 UTC

Date: Wed, 03 Sep 2014 07:27:04 +0200
From: Tanja Lange <>
To: Brian LaMacchia <>
Subject: Re: [Cfrg] On the use of Montgomery form curves for key agreement

Dear Brian,
> Regarding the specific issue you raised concerning Microsoft’s TLS implementation, as you will recall Tanja first mentioned this issue to me during dinner i
I actually made this statement in public in the Q&A after my talk
when David McGrew asked about the ephemeral key case.

> As for your suggestion regarding a blanket prohibition on reuse of any ephemeral cryptographic keys across all IETF protocols, given the current environment that does indeed seem like a good idea to me.  I guess what we’d really want to do is have CFRG issue a BCP on this point, if that’s something the IRTF is allowed to do (I don’t know the answer to that process question).  Perhaps CFRG can take that issue up once the curve selection process has concluded.
What exactly do you think the security implications of key reuse are?
Defining ephemeral in a time-based manner is quite normal; the important
thing to guarantee PFS is to delete the key afterwards, not whether it is
used for 1 connection or 10 seconds (with potentially 0 connections).

All the best
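To make the time-based notion of "ephemeral" concrete, here is an added example (not code from the thread or from any TLS implementation): a key store that reuses one Diffie-Hellman key pair for every handshake inside a fixed lifetime and then overwrites it, so forward secrecy for a session depends on the deletion, not on the number of connections served. The group parameters and the store itself are constructed for illustration.

```python
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: 2**127 - 1 is
# prime, but it is not a safe prime and not a parameter set anyone deploys.
P = 2**127 - 1
G = 3

class EphemeralKeyStore:
    """One DH key pair reused for every handshake within `lifetime` seconds,
    then overwritten. Forward secrecy for a session begins when the key that
    served it is gone, not when the connection closes."""

    def __init__(self, lifetime):
        self.lifetime = lifetime
        self.priv = self.pub = self.created = None
        self.generations = 0  # number of distinct key pairs ever generated

    def _rotate(self, now):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.created = now
        self.generations += 1

    def public_key(self, now):
        """Current public key, generating a fresh pair if the old one expired."""
        if self.priv is None or now - self.created >= self.lifetime:
            self._rotate(now)
        return self.pub

    def shared_secret(self, peer_pub, now):
        """DH shared secret using whichever key pair is valid at `now`."""
        self.public_key(now)
        return pow(peer_pub, self.priv, P)

    def destroy(self):
        """Discard the private key; past secrets can no longer be recomputed."""
        self.priv = self.pub = self.created = None

def demo(lifetime=10):
    """Show reuse inside the window and rotation after it (times in seconds)."""
    server = EphemeralKeyStore(lifetime)
    client_priv = secrets.randbelow(P - 2) + 1
    client_pub = pow(G, client_priv, P)
    pub_t0 = server.public_key(now=0)
    pub_t5 = server.public_key(now=5)    # same key: reused, still ephemeral
    secret_t5 = server.shared_secret(client_pub, now=5)
    pub_t12 = server.public_key(now=12)  # window passed: new key, old one gone
    return (pub_t0 == pub_t5, pow(pub_t5, client_priv, P) == secret_t5,
            pub_t12 != pub_t0, server.generations)
```

A real implementation would also keep the previous key briefly to finish handshakes that started just before rotation, and would zero the key material in memory rather than merely dropping the reference.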