Re: [Cfrg] Montgomery yet again (was Re: Adoption of draft-agl-cfrgcurve-00 as a RG document)

Paul Lambert <> Fri, 09 January 2015 18:25 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 5875A1A8860 for <>; Fri, 9 Jan 2015 10:25:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.267
X-Spam-Status: No, score=-2.267 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yr0lFu3itF3n for <>; Fri, 9 Jan 2015 10:25:55 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4321A1A882E for <>; Fri, 9 Jan 2015 10:25:55 -0800 (PST)
Received: from pps.filterd ( []) by (8.14.5/8.14.5) with SMTP id t09IPl1V015969; Fri, 9 Jan 2015 10:25:53 -0800
Received: from ([]) by with ESMTP id 1rs21r125w-3 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 09 Jan 2015 10:25:52 -0800
Received: from ([]) by ([::1]) with mapi; Fri, 9 Jan 2015 10:24:36 -0800
From: Paul Lambert <>
To: Watson Ladd <>, Joppe Bos <>
Date: Fri, 09 Jan 2015 10:24:34 -0800
Thread-Topic: [Cfrg] Montgomery yet again (was Re: Adoption of draft-agl-cfrgcurve-00 as a RG document)
Thread-Index: AdAsOYUdzjLQK4SXTCqrcrCQu1lMrg==
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
acceptlanguage: en-US
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.13.68, 1.0.33, 0.0.0000 definitions=2015-01-09_07:2015-01-09,2015-01-09,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1501090157
Archived-At: <>
Cc: "" <>
Subject: Re: [Cfrg] Montgomery yet again (was Re: Adoption of draft-agl-cfrgcurve-00 as a RG document)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 09 Jan 2015 18:25:58 -0000

On 1/9/15, 7:37 AM, "Watson Ladd" <> wrote:

>(Replace this email with the discussions had in May on teleconference,
>and over this summer as shown in "Progress on curve recommendations
>for TLS WG", 
>and the ensuing discussion. The last note is from
> If
>you've read these, you don't need to read this email )
>On Fri, Jan 9, 2015 at 8:59 AM, Joppe Bos <> wrote:
>> Hi all,
>> The current version of the draft contains methods for parameter
>> (section 6) and a single recommended curve (section 7).
>> IMO the natural approach would be to first agree upon a parameter
>> procedure (one draft) and subsequently, when a large portion of the
>> community agrees that this selection procedure is sound, use this
>> to select new curves (another draft). Currently, we are changing the
>> selection procedure to match an existing curve. If we want curve25519
>> because it is fast and widely deployed then we should state this
>>clearly and
>> refrain from modifying the selection procedures because this might have
>> negative impact on the potential selection of curves in the future.
>How does the existence of a selection procedure that gives Curve25519
>and particular choice of an isogeny equal "changing the selection
>procedure to match an existing curve?" In fact, there are good reasons
>to favor the particular twist security criteria and use the given
>isogeny in any case.
>> Please find below some comments on the current version of the draft.
>> Section 7:
>> - The specification of the parameters is done either in formula form
>>(p), in
>> decimal (d) or a formula + hexadecimal (order). Maybe use the same
>> (e.g. either decimal or hexadecimal) everywhere to avoid confusion?
>> - For completeness it might be good to give the corresponding (short)
>> Weierstrass form of the curve(s).
>Not sure why we want forms that won't be used. I agree we should
>explain the isogeny in more detail.
>> Section 8-10:
>> These sections are curve25519 specific, this should be stated much
>> Section 8:
>> As far as my understanding goes there was no consensus on the wire
>>format of
>> field elements.
>> This section states that "when transmitting field elements in the
>> Diffie-Hellman protocol below, they MUST be encoded as an array of
>>bytes, x,
>> in little-endian order". Maybe some notation got confused here, what is
>> x-coordinate? The only x defined are on the Edwards curve while I think
>> the Montgomery curve is meant (the u-coordinate from section 7). This
>> be fixed or stated clearer to avoid confusion.
>Good catch!
>> Section 9:
>> - It is not entirely clear to me why such low-level details are
>>provided in
>> this draft. Is it expected from the CFRG to deliver implementation
>> for algorithms or just a specification of curves plus related info
>>(such as
>> wire formats)? If we want to provide such low-level details then why not
>> also state how to implement the field arithmetic?
>Paul Lambert argued that we need implementation details, and I think he's

Thanks - yes.  Section 9 is my favorite section :-)  I amy be an
extremist, but the closer algorithms are to real code the better Š with
and emphasis on readable code over optimizations.

The CFRG should not fall into the trap of just defining the parameters
associated with a curve.  We are clearly now very focused on algorithms
using the curve parameters that have specific security properties.

As a systems designer, if we consider the object model, the methods
associated with the data are of critical importance.  The details of the
methods now must go beyond just interoperability, they must include the
detailed steps to describe both optimizations and the demonstration of
constant time performance.

One of the failing now with the NIST curves is their lack of well
documented constant time implementations.  Yes - I know technical papers
abound that describes approaches.  What¹s published now as a Œcookbook
type¹ algorithm is:
There¹s also:


>Field arithmetic is going to look different on 32 and 64 bit
>platforms, and on some architectures might be very strange. Maybe it's
>worth it: I don't have strong feelings one way or the other. I do
>agree that side-channel free algorithms may be worth presenting,
>particularly as the textbook algorithms are not.
>> - Why is only the approach based on the Montgomery ladder stated in this
>> section? There is nothing wrong with the Montgomery ladder but it is
>>not the
>> best solution for all reasonable definitions of best. The implementer
>> the choice, as stated before on this list, to compute DH on (for
>> the corresponding Edwards or Weierstrass curve. Currently it looks as
>>if the
>> CFRG recommends to use the Montgomery ladder for all scenarios;
>> we know is suboptimal in terms of performance for higher security
>> Moreover, imagine the scenarios where people use (twisted) Edwards
>> for signatures. Then implementing DH using the Montgomery ladder implies
>> managing code for both the Montgomery and the twisted Edwards curve and,
>> following the reasoning expressed by some people on this list, a larger
>> base implies more room for errors which implies a less secure approach.
>> - This ladder implementation defines the usage of cswap ("due to the
>> existence of side-channels in commodity hardware"). Although this adds
>> protection this algorithm is not secure in many realistic threat models
>> (e.g. in hardware security). To me, it looks quite arbitrary to just
>> against one type of attack and not against a whole range of other
>> side-channel attacks. The threat model should depend on where the
>> implementation will be used and therefore it is up to the implementer to
>> make the appropriate design decisions and introduce the adequate
>> countermeasures.
>While the hardware threat model is "realistic", I don't see why we
>should ignore settings in which cache-based and timing-based attacks
>are of concern and DPA isn't, and I don't see why we should remove
>information about protections that are adequate to this setting,
>because they aren't for all settings. The setting this algorithm is
>designed for is rather common. Implementors are free to ignore it if
>they have the understanding and need for a more appropriate algorithm
>for their setting.
>Right now many implementations are not side channel secure at all. We
>keep hearing about the implementor having to do this and that and the
>other thing, and it's all their fault when it doesn't work. Well, has
>anyone bothered to check if the implementor can do the job? I have,
>and the results are pretty ugly. We should err on the side of
>providing more assistance and guidance rather than chuck the plans
>over the wall, and come back to investigate the damage. There are real
>risks with using twisted Edwards form for DH that don't exist for
>ECDSA style signatures, or signatures that send r and s instead of R
>and s in Schnorr.
>As for complexity, we are discussing whether or not an additional 20
>lines of code (if that!) will make maintenance more difficult.
>Certainly, more test vectors and the like will need to be added, but
>that's true anyway for signatures and DH. I'm surprised that this
>argument is getting made: OpenSSH has adopted Curve25519 and Ed25519,
>without worrying about the increased code size. Likewise, implementors
>of TLS libraries haven't raised this as a major concern. It's true
>that x-coordinate only DH isn't compatible with some protocols like
>HMQV, but these are rather uncommon.
>Watson Ladd
>> Best regards,
>> Joppe
>> -----Original Message-----
>> From: Cfrg [] On Behalf Of Alexey Melnikov
>> Sent: Monday, January 05, 2015 8:15 PM
>> To:
>> Subject: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as a RG document
>> This message starts 2 weeks adoption call (ending on January 19th 2015)
>> as the starting point for the CFRG document which describes an
>>algorithm for
>> safe curve parameter generation for a particular security level and also
>> recommends a specific curve (2^255-19) for the 128-bit security level.
>> Please reply to this message or directly to CFRG chairs, stating
>>whether you
>> support (or not) adoption of this document. If you do not support
>> of this document, please state whether you support adoption of any
>> alternative document or whether you want a particular change be made to
>> document before adoption.
>> Chairs ask not to reiterate previously expressed technical opinions or
>> arguments. But clarifying questions on the adoption call are welcome.
>> While making your decision, please keep in mind
>> Alexey,
>> On behalf of CFRG chairs.
>> P.S. Editors of draft-black-rpgecc-01 and
>> draft-turner-thecurve25519function-01 can become co-editors of the
>> document, if they choose to do so. Email chairs directly if you are
>> or not willing to do so.
>> _______________________________________________
>> Cfrg mailing list
>> _______________________________________________
>> Cfrg mailing list
>"Those who would give up Essential Liberty to purchase a little
>Temporary Safety deserve neither  Liberty nor Safety."
>-- Benjamin Franklin
>Cfrg mailing list