Re: [Cfrg] On the use of Montgomery form curves for key agreement

Andrey Jivsov <> Tue, 02 September 2014 21:58 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 7B5761A0724 for <>; Tue, 2 Sep 2014 14:58:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7eULIOMQK-W8 for <>; Tue, 2 Sep 2014 14:58:37 -0700 (PDT)
Received: from ( [IPv6:2001:558:fe2d:43:76:96:30:80]) by (Postfix) with ESMTP id 47AC31A071F for <>; Tue, 2 Sep 2014 14:58:37 -0700 (PDT)
Received: from ([]) by with comcast id mE1h1o0031u4NiLA8Myd3j; Tue, 02 Sep 2014 21:58:37 +0000
Received: from [IPv6:::1] ([]) by with comcast id mMyb1o00f4uhcbK8hMyc82; Tue, 02 Sep 2014 21:58:36 +0000
Message-ID: <>
Date: Tue, 02 Sep 2014 14:58:35 -0700
From: Andrey Jivsov <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0
MIME-Version: 1.0
To: Stephen Farrell <>,
References: <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=q20140121; t=1409695117; bh=OLBkD7sv3vXOlmHGaB1trC6EAvPpkiIBzyK3nWTN5ik=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=QZPpJTH8GkOqSrIZUrhujq6bhmRiyfKZMzrsPBqeTE1nSKkzltGbFsrc907dFes3I usBMR77/NA0EXf+qRYx1el/MVQLzLXmJRqKtGAoDY5+elnVu/DFnZB2cDuZrQwnSc9 vTztqzZeXZIG50NZU62YfEq65Jg4gM9UQD44ttOnLNLLnpKSw/a0aVOD1oE/F5pgvP GEs6XSpHrTHpfz7Ajz0GOaMq9B2ivARzdcULlpwC1ApnEFVw/76QapP63qkhvFqlvC ksaj7WP/wm1gsej6eLW4LmNhTjtuUGlQGvKJxDjY7gPwCj45Z5rFN51nLghymnA1HU jZ84II97hc6XA==
Subject: Re: [Cfrg] On the use of Montgomery form curves for key agreement
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Sep 2014 21:58:38 -0000

On 09/02/2014 02:47 PM, Stephen Farrell wrote:
> Hiya,
> On 02/09/14 22:37, Andrey Jivsov wrote:
>> 10% penalty in dual-key uses
> I'm not clear what you mean by this, in terms of what protocol
> it would affect.
> Can you give me an example of such an IETF protocol? Without
> having thought much about it, I think there are always different
> codepoints allocated for DH and signatures, and I doubt we'd
> want the same private values shared anyway, so I'm not sure
> if that's a real or a theoretical issue.
A few examples of dual-key use and a bit braader question of whether 
would want to add points as oppose to only do scalar multiplication.

Some TLS server side fixed-base optimization will benefit from point 

While OpenPGP RFC 4880 has a concept of a "bundle of keys" things are 
easier when the top key can have both encryption and signing capability. 
There are products that add X.509 certs to PGP keys.

Signing a certificate request for a DH key to prove key possession.

Protocols for applications with space-saving requirements : keys on URLs 
or e-mail aliases, pre-generate keys "for everybody" to represent 
identities. Keys that are handled by humans (e.g. typed in base32 
encoding), etc