Re: [Cfrg] [TLS] Curve25519 in TLS and Additional Curves in TLS

Michael Hamburg <> Fri, 24 January 2014 18:45 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 179781A003B for <>; Fri, 24 Jan 2014 10:45:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.556
X-Spam-Level: *
X-Spam-Status: No, score=1.556 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MEH37o0ER9Y3 for <>; Fri, 24 Jan 2014 10:44:59 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 667261A0028 for <>; Fri, 24 Jan 2014 10:44:59 -0800 (PST)
Received: from [] ( []) by (Postfix) with ESMTPSA id C1E703AA04; Fri, 24 Jan 2014 10:42:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=sldo; t=1390588957; bh=3q7hrDjQiOXSAIJKCqgTkmp8mxzJJg3qTVo4JSqQbXw=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=KEa3qHhksp621fN2VDaHmDkvKGz+tPZBV0pPKNEsbJn9P27zRg1p0C1GEGqtTyuL/ 8ToRCMwxeU2/GpF3kAIkDCh1F7ecYJW9JW9j40WGvqW/JaqNtzyqrsVIzvBcgFZBM3 qDfpvblHohhByJqcHUYbBQ0HiXkK6c5bvW2lIzuM=
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Michael Hamburg <>
In-Reply-To: <>
Date: Fri, 24 Jan 2014 10:44:57 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <> <>
To: Andrey Jivsov <>
X-Mailer: Apple Mail (2.1827)
Subject: Re: [Cfrg] [TLS] Curve25519 in TLS and Additional Curves in TLS
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 24 Jan 2014 18:45:01 -0000

On Jan 23, 2014, at 10:31 PM, Andrey Jivsov <> wrote:

> On 01/23/2014 06:08 PM, Michael Hamburg wrote:
>> On Jan 23, 2014, at 4:59 PM, Andrey Jivsov <> wrote:
>>> Wouldn't be another method?
>>> Traditionally the problem was solved by carrying 1 bit and then finding a place to fit it in and defining what it means, etc. There is another way. One can adjust the private key to make the coordinate that we drop, x in this case, be the smallest of the two possibilities.
>>> The nice feature of my proposal is that you can still also encode the bit if you wish so, as you proposed.
>> This is interesting, but I think it works better with the Edwards x-coordinate instead of the Montgomery y-coordinate.  That is, it applies well to Watson’s (Montgomery x, Edwards x) representation.  This is because not every point you might want to transmit is a public key; it might be the product of something which does not support an easy negation, such as PAKE.  In this case, with your proposal, implementers have to send the sign bit, and we have two wire formats again.  But if the Edwards x-coordinate is used, you can also fast-adjust by adding the point of order 2, which maps EdX to -EdX.  (It maps EdY to -EdY and MontX to 1/MontX.)  If the protocol wipes out the cofactor (almost every protocol does for security reasons), then this is more likely to be acceptable than negating the point.
>> Then again, any discussion like this is fraught with issues about alternative encodings for non-wire formats, implementation compatibility, uniqueness, covert channels, etc.  Might take some hashing out.
>> Cheers,
>> — Mike
> It seems to me that it will be possible to find an option to tweak the private scalar in more complex protocols, while making this an internal adjustment.
> For example, in
> the PE is never sent out, so its generation doesn't change.
> The Element is a point, which is very similar to a public key for our purpose. The Element is sent to the other peer and it needs to be "compliant". The element is generated from a random mask and PE; thus the mask can be adjusted appropriately so that the Element is "compliant" (then the 'scalar' is calculated with the appropriately adjusted mask).

Dragonfly, SPEKE and ECDH don’t use addition, and don’t need y-coordinates at all.  They could use a Montgomery ladder and never compute or transmit those coordinates.

Some systems, such as signatures, use addition but don’t send the results out on the wire.  Your technique works well for those.  You still need a point encoding before hashing, but compression has no value there anyway.

But I can’t think of an obvious way to extend your approach to a protocol like SPAKE2 which requires sending a point out after addition.

— Mike