Re: [Cfrg] Curve25519 specification, test vectors, etc.

CodesInChaos <codesinchaos@gmail.com> Mon, 03 March 2014 11:04 UTC

In-Reply-To: <53144BEF.7090407@cisco.com>
References: <20140303075807.19923.qmail@cr.yp.to> <53144BEF.7090407@cisco.com>
Date: Mon, 03 Mar 2014 12:04:51 +0100
Message-ID: <CAK9dnSxqC4dqNi6ghBx6PcVTVj+XR-PF05cCZMyggf5krjZfWg@mail.gmail.com>
From: CodesInChaos <codesinchaos@gmail.com>
To: David McGrew <mcgrew@cisco.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/YdRsIZivNkyRIuaaAgtm9hLxZJU
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "D. J. Bernstein" <djb@cr.yp.to>
Subject: Re: [Cfrg] Curve25519 specification, test vectors, etc.

Two potential pitfalls for a Curve25519 implementation:

* Parsing non-standard public keys where the most significant bit is set.

  The Curve25519 spec requires parsing the input as a 256-bit integer
  which is then reduced mod p.
  Some implementations parse it as a 255-bit integer, ignoring the last
  bit (similar to the way Ed25519 parses its public keys).

  Older versions of Curve25519-donna and LibSodium had this flaw. See
https://github.com/jedisct1/libsodium/issues/78 for details.

  I suggest adding a test vector for the public key with all bits set.

* The shared secret gets hashed with (H)Salsa20.

  The hashing differs between the original Curve25519 paper and NaCl.
  The Curve25519 paper specifies a hash based on Salsa20 with custom constants.
  The NaCl paper specifies HSalsa20 (i.e. without xor-ing the input)
  with standard constants and an all-zero nonce.

  I have only seen the NaCl variant in practice.
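
Added example (editor's code, not from the message above and not the code of NaCl, libsodium or curve25519-donna) that walks both bullets in working Python: a minimal X25519 (RFC 7748 ladder with the paper's scalar clamping), two public-key decoders named here decode_u_256 and decode_u_255 to stand for the two behaviours the message contrasts, and the NaCl-style derivation HSalsa20(shared secret, all-zero nonce, standard sigma) that the second bullet describes. The Alice/Bob vectors are the published ones from the NaCl paper (also RFC 7748 section 6.1); the all-ones public key is the test vector the message proposes. Running the all-ones key through both decoders gives two different outputs, because 2^256 - 1 reduces to 37 mod p while masking bit 255 leaves 2^255 - 1, which reduces to 18; any key with bit 255 clear decodes identically either way. One caveat for today's reader: RFC 7748, published after this thread, requires X25519 implementations to mask the most significant bit, i.e. the 255-bit reading.

```python
# Added example: pure-Python X25519 + HSalsa20 illustrating the two pitfalls in the
# message above. Not code from the message, NaCl, libsodium or curve25519-donna;
# decode_u_256 / decode_u_255 are names chosen here for the two parsing behaviours.

P = 2**255 - 19
A24 = 121665                     # (486662 - 2) / 4, the Montgomery-ladder constant
MASK32 = 0xFFFFFFFF
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)   # "expand 32-byte k"

# Published vectors (NaCl paper; also RFC 7748 section 6.1), not constructed here.
ALICE_SK = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PK = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PK = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
ALL_ONES = b"\xff" * 32          # the test vector the message proposes (constructed input)


def clamp(sk: bytes) -> int:
    """Curve25519 scalar clamping: clear the low 3 bits, clear bit 255, set bit 254."""
    k = bytearray(sk)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u_256(pk: bytes) -> int:
    """Read all 256 bits and reduce mod p: the reading of the paper given in the message."""
    return int.from_bytes(pk, "little") % P


def decode_u_255(pk: bytes) -> int:
    """Ignore bit 255: the behaviour the message reports in older donna/libsodium
    (and the behaviour RFC 7748 later made mandatory for X25519)."""
    return int.from_bytes(pk, "little") & ((1 << 255) - 1)


def _cswap(swap: int, a: int, b: int):
    d = (-swap) & (a ^ b)            # swap is 0 or 1: -1 & x == x, 0 & x == 0
    return a ^ d, b ^ d


def ladder(k: int, u: int) -> int:
    """Montgomery ladder on u-coordinates, RFC 7748 formulation. x1 is reduced mod p,
    so a u >= p behaves exactly like u mod p."""
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P


def x25519(sk: bytes, u: int) -> bytes:
    return ladder(clamp(sk), u).to_bytes(32, "little")


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def quarterround(y0, y1, y2, y3):
    z1 = y1 ^ _rotl((y0 + y3) & MASK32, 7)
    z2 = y2 ^ _rotl((z1 + y0) & MASK32, 9)
    z3 = y3 ^ _rotl((z2 + z1) & MASK32, 13)
    z0 = y0 ^ _rotl((z3 + z2) & MASK32, 18)
    return z0, z1, z2, z3


# One Salsa20 double round: the four column quarterrounds, then the four row ones.
_DOUBLE_ROUND = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                 (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))


def hsalsa20(key: bytes, nonce: bytes = bytes(16)) -> bytes:
    """HSalsa20: 20 Salsa20 rounds over (sigma, key, nonce), then output the words at
    the constant and nonce positions. No feed-forward of the input, unlike Salsa20."""
    k = [int.from_bytes(key[i:i + 4], "little") for i in range(0, 32, 4)]
    n = [int.from_bytes(nonce[i:i + 4], "little") for i in range(0, 16, 4)]
    x = [SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1],
         n[2], n[3], SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]
    for _ in range(10):
        for i0, i1, i2, i3 in _DOUBLE_ROUND:
            x[i0], x[i1], x[i2], x[i3] = quarterround(x[i0], x[i1], x[i2], x[i3])
    return b"".join(x[i].to_bytes(4, "little") for i in (0, 5, 10, 15, 6, 7, 8, 9))


def box_beforenm(pk: bytes, sk: bytes, decode=decode_u_256) -> bytes:
    """NaCl-style crypto_box_beforenm: X25519, then HSalsa20 with an all-zero nonce.
    The decoder is a parameter so both parsing behaviours can be compared."""
    return hsalsa20(x25519(sk, decode(pk)))


if __name__ == "__main__":
    print("shared secret       ", x25519(ALICE_SK, decode_u_256(BOB_PK)).hex())
    print("box key (HSalsa20)  ", box_beforenm(BOB_PK, ALICE_SK).hex())
    print("all-ones, 256-bit   ", box_beforenm(ALL_ONES, ALICE_SK, decode_u_256).hex())
    print("all-ones, 255-bit   ", box_beforenm(ALL_ONES, ALICE_SK, decode_u_255).hex())
```

The ladder reduces its input mod p before use, which is why "parse as 256-bit and reduce" and "mask the top bit" agree on every key with bit 255 clear and disagree only when it is set; a conformance suite that contains no such key will never notice which of the two an implementation does, which is the point of the all-ones test vector.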