Re: [Cfrg] [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement

Peter Gutmann <> Mon, 13 January 2014 01:08 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id EC1D51ACCED for <>; Sun, 12 Jan 2014 17:08:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.438
X-Spam-Status: No, score=-2.438 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RP_MATCHES_RCVD=-0.538] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FQlc1yoV1nmm for <>; Sun, 12 Jan 2014 17:08:53 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 690941ACCEA for <>; Sun, 12 Jan 2014 17:08:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=uoa; t=1389575323; x=1421111323; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=d0p+kwrOwmU90jASLxpLz7YdOdoXbIP7O8+6L93/6m0=; b=AtttK8+Rb4sh+nWZ+2Kja1tHOGrKpAU1lfvQm5axJeNM5jTqRhDwmaFH ALh8RWpOsXYy7b+YI4I1ZtzWUXLhywkp4AeO9+NOM5dTaMRpHBncUmz5Z tXdyA0pqUqswJEpWEM2tpS9EizfS6uSEVD6ytiXhDB5r4GLFn9H6976L/ A=;
X-IronPort-AV: E=Sophos;i="4.95,649,1384254000"; d="scan'208";a="307033796"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES128-SHA; 13 Jan 2014 14:08:41 +1300
Received: from ([]) by ([]) with mapi id 14.03.0158.001; Mon, 13 Jan 2014 14:08:41 +1300
From: Peter Gutmann <>
To: "" <>
Thread-Topic: [Cfrg] [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement
Thread-Index: Ac8P+/9byi6ayj65T4y8eOEVo2PxzA==
Date: Mon, 13 Jan 2014 01:08:41 +0000
Message-ID: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [Cfrg] [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Jan 2014 01:08:58 -0000

Alyssa Rowan <> writes:

>EdDSA uses a hash to generate deterministic secret random exponents, to avoid
>eating entropy when signing (like ECDSA does in its natural habitat). That
>will need to be a big enough hash to cover the size we need: 512 bits covers
>2^255 - 19, but to cover Curve3617 or E521, we're going to need a bigger boat.

That assumes you need a single application of a hash function to do the job,
which as several people have pointed out is going to bite you at some point
when you run out of appropriately-sized hash functions.  Why not use HKDF, RFC
5869, which works with any hash function you like?