Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as a RG document

Joppe Bos <> Fri, 09 January 2015 14:00 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 5908D1A879C for <>; Fri, 9 Jan 2015 06:00:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zToO1298oe-m for <>; Fri, 9 Jan 2015 06:00:17 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fe00::677]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 750831A87A2 for <>; Fri, 9 Jan 2015 06:00:08 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Fri, 9 Jan 2015 13:59:45 +0000
Received: from ([]) by ([]) with mapi id 15.01.0049.002; Fri, 9 Jan 2015 13:59:45 +0000
From: Joppe Bos <>
To: "" <>, "" <>
Thread-Topic: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as a RG document
Thread-Index: AQHQKR3CPwjtAQnV00eRzIHuVeF6CJy31HLw
Date: Fri, 09 Jan 2015 13:59:45 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
x-originating-ip: []
authentication-results: spf=none (sender IP is );
x-dmarcaction: None
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(3005003);SRVR:AMSPR04MB520;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:;SRVR:AMSPR04MB520;
x-forefront-prvs: 04519BA941
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(53754006)(54014002)(13464003)(199003)(189002)(377454003)(4396001)(66066001)(107886001)(107046002)(1720100001)(40100003)(2656002)(87936001)(20776003)(64706001)(99396003)(2900100001)(68736005)(74316001)(77096005)(15975445007)(102836002)(2950100001)(62966003)(77156002)(122556002)(54606007)(50986999)(120916001)(99936001)(19580405001)(19580395003)(2501002)(54356999)(76176999)(97736003)(46102003)(54206007)(101416001)(105586002)(92566001)(106116001)(106356001)(21056001)(31966008)(76576001)(33656002)(86362001)(230783001); DIR:OUT; SFP:1101; SCL:1; SRVR:AMSPR04MB520;; FPR:; SPF:None; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0235_01D02C1C.E659DDE0"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jan 2015 13:59:45.5063 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AMSPR04MB520
Archived-At: <>
Subject: Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as a RG document
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 09 Jan 2015 14:00:23 -0000

Hi all,

The current version of the draft contains methods for parameter selection
(section 6) and a single recommended curve (section 7). 
IMO the natural approach would be to first agree upon a parameter selection
procedure (one draft) and subsequently, when a large portion of the
community agrees that this selection procedure is sound, use this procedure
to select new curves (another draft). Currently, we are changing the
selection procedure to match an existing curve. If we want curve25519
because it is fast and widely deployed then we should state this clearly and
refrain from modifying the selection procedures because this might have a
negative impact on the potential selection of curves in the future. 

Please find below some comments on the current version of the draft.

Section 7: 
- The specification of the parameters is done either in formula form (p), in
decimal (d) or a formula + hexadecimal (order). Maybe use the same notation
(e.g. either decimal or hexadecimal) everywhere to avoid confusion?
- For completeness it might be good to give the corresponding (short)
Weierstrass form of the curve(s).

Section 8-10:
These sections are curve25519 specific, this should be stated much clearer.

Section 8:
As far as my understanding goes there was no consensus on the wire format of
field elements. 
This section states that "when transmitting field elements in the
Diffie-Hellman protocol below, they MUST be encoded as an array of bytes, x,
in little-endian order". Maybe some notation got confused here, what is this
x-coordinate? The only x defined are on the Edwards curve while I think here
the Montgomery curve is meant (the u-coordinate from section 7). This should
be fixed or stated clearer to avoid confusion.

Section 9:
- It is not entirely clear to me why such low-level details are provided in
this draft. Is it expected from the CFRG to deliver implementation details
for algorithms or just a specification of curves plus related info (such as
wire formats)? If we want to provide such low-level details then why not
also state how to implement the field arithmetic?
- Why is only the approach based on the Montgomery ladder stated in this
section? There is nothing wrong with the Montgomery ladder but it is not the
best solution for all reasonable definitions of best. The implementer has
the choice, as stated before on this list, to compute DH on (for instance)
the corresponding Edwards or Weierstrass curve. Currently it looks as if the
CFRG recommends to use the Montgomery ladder for all scenarios;  something
we know is suboptimal in terms of performance for higher security levels.
Moreover, imagine the scenarios where people use (twisted) Edwards curves
for signatures. Then implementing DH using the Montgomery ladder implies
managing code for both the Montgomery and the twisted Edwards curve and,
following the reasoning expressed by some people on this list, a larger code
base implies more room for errors which implies a less secure approach. 
- This ladder implementation defines the usage of cswap ("due to the
existence of side-channels in commodity hardware"). Although this adds some
protection this algorithm is not secure in many realistic threat models
(e.g. in hardware security). To me, it looks quite arbitrary to just protect
against one type of attack and not against a whole range of other
side-channel attacks. The threat model should depend on where the
implementation will be used and therefore it is up to the implementer to
make the appropriate design decisions and introduce the adequate

Best regards,


-----Original Message-----
From: Cfrg [] On Behalf Of Alexey Melnikov
Sent: Monday, January 05, 2015 8:15 PM
Subject: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as a RG document

This message starts 2 weeks adoption call (ending on January 19th 2015) on:

as the starting point for the CFRG document which describes an algorithm for
safe curve parameter generation for a particular security level and also
recommends a specific curve (2^255-19) for the 128-bit security level.

Please reply to this message or directly to CFRG chairs, stating whether you
support (or not) adoption of this document. If you do not support adoption
of this document, please state whether you support adoption of any
alternative document or whether you want a particular change be made to the
document before adoption.

Chairs ask not to reiterate previously expressed technical opinions or
arguments. But clarifying questions on the adoption call are welcome.

While making your decision, please keep in mind

On behalf of CFRG chairs.

P.S. Editors of draft-black-rpgecc-01 and
draft-turner-thecurve25519function-01 can become co-editors of the adopted
document, if they choose to do so. Email chairs directly if you are willing
or not willing to do so.

Cfrg mailing list