Re: [Cfrg] On the use of Montgomery form curves for key agreement

Brian LaMacchia <> Tue, 02 September 2014 07:58 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 04DBD1A00F6 for <>; Tue, 2 Sep 2014 00:58:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BPlX8JtHDh0b for <>; Tue, 2 Sep 2014 00:58:24 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 07F201A00E8 for <>; Tue, 2 Sep 2014 00:58:23 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1015.19; Tue, 2 Sep 2014 07:58:22 +0000
Received: from ([]) by ([]) with mapi id 15.00.1015.018; Tue, 2 Sep 2014 07:58:22 +0000
From: Brian LaMacchia <>
To: Robert Ransom <>
Thread-Topic: [Cfrg] On the use of Montgomery form curves for key agreement
Thread-Index: Ac/GFKdVASv0pPTeROyHvj6EvV57FQAAYtoAAAwdIdAADhl2AAABG7xg
Date: Tue, 02 Sep 2014 07:58:21 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;UriScan:;
x-forefront-prvs: 0322B4EDE1
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(377454003)(479174003)(13464003)(189002)(199003)(51704005)(24454002)(2656002)(64706001)(92566001)(86612001)(80022001)(66066001)(20776003)(76576001)(74316001)(87936001)(21056001)(90102001)(86362001)(85852003)(83072002)(46102001)(77982001)(99396002)(81342001)(4396001)(19580395003)(83322001)(33646002)(19580405001)(106356001)(76482001)(76176999)(77096002)(74662001)(85306004)(99286002)(54356999)(105586002)(50986999)(93886004)(108616004)(81542001)(107046002)(31966008)(101416001)(95666004)(74502001)(110136001)(24736002)(42262002); DIR:OUT; SFP:; SCL:1; SRVR:BL2PR03MB243;; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [Cfrg] On the use of Montgomery form curves for key agreement
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Sep 2014 07:58:26 -0000

-----Original Message-----
From: Robert Ransom [] 
Sent: Tuesday, September 2, 2014 12:25 AM
To: Brian LaMacchia
Cc: Andy Lutomirski;
Subject: Re: [Cfrg] On the use of Montgomery form curves for key agreement

>On 9/1/14, Brian LaMacchia <> wrote:
>>  To be clear, the reason you would
>> want to change to another form in ECDHE is for significant performance 
>> gains in the fixed-base key generation.

>This is false, and you clearly know that: your own research group's paper gives performance figures for >a ‘hybrid’ ECDHE implementation which uses Edwards form internally for key generation, and uses the >Montgomery ladder for the variable-base scalar multiplication.
>(For everyone else, the added cost (during key generation) of encoding a projective Edwards-form >point to a Montgomery-form point format rather than an Edwards-form point format is trivial: two >additions.)

Hi Robert,

I think you misread that portion of my email as being about the cost of conversion between coordinate formats, when I was in fact referring to the overall “hybrid” implementation.  If you go back and reread the entire message, you’ll see a more detailed comment on exactly this point at the bottom of my reply to Andy.