Re: [Cfrg] On the use of Montgomery form curves for key agreement

Manuel Pégourié-Gonnard <> Mon, 08 September 2014 20:01 UTC

To: Andy Lutomirski <>, Nico Williams <>
List-Id: Crypto Forum Research Group <>

On 08/09/2014 21:34, Andy Lutomirski wrote:
> On Mon, Sep 8, 2014 at 11:51 AM, Nico Williams <> wrote:
>> As for key reuse (as opposed to how long after use the key is
>> destroyed), obviously it cannot be bad, otherwise we'd only have
>> ephemeral-ephemeral DH.  But we've been using DH with static keys
>> since DH was invented.
Key reuse is bad if the implementation has side channels. Well, arguably that
should never be the case, but anyway.

> Certainly any exchange of the form K = H(g^(a+b)) followed by use
> of most AEADs (e.g. GCM, most things using Poly1305, etc.) starting
> with IV 0 and key K (or a hash of K) will fail catastrophically.
This can certainly be a catastrophic failure in some protocol, but in TLS at
least I think the random values from the hello messages prevent this particular
mode of failure.

> In summary, I think that a protocol intended to allow ephemeral key
> reuse needs to specify that reuse is allowed (so the proofs can be
> designed correctly) and to specify *how* the keys may be reused (to
> avoid catastrophic failure).
However, I agree with this point.

> I hope that OpenSSL doesn't already reuse ECDH keys on the client.
> The code is entirely incomprehensible, so my five minutes of trying to
> understand it went nowhere at all.
I would assume they don't: on the server you must select one curve, while on the
client curve selection is dynamic. I take this as an indication that they reuse
keys on the server but not on the client. But do not trust me on this!
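The failure mode Andy describes and the TLS mitigation Manuel points to, as an added example that is not part of the original thread (it is not code from any of the participants or from OpenSSL). It assumes a toy DH group (2**127-1 with generator 3, chosen only so the arithmetic runs; not a real group) and a SHA-256 counter-mode keystream as a stand-in for the deterministic keystream of GCM or ChaCha20-Poly1305; the static private keys, the hello randoms and the two plaintexts are constructed for the demo. The first derivation uses only K = H(g^ab), so two sessions between the same static keys encrypt their first record under the same key and IV 0; the second mixes the client and server randoms into the key, as the TLS key derivation does (HMAC-SHA256 stands in for the TLS PRF):

```python
import hashlib
import hmac
import os

# Toy DH parameters (assumption: for illustration only; 2**127-1 is prime but the
# group has small subgroups, so use RFC 3526/7919 groups or X25519 in practice).
P = 2**127 - 1
G = 3

# Constructed static private keys, reused across sessions (the situation under
# discussion: static-static DH with no per-session freshness in the key schedule).
A_PRIV = 0x3D2B7C1E9F4A60851B2C3D4E5F607182
B_PRIV = 0x0A1B2C3D4E5F60718293A4B5C6D7E8F9


def dh_public(priv):
    return pow(G, priv, P)


def dh_shared(priv, peer_pub):
    # g^ab as 16 bytes (fits because P < 2**128)
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def keystream(key, nonce, n):
    """Stand-in for an AEAD keystream: SHA-256 in counter mode over (key, nonce).
    Like GCM's or ChaCha20's keystream it is a deterministic function of
    (key, nonce), which is all this demonstration needs."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key, nonce, plaintext):
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def naive_key(shared, client_random, server_random):
    # K = H(g^ab): depends only on the two (reused) static keys; randoms ignored.
    return hashlib.sha256(shared).digest()


def tls_style_key(shared, client_random, server_random):
    # Mix both hello randoms into the traffic key, as the TLS PRF does with
    # client_random and server_random (HMAC-SHA256 stands in for the PRF).
    return hmac.new(shared, client_random + server_random, hashlib.sha256).digest()


def first_record(derive, client_random, server_random, plaintext):
    """One session: both sides compute g^ab from static keys, derive the traffic
    key with `derive`, and encrypt the first record with IV 0."""
    shared_a = dh_shared(A_PRIV, dh_public(B_PRIV))
    shared_b = dh_shared(B_PRIV, dh_public(A_PRIV))
    assert shared_a == shared_b
    key = derive(shared_a, client_random, server_random)
    return encrypt(key, bytes(12), plaintext)


def demonstrate():
    # Constructed plaintexts of equal length for two separate sessions.
    p1 = b"transfer 100 EUR to account 42"
    p2 = b"transfer 999 EUR to account 13"
    cr1, sr1 = os.urandom(32), os.urandom(32)
    cr2, sr2 = os.urandom(32), os.urandom(32)

    # Naive derivation: identical key and IV in both sessions, so the XOR of the
    # ciphertexts is the XOR of the plaintexts, and knowing p1 reveals p2.
    c1 = first_record(naive_key, cr1, sr1, p1)
    c2 = first_record(naive_key, cr2, sr2, p2)
    leaked = xor(c1, c2) == xor(p1, p2)
    recovered_p2 = xor(xor(c1, c2), p1)

    # TLS-style derivation: same g^ab, but the hello randoms give fresh keys.
    d1 = first_record(tls_style_key, cr1, sr1, p1)
    d2 = first_record(tls_style_key, cr2, sr2, p2)
    fresh_keys = xor(d1, d2) != xor(p1, p2)

    return leaked, recovered_p2, fresh_keys


if __name__ == "__main__":
    leaked, recovered_p2, fresh_keys = demonstrate()
    print("naive derivation leaks p1 XOR p2:", leaked)
    print("attacker who knows p1 recovers p2:", recovered_p2)
    print("TLS-style derivation gives distinct keys:", fresh_keys)
```

The stand-in keystream shows only the plaintext-XOR leak; with real GCM the same key/nonce reuse additionally exposes the GHASH subkey, so an attacker can also forge records, which is why the failure is called catastrophic rather than merely a confidentiality loss.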