Re: [Cfrg] [TLS] Unwarrented change to point formats

"Paterson, Kenny" <> Sun, 27 July 2014 18:26 UTC

From: "Paterson, Kenny" <>
To: Watson Ladd <>
Date: Sun, 27 Jul 2014 18:25:54 +0000
Subject: Re: [Cfrg] [TLS] Unwarrented change to point formats
List-Id: Crypto Forum Research Group <>


There was certainly support for Curve25519 at the CFRG interim phone conference, from my reading of the transcript. 

I don't think the reasons for the TLS WG to ask for our input are nebulous, as you put it. I'd say they were taking a responsible approach, charging us as experts to explore the alternatives carefully and make recommendations. This choice will affect the future security of TLS for years - or decades - to come. So we have to get it right. 

That request to us does not mean anyone is ignoring existing drafts, as you write. I am also not aware of this IETF-wide requirement that you mention. I believe it's a "nice to have", but not a hard requirement. Can you point to something more solid that is demonstrably a consensus view?

You will note from my previous emails summarising the meeting in Toronto that backwards compatibility with the existing wire format is regarded as being desirable but not essential by the TLS WG leadership. If it can be done, it will make adoption easier; if not, we can change it, but it will need some careful drafting to make sure it's crystal clear. 

The fact that the small group who run OpenSSH has adopted a couple of schemes based on a particular curve does not necessarily make that curve the right choice for TLS. I also don't regard that as wide adoption, as you put it. I'm not aware of a public, requirements-driven process behind their choice. That's what we are attempting here.  

Your continued inputs to the process are most welcome. 



> On 26 Jul 2014, at 18:59, "Watson Ladd" <> wrote:
> Dear all,
> Curve25519 was a draft. Curve25519 came back with good reviews from
> the CFRG. End of story? No: the TLS WG leadership has decided to ask
> for the choice of curves, on nebulous criteria, ignoring existing
> drafts, on the basis that the curves must be applicable "IETF wide".
> I don't see the reason for this, especially given that OpenSSH has
> implemented and deployed Curve25519 and Ed25519, complete with
> Montgomery form on the wire.  Arguing that we need twisted Edwards
> point formats everywhere for consistency with existing libraries
> ignores what has already been deployed and widely adopted.
> Sincerely,
> Watson Ladd