Re: [Cfrg] Point format endian (was: Adoption of draft-ladd-spake2 as a RG document)

"Dan Harkins" <> Mon, 26 January 2015 06:31 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 7F3D91A1EFF for <>; Sun, 25 Jan 2015 22:31:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.867
X-Spam-Status: No, score=-3.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id soEEQZfq6wOr for <>; Sun, 25 Jan 2015 22:31:01 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 6E1351A1BD7 for <>; Sun, 25 Jan 2015 22:31:01 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id CABCB1022400A; Sun, 25 Jan 2015 22:31:00 -0800 (PST)
Received: from (SquirrelMail authenticated user by with HTTP; Sun, 25 Jan 2015 22:31:01 -0800 (PST)
Message-ID: <>
In-Reply-To: <>
References: <> <> <> <>
Date: Sun, 25 Jan 2015 22:31:01 -0800
From: Dan Harkins <>
To: Watson Ladd <>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Archived-At: <>
Cc: "" <>
Subject: Re: [Cfrg] Point format endian (was: Adoption of draft-ladd-spake2 as a RG document)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 26 Jan 2015 06:31:02 -0000

On Sun, January 25, 2015 12:35 pm, Watson Ladd wrote:
> On Sun, Jan 25, 2015 at 10:26 AM, Mike Hamburg <> wrote:
>> I think that this is actually an interesting question, so maybewe can
>> put aside religion and mockery thereof for little bit...
>> Does anyone know of existing code which processes cryptography over
>> multiple fields using a generic bignums package (hopefully with
>> fixed-size
>> bignums for timing resistance), and would be complicated by inconsistent
>> endian practices in a new curve?  If so, it might be worth considering a
>> consistent endian.

  Yes Mike, there are numerous crypto libraries, both open source and
proprietary, that use a generic bignum package. And it is that "might be
worth considering" that is making me raise this issue.

> Both NSS and OpenSSL have a bignum library underlying ECC operations,
> but I don't know how often that gets used in practice vs per curve
> optimized implementations. But we're talking about swapping bytes in a
> serialization function: it's a potential wart, but a small one. If we
> do reverse endianness, then what SSH is already doing won't be
> included.

  Warts are ugly. And if small warts are not a concern then let's just
leave SSH with a wart and everyone else can be wart-free.

> The fact that actual developers making actual projects don't consider
> this a problem should register.

  Well this actual developer making actual projects considers this a
problem. The argument from Rich is that he's OK with curve25519
being a special case because of he wants to interop with some existing
implementations. And I guess that's the difference. Aside from SSH
(which will have "a potential ward, but a small one") I don't see
a large number of protocols implemented with this format that
make this change compelling.