Re: [Cfrg] Elliptic curve evaluation truths

"Paterson, Kenny" <> Wed, 26 November 2014 09:39 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A82E51A86EE for <>; Wed, 26 Nov 2014 01:39:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KUdMWXdhtO_c for <>; Wed, 26 Nov 2014 01:39:30 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fe00::661]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3AFFA1A6FFD for <>; Wed, 26 Nov 2014 01:39:30 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Wed, 26 Nov 2014 09:39:06 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Wed, 26 Nov 2014 09:39:05 +0000
Received: from ([]) by ([]) with mapi id 15.01.0026.003; Wed, 26 Nov 2014 09:39:05 +0000
From: "Paterson, Kenny" <>
To: Michael Hamburg <>, "Parkinson, Sean" <>
Thread-Topic: [Cfrg] Elliptic curve evaluation truths
Date: Wed, 26 Nov 2014 09:39:05 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: []
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:DBXPR03MB384;UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:;SRVR:DBXPR03MB384;
x-forefront-prvs: 04073E895A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(51704005)(479174003)(189002)(53754006)(13464003)(52604005)(377454003)(199003)(24454002)(86362001)(74482002)(15202345003)(92566001)(4396001)(20776003)(66066001)(64706001)(1720100001)(77156002)(46102003)(62966003)(36756003)(2656002)(87936001)(120916001)(15974865002)(122556002)(19580395003)(19580405001)(83506001)(40100003)(99396003)(15975445006)(97736003)(76176999)(50986999)(54356999)(31966008)(107046002)(95666004)(93886004)(101416001)(106356001)(92726001)(21056001)(19273905006)(105586002)(7059030)(563064011); DIR:OUT; SFP:1101; SCL:1; SRVR:DBXPR03MB384;; FPR:; SPF:None; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:DBXPR03MB013;
Cc: "" <>
Subject: Re: [Cfrg] Elliptic curve evaluation truths
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 Nov 2014 09:39:33 -0000

Hi Everyone,

Thanks for contributing to this thread. It's helpful in establishing some
facts that will help to inform our decision-making for people who are not
so aware of the basic issues. But, please, let's not get into huge amounts
of details here, as it will distract us from our main business.

On that front, I'm hoping we'll have some significant developments in the
next couple of days that will help us move forward with that main work of
selecting curves to recommend to the TLS WG.



On 26/11/2014 02:02, "Michael Hamburg" <>; wrote:

>Usually Montgomery curves are used because they have a very simple and
>efficient x-only Montgomery ladder implementation, where the y coordinate
>is not computed, at least not in the inner loop.
>It is not possible to add two points without some information about the
>y-coordinate.  However, if the y-coordinate is given (compressed on the
>wire, but uncompressed internally), then it possible to add points on a
>Montgomery curve.  That¹s not what people will do, though.  Instead
>they¹ll convert to (twisted) Edwards, where all the math is much simpler.
> Depending on the signature form, it may be possible to verify without
>adding, but people probably won¹t do that either.
>Likewise, it is possible but not practical to use ³pools of points² on a
>Montgomery curve.  Instead people will use Edwards form.
>So I would state:
>def) ³Twisted Edwards² includes traditional Edwards curves with a = 1.
>0) Every Montgomery curve is equivalent (isomorphic) to a Twisted Edwards
>curve.  Every Twisted Edwards curve is equivalent to a Montgomery or
>twisted Montgomery curve.  Every elliptic curve is equivalent to a short
>Weierstrass curve.
>4) Signing and verification on a Montgomery curve practically requires
>using Twisted Edwards form.
>6) Twisted Edwards and short Weierstrass curves support precomputed
>tables to speed up ephemeral DH.  Supporting this for Montgomery curves
>practically requires using Twisted Edwards form.
>Nitpicking Watson¹s claims:
>Every curve supports the Montgomery ladder, often in several flavors.
>Montgomery curves are used because they have a particularly simple and
>efficient Montgomery ladder.  A curve with a point of order 4 in some
>other form may have a somewhat slower or more complex Montgomery ladder
>than Montgomery curves.
>‹ Mike
>> On Nov 25, 2014, at 4:02 PM, Parkinson, Sean <>;
>> My understanding is that because you can't efficiently perform a point
>>add operation of two random points with Montgomery curves then signature
>>schemes are out.
>> Is there inefficient algorithms for performing point add on the
>>Montgomery curve?
>> I intended to not include transforming points to other curve types. So
>>  4. Signing and verification operations on Montgomery curves is not
>> I'm intentionally not talking about simplicity of implementations. That
>>is making things more complicated and hiding the 'truths'.
>> Sorry, 'Pools of points' was my name for the technique of having a
>>number of pre-generated points that are then added to each other to
>>quickly generate new points for TLS PFS.
>> Sean
>> --
>> Sean Parkinson | Consultant Software Engineer | RSA, The Security
>>Division of EMC
>> Office +61 7 3032 5232 | Fax +61 7 3032 5299
>> -----Original Message-----
>> From: Watson Ladd []
>> Sent: Wednesday, 26 November 2014 2:35 AM
>> To: Parkinson, Sean
>> Cc:
>> Subject: Re: [Cfrg] Elliptic curve evaluation truths
>> On Mon, Nov 24, 2014 at 11:56 PM, Parkinson, Sean
>><>; wrote:
>>> In hopes of reaching consensus, I thought I might start a list of
>>> known truths.
>>> Please don¹t just argue against each point but instead look to refine
>>> the statements where possible.
>>> 1.       Only curves over prime fields are being considered.
>>> 2.       Good, efficient implementations of Twisted Edwards curves will
>>> faster than good, efficient implementations of short Weierstrass with
>>> the same prime.
>>> 3.       Good, efficient Montgomery curve implementations are simpler
>>> good, efficient Twisted Edwards and short Weierstrass curve
>>> 4.       Montgomery curves cannot be used for signing/verification
>>> operations.
>> This is incorrect: see DJB's "Curves, Coordinates and Computation
>>emails". One can retrieve y-coordinates from the Montgomery ladder.
>> In fact, 2 and 3 both need to be reworked in light of this email.
>> The correct statement is that curves with a complete addition law are
>>easy to work with, and that the Montgomery ladder is also very simple.
>> Curves have a complete addition law if they are isomorphic to Edwards
>>curves, which is almost the same as having a point of order 4. The
>>Montgomery ladder works for curves with a point of order 4. (I may have
>>gotten the conditions somewhat wrong: this is morally correct)
>> How the curve is presented on the wire doesn't change this: one does a
>>few fast calculations to put the point retrieved from the wire in the
>>preferred form for calculation, and a few fast ones at the end to put it
>>back in the form on the wire.
>> This is also missing security considerations: it's easy to get
>>multiplication correct with a complete addition law, much harder without
>>one. Edwards curves always have a complete addition law, while Twisted
>>Edwards may or may not, depending on the value $a$ being a quadratic
>>residue or not.
>>> 5.       Small co-factor curves are no weaker, in terms of small
>>> attacks, than co-factor 1 curves.
>>> 6.       Twisted Edwards and short Weierstrass but not Montgomery
>>> support pools of points for ephemeral DH.
>> What do you mean by pools of points? Do you mean fast fixed-based
>>exponentiation? In that case one can do a fast fixed-based
>>exponentiation on the isomorphic or isogenous Edwards curve, and use a
>>few fast computations to get the point on the Montgomery curve.
>>> 7.       NIST curves are going to be in use for some time.
>>> 8.       One curve at about WF-128 is required.
>>> 9.       At least one curve with WF greater than 128 is required.
>>> 10.   Good, efficient implementations of curves using special primes
>>> significantly faster than good, efficient implementations using random
>>> primes.
>>> 11.   There are steps in performance based on the number of words used.
>>> 12.   There are a few special primes that are significantly faster
>>>than the
>>> step they are on.
>>> 13.   The curves chosen will be used for ECDH and ECDSA.
>>> 14.   The curves will be used in TLS and certificates.
>>> If you have more truths then please add to this list.
>>> Sean
>>> --
>>> Sean Parkinson | Consultant Software Engineer | RSA, The Security
>>> Division of EMC
>>> Office +61 7 3032 5232 | Fax +61 7 3032 5299
>>> _______________________________________________
>>> Cfrg mailing list
>> --
>> "Those who would give up Essential Liberty to purchase a little
>>Temporary Safety deserve neither  Liberty nor Safety."
>> -- Benjamin Franklin
>> _______________________________________________
>> Cfrg mailing list
>Cfrg mailing list