Re: [openpgp] Curve25519/ECDH

Clint Adams <> Sun, 27 August 2017 22:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 79EA51321C9 for <>; Sun, 27 Aug 2017 15:29:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id iwCwRcCs1wYZ for <>; Sun, 27 Aug 2017 15:29:48 -0700 (PDT)
Received: from ( [IPv6:2600:3c00::f03c:91ff:fe96:c8b9]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D4D78132192 for <>; Sun, 27 Aug 2017 15:29:48 -0700 (PDT)
Received: by (Postfix, from userid 1000) id 9BB006255F; Sun, 27 Aug 2017 22:29:46 +0000 (UTC)
Date: Sun, 27 Aug 2017 22:29:46 +0000
From: Clint Adams <>
Message-ID: <>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <>
Subject: Re: [openpgp] Curve25519/ECDH
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 27 Aug 2017 22:29:50 -0000

On Fri, Aug 11, 2017 at 08:10:11PM +0000, Clint Adams wrote:
> After speaking with NIIBE-san this morning, I think there could be some
> more clarity with regard to how Curve25519 keys are meant to be
> public-key algorithm 18.
> To that end I've submitted

Per request, into the list archive:

While Ed25519 gets its own packet tag, Curve25519 keys are treated
the same as ECDH (by design and by the GnuPG implementation).
 middle.mkd | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/middle.mkd b/middle.mkd
index ec864c4..2615cf4 100644
--- a/middle.mkd
+++ b/middle.mkd
@@ -3735,8 +3735,8 @@ found in [](#KOBLITZ).
 This document references five named prime field curves, defined in
 [](#FIPS186) as "Curve P-256", "Curve P-384", and "Curve P-521"; and
 defined in [](#RFC5639) as "brainpoolP256r1", and "brainpoolP512r1".
-Further curve "Ed25519", defined in [](#I-D.irtf-cfrg-eddsa) is
-referenced for use with the EdDSA algorithm.
+Further curve "Curve25519", defined in [](#RFC7748) is referenced
+for use with Ed25519 (EdDSA signing) and X25519 (encryption).
 The named curves are referenced as a sequence of bytes in this
 document, called throughout, curve OID.  [](#ecc-curve-oid) describes
@@ -3756,7 +3756,8 @@ size.  The adjusted underlying field size is the underlying field size
 that is rounded up to the nearest 8-bit boundary.
 Therefore, the exact size of the MPI payload is 515 bits for "Curve
-P-256", 771 for "Curve P-384", and 1059 for "Curve P-521".
+P-256", 771 for "Curve P-384", 1059 for "Curve P-521", and ???{FIXME}
+for Curve25519.
 Even though the zero point, also called the point at infinity, may
 occur as a result of arithmetic operations on points of an elliptic
@@ -3867,7 +3868,8 @@ definition of the OtherInfo bitstring [](#SP800-56A):
     fingerprint are used.
 The size of the KDF parameters sequence, defined above, is either 54
-for the NIST curve P-256 or 51 for the curves P-384 and P-521.
+for the NIST curve P-256, 51 for the curves P-384 and P-521, or
+???{FIXME} for Curve25519.
 The key wrapping method is described in [](#RFC3394).  KDF produces a
 symmetric key that is used as a key-encryption key (KEK) as specified