Re: ssh-ed25519 implementations

"denis bider (Bitvise)" <> Thu, 11 May 2017 05:22 UTC

Message-ID: <B1761C2AE47B4204B4002FDEE14C0218@Khan>
From: "denis bider (Bitvise)" <>
To: <>, "Mark D. Baushke" <>
Subject: Re: ssh-ed25519 implementations
Date: Wed, 10 May 2017 21:53:01 -0600

Hey Mark!

For curve448-sha512, I have no objections for either choice of encoding. What’s more important than the choice of encoding is that there isn’t doubt about the choice of encoding.

That being said, I agree it may be slightly preferable to use signed mpint, given that this would be consistent with all other SSH key exchange methods, including Curve25519, and it would be weird for Curve448 to depart from this.


From: Mark D. Baushke 
Sent: Wednesday, May 10, 2017 19:39
Subject: ssh-ed25519 implementations

[Second attempt. my first attempt got bounced by fraud detection checks
for some unknown reason. -- mdb]


Eric Rescorla <> has brought to my attention that in it is
currently specifying the SSH encoding of secrets on the wire using the
mpint process as described in section 5 of [RFC4251] while RFC 7748
describes using a little-endian format:

  GF(2^448 - 2^224 - 1) and are encoded as an array of bytes, u,
  in little-endian order such that u[0] + 256*u[1] + 256^2*u[2] + ... +

This seems to be what is being implemented for, so I should make
an explicit note of this in the draft.

However, I am unaware of any curve448-sha512 implementations at
present and would like consensus that it should also follow the mpint
method rather than the RFC 7748 method.

Please reply to with your opinions.

        Thank you,
        -- Mark
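The two encodings being compared above, as an added worked example that is not part of this thread, the draft, or any named implementation. It takes the raw X25519 (32-byte) or X448 (56-byte) output, interprets it as the little-endian unsigned integer RFC 7748 describes, and encodes that integer as an RFC 4251 section 5 mpint (the reading RFC 8731 later fixed for curve25519-sha256 and curve448-sha512). It also shows why the choice matters: the mpint form is variable-length and grows by one byte when the top bit is set, and an implementation that wraps the little-endian bytes directly as an mpint body gets a different integer, so the two peers derive different exchange hashes. All sample secrets are constructed values, and the `string`-wrapped RFC 7748 alternative is an assumed framing for comparison, not one the draft specifies.

```python
"""Encoding an X25519/X448 shared secret K for an SSH key exchange.

Added example for this page: hypothetical helpers, not code from the
draft, Bitvise, or any SSH implementation.
"""
import struct


def le_bytes_to_int(u: bytes) -> int:
    """RFC 7748 reading of the output: u[0] + 256*u[1] + 256^2*u[2] + ..."""
    return int.from_bytes(u, "little")


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 section 5 mpint: uint32 length, then big-endian two's
    complement with no unnecessary leading bytes.  Zero is the empty string.
    K is never negative, so only the non-negative branch is needed."""
    if value < 0:
        raise ValueError("shared secret is never negative")
    if value == 0:
        return struct.pack(">I", 0)
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # top bit set: pad so the value stays positive
    return struct.pack(">I", len(body)) + body


def parse_mpint(data: bytes) -> tuple[int, bytes]:
    """Decode one mpint; return (value, remaining bytes)."""
    (n,) = struct.unpack(">I", data[:4])
    body = data[4:4 + n]
    if len(body) != n:
        raise ValueError("truncated mpint")
    return int.from_bytes(body, "big", signed=True), data[4 + n:]


def shared_secret_as_mpint(u: bytes) -> bytes:
    """The 'signed mpint' choice: interpret the raw little-endian output as
    an unsigned integer, then encode that integer as an SSH mpint."""
    if len(u) not in (32, 56):
        raise ValueError("expected X25519 (32) or X448 (56) byte output")
    return ssh_mpint(le_bytes_to_int(u))


def shared_secret_as_rfc7748_string(u: bytes) -> bytes:
    """The fixed-length alternative: the raw little-endian bytes wrapped as
    an SSH string (assumed framing; the draft does not define this)."""
    return struct.pack(">I", len(u)) + u


def mistaken_mpint(u: bytes) -> bytes:
    """A plausible misreading: wrap the little-endian bytes directly as the
    mpint body.  It parses, but as a different (byte-reversed) integer."""
    return struct.pack(">I", len(u)) + u


# Constructed sample outputs (not real curve points).
X25519_TOP_BIT_SET = b"\x01" + b"\x00" * 30 + b"\x80"  # u[31] has bit 7 set
X25519_SMALL = b"\x02" + b"\x00" * 31                  # integer value 2
X448_TOP_BIT_CLEAR = b"\x00" * 55 + b"\x7f"


def encodings_agree(u: bytes) -> bool:
    """True iff the correct mpint and the misread mpint decode to the same K."""
    good, _ = parse_mpint(shared_secret_as_mpint(u))
    bad, _ = parse_mpint(mistaken_mpint(u))
    return good == bad


if __name__ == "__main__":
    for name, u in [("X25519 top bit set", X25519_TOP_BIT_SET),
                    ("X25519 small value", X25519_SMALL),
                    ("X448 top bit clear", X448_TOP_BIT_CLEAR)]:
        print(name)
        print("  mpint  :", shared_secret_as_mpint(u).hex(),
              f"({len(shared_secret_as_mpint(u))} bytes)")
        print("  rfc7748:", shared_secret_as_rfc7748_string(u).hex(),
              f"({len(shared_secret_as_rfc7748_string(u))} bytes)")
        print("  misread agrees with mpint:", encodings_agree(u))
```

The 32-byte secret with its top bit set encodes as 33 body bytes (a leading 0x00 is required so the two's complement value stays positive), while the value 2 encodes as a single body byte; the RFC 7748 string is always 36 or 60 bytes. Both peers must pick the same rule, which is the point of the thread.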