RE: ssh-ed25519 implementations

Daniel Migault <> Thu, 11 May 2017 15:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D0566131491 for <>; Thu, 11 May 2017 08:56:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0KFRtd82yPqp for <>; Thu, 11 May 2017 08:56:52 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A03A61314A4 for <>; Thu, 11 May 2017 08:50:31 -0700 (PDT)
Received: by (Postfix, from userid 605) id 5B5908557D; Thu, 11 May 2017 15:50:30 +0000 (UTC)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5786085576 for <>; Thu, 11 May 2017 15:50:27 +0000 (UTC)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10025) with ESMTP id C7LFXKq9YF05 for <>; Thu, 11 May 2017 15:50:26 +0000 (UTC)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 97D2C84CE1 for <>; Thu, 11 May 2017 15:50:26 +0000 (UTC)
X-AuditID: c618062d-481ff70000000cf0-1e-591482dd3f80
Received: from (Unknown_Domain []) by (Symantec Mail Security) with SMTP id 1C.D3.03312.DD284195; Thu, 11 May 2017 17:27:28 +0200 (CEST)
Received: from ([]) by ([]) with mapi id 14.03.0319.002; Thu, 11 May 2017 10:05:16 -0400
From: Daniel Migault <>
To: "Mark D. Baushke" <>, Eric Rescorla <>, "Ron Frederick" <>, Brian Smith <>, "denis bider" <>, Simon Tatham <>
CC: "" <>, "" <>
Subject: RE: ssh-ed25519 implementations
Thread-Topic: ssh-ed25519 implementations
Thread-Index: AQHSylsYe0kaNRFXjUKb2lX66nDkWqHvIbRQ
Date: Thu, 11 May 2017 14:05:15 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrFIsWRmVeSWpSXmKPExsUyuXRPiO6DJpFIg2mt1hY/mlazW1yZeojZ YuvCWcwWx8/NZbZY8focu8WHe4/ZLLruXGezWLX5H7sDh8e+hsOsHjtn3WX3WLLkJ5PH9aar 7B4LH/Ywely8pOwx+XEbs8ftdxeZAjiiuGxSUnMyy1KL9O0SuDJm3pvCWHCLr+L7rQ2sDYyP ubsYOTkkBEwk7l3cx9rFyMUhJHCUUWJz0zsmCGc5o8ScrrmsIFVsAkYSbYf62UFsEYH7jBKN XyO7GDk4mAXCJJr36IKEhQU0Je59fcEMEhYR0JKYe8ARohqos/cOWCeLgKrE1IXTWEBsXgFf ie0H9rFDrNrIKPHl2y42kASngJlE74HDYGsZBcQkvp9awwRiMwuIS9x6Mp8J4mgBiSV7zjND 2KISLx//Y4WwFSX29U9nh6jXkViw+xMbhK0tsWzha2aIxYISJ2c+YZnAKDoLydhZSFpmIWmZ haRlASPLKkaO0uKCnNx0I4NNjMAYPCbBpruD8f50z0OMAhyMSjy8D2SEI4VYE8uKK3MPMUpw MCuJ8GplikQK8aYkVlalFuXHF5XmpBYfYpTmYFES551w/kKEkEB6YklqdmpqQWoRTJaJg1Oq gdFDJy1+7td1R5yPvJmw9MOED0zyYmubtD9FNwrtD5t/a6lWTnjJ0sOXVkzKtrsg1nPv2h/n jE1MoglHdVZ/kLv675eS4f4n3MePiN4UrjOV5zmWt+GcukO/7emH14zMNUo6eKpC7KrKLLd+ zWv21I3cJH3kg65K8/Lz9md/fvh7YsL1qN6pf4qUWIozEg21mIuKEwGB1baKvQIAAA==
Precedence: list
List-Unsubscribe: <>

I believe it is nicer to have Curve25519 and Curve448 should be coherent.  The text is clarifying.

-----Original Message-----
From: [] On Behalf Of Mark D. Baushke
Sent: Thursday, May 11, 2017 9:33 AM
To: Eric Rescorla <>om>; Ron Frederick <>et>; Brian Smith <>rg>; denis bider <>om>; Simon Tatham <>
Subject: Re: ssh-ed25519 implementations 

Hi Eric & Ron & Brian & Simon,

Given input from folks so far, I think it would be better if both
Curve25519 and Curve448 continued to use the "mpint" format for K when generating a hash even though this is not what RFC7748 suggests.

Would it make sense to include the following text to the end of section
2.1 of ?

    When performing the X25519 or X448 operations, the integer values
    there will be encoded into byte strings by doing a fix-length
    unsigned litle-endian conversion, per [RFC7748]. It is only later
    when these byte strings are then passed to the ECDH code in SSH that
    the bytes are re-interpreted as a fixed-length unsigned big-endian
    integer value K, and then later that K value is encoded as a
    variable-length signed "mpint" before being fed to the hash
    algorithm used for key generation.

to help clarify the differences between RFC7748 and what is happening in SSH?

Much of this text is borrowed from what Ron Frederick has written to me, any remaining confusion is my fault.

I think that the above text should help clear up the confusion that Eric noted in this section of code.

If there are no problems with this text, I will release the -05 draft with it.

	Thank you,
	-- Mark