RE: Curve25519/448 key agreement for SSH

[denis bider <ietf-ssh3@denisbider.com>]

Simon, Aris -

thank you for this work. I plan to be implementing this soon, and I appreciate that you're moving ahead with standardization.

With respect to conversion of the binary string X into mpint K, is there a chance that X might have its high bit set?

If it's possible for the high bit to be set, it seems you ought to clarify how that's converted into mpint, given that mpint is signed:

https://www.ietf.org/rfc/rfc4251.txt
      Represents multiple precision integers in two's complement format,
      stored as a string, 8 bits per byte, MSB first.  Negative numbers
      have the value 1 as the most significant bit of the first byte of
      the data partition.  If the most significant bit would be set for
      a positive number, the number MUST be preceded by a zero byte.Besides that, I'm noticing the language could use improvement in places ("this document re-use" -> "this document reuses", "is is" -> "is").

Overall, thank you for moving forward with this, though.


----- Original Message -----
From: Simon Josefsson 
Sent: Monday, November 9, 2015 09:07
To: ietf-ssh@netbsd.org 
Subject: Curve25519/448 key agreement for SSH

Aris and me have prepared a document describing key agreement using the
CFRG curves for Secure Shell.  As you know, curve25519-sha256@libssh.org
is already implemented by libssh, OpenSSH, Dropbear, and some others.
This is about putting the description of that into IETF format, and to
add the Curve448 hedge variant chosen by CFRG.  It might not be detailed
enough for independent implementation, but we hope to get there.  Any
review and feedback is welcome.

https://tools.ietf.org/html/draft-josefsson-ssh-curves

/Simon

PS. There is https://tools.ietf.org/html/draft-bjh21-ssh-ed25519 but
that talks about Ed25519 signatures.  The document above is about key
agreement.