Re: [TLS] Curve25519 in TLS

Watson Ladd <> Wed, 16 October 2013 18:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7282911E82CE for <>; Wed, 16 Oct 2013 11:48:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TP5DsHF+aimg for <>; Wed, 16 Oct 2013 11:48:49 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c05::22a]) by (Postfix) with ESMTP id 877D911E8196 for <>; Wed, 16 Oct 2013 11:48:29 -0700 (PDT)
Received: by with SMTP id l12so7460788wiv.5 for <>; Wed, 16 Oct 2013 11:48:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=XbN7Z4eja9jsdRixm8mC1BC1BYe9+xNhqF1M0F46RTs=; b=F+7M18xf8Y0usW0MVpQ9aFcgSkr7nzbzrwkF73MbETKkSWNBRWatO8u7DK/zKf7ipq E6U7pnZhiau3Xet8hJqiMtevxX7K7B6cfIIeGkfpxPuiIdclpcNuLArEUTptn0TMmXjm yzDt4Mt1CMoSA8WJDv5xiROnMIhuN1tGc6N7op/IB+46t6dfoQaoFv0J2sqmZBYO2KD1 li5GN2IZqma35GipzkMuq/z0YOK9sF3jS+ZOYmR0fI2denTrQ6+0whUctTHrtujBph4E wD9utJpo6TlFDYMBKUDexvMh7BSAIvq2YeSJQz6NAODocXuZCsxWSMlP/39ZmP2SoLvU AXuw==
MIME-Version: 1.0
X-Received: by with SMTP id m13mr3578215wiw.10.1381949308726; Wed, 16 Oct 2013 11:48:28 -0700 (PDT)
Received: by with HTTP; Wed, 16 Oct 2013 11:48:28 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <>
Date: Wed, 16 Oct 2013 11:48:28 -0700
Message-ID: <>
From: Watson Ladd <>
To: Manuel Pégourié-Gonnard <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: Simon Josefsson <>, "" <>
Subject: Re: [TLS] Curve25519 in TLS
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Oct 2013 18:48:50 -0000

Minor nitpicks about language below.

On Tue, Oct 15, 2013 at 11:36 PM, Manuel Pégourié-Gonnard
<> wrote:
> Hi,
> On 24/09/2013 17:32, Simon Josefsson wrote:
> I think a few points should be clarified in the draft. As the
> introduction correctly states, Curve25519 is a new ECDH function, not
> just a new curve for use with the usual ECDH construction. Let me sum up
> the constructions of ECDH in TLS and in Curve25519.
> 1. Private keys: random integer in the range [1, q-1] with q the order of G.
> 2. Public keys: a point on the curve (defined over F_p).
> 3. Public key encoding: either
>     (a) the x and y coordinates of the point, or
>     (b) the x coordinate and a bit for determination of the y coordinate,
> with integers represented as big-endian bytes strings, preceded by a
> first byte indicating which format was chosen (and holding the possible
> additional bit).
I don't believe this is correct: RFC4492 permits curves with cofactor
greater than one.
I don't have a copy of the IEEE standard in front of me, but I believe
in this case one has to
do a group membership check. So it depends on what the meaning of G is.
> Curve25519 ECDH:
> 1. Private keys: random 254-bit positive integer with the high-order bit
> set and the three lowest-order bits cleared.
> 2. Public keys: any number in the range [0, 2^{256}-1].
> 3. Public key encoding: a byte string in little-endian convention.
> Now I'll discuss the differences and possible issues in more detail.
> 1. Concerning the private key, I think keeping the paper's definition
> does not raise any issue. Implementors should just be careful to use a
> special procedure for this curve.
What is actually happening is that exponentiation by the private key
is annihilating the small order
torsion subgroup on both the curve and the twist because the private
key is divisible by 8, and the curve and twist
have large prime-order subgroups with cofactor 8 and 4 respectively.
This is a big difference from the usual method,
in which one only sends members.
> 2. Concerning the public key, the 256-bit integer in the paper
> represents (modulo p) the x coordinate of a point on the curve E, but
> this point may not be defined over F_p, but over F_{p^2}. An alternative
> way of seeing things is that the public key may be either the x
> coordinate of a point in E(F_p) or of a point in E'(F_p) where E' is the
> twist curve y^2 = x^3 + 2Ax^2 + 4x.
> By construction of E, this is not a security issue at all, and rather a
> fact that simplifies implementations of the Curve25519-ECDH protocol,
> since there is no need to check the validity of public keys and they are
> shorter, but it introduces a real difference (in the type of objects,
> not just their representation) with the usual TLS ECDH function.
> 3. So, if we want to preserve the nice property than any 32-byte string
> (ie, any 256-bit integer x) is a valid key (and I think we do), we don't
> have a y coordinate at our disposal for the normal encoding procedure.
> Some ideas around this issue:
> A. Just use the convention y = 0 and one of the existing formats.
> Pros: simple, just works.
> Cons: with the basic "uncompressed" format, wastes 32 bytes of bandwidth.
Also, a dirty hack.
> B. Always use the "ansiX962_compressed_prime" format.
> Pros: doesn't waste bandwidth.
> Cons: forces applications to advertise support this format, which is a
> problem if they can't support it for other prime curves, unless we
> introduce an exception to the effect that support for this format with
> this particular curve is implied as soon as support for the curve is
> advertised. Does not seem very clean to me.
The other issue is that this isn't the ansiX962 format for deep
technical reasons. You would need to use
a birational morphism to Weirstrauß form, which is a pointless PITA,
or just tell pleasing lies, which annoys those of
us trying to analyze things, and is a potential source of bugs.
> C. Introduce a new point format "compressed_prime_montgomery".
> Pros: doesn't waste bandwidth, doesn't look hacky.
> Cons: a new point format only for one curve? OTOH, it is indeed a
> particular class of curve, since the recommended formulas work only with
> the x coordinate, and other curves in this class may be added later.
> Note that A and C may be combined.
Probably the best idea, especially given that definition of addition
is completely different.
> Any other idea?
> Manuel.
> _______________________________________________
> TLS mailing list

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin