[Cryptech Tech] Regarding Curve25519 and IETF
Bernd Paysan
bernd at net2o.de
Tue Dec 16 17:59:28 UTC 2014
On Tuesday, 16 December 2014, 14:31:13, Joachim Strömbergson wrote:
> Aloha!
>
> The fight about new curves in TLS reached a new level last night:
>
> http://www.ietf.org/mail-archive/web/cfrg/current/msg05661.html
>
> What I don't get is what the need is and thus motivation for generating
> another, but different 25519-curve. The patent issue is scary.
Microsoft's embrace&extend mechanism at work.
Actually, creating "another 25519-curve" is already a DJB offense, with the
Ed25519 form. This form has significant advantages (regularity allows
speedup), and the curve has the same properties as the original Curve25519.
So the thing I would propose for standardization is to use Ed25519 both for
signature and for ECDH, having only one form for both purposes is a good idea
- you don't have to implement the basics twice, and if you like to, you can
use your pubkey both for signing and encryption. Pubkeys usually are signature
keys, so nobody with a sane protocol (where only signature keys are permanent)
should have a problem with that.
The benchmarks I've done also come out favorable for Ed25519: keypair
generation is at least twice as fast as Curve25519, which is important for
ephemeral key exchange (you want one new keypair per connection), and ECDH is
30% faster. Since the primitive operations are all multiplications and
additions mod 2^255-19, this speed advantage is independent of how you
implement the primitives.
HSM support for crypto protocols should at least do the signing of ephemeral
keypairs, because that's done with a long-lived key. Actually, for net2o, I
don't use signing, I use another DH exchange with the permanent pubkeys, and
create the session key out of both DHE results - I've done this, because at
that time, the signing algorithm based on Curve25519 wasn't ready.
The newer curves from DJB are all Edwards-only for good reasons. So dropping
the Montgomery Curve25519 in favor of Ed25519 is a good idea. But that's not
what they suggest here ;-).
--
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
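The net2o-style exchange Bernd describes above (an ephemeral-ephemeral DH plus a second DH between the permanent public keys, with the session key derived from both results) as an added example. This is not net2o's code and not Bernd's; the X25519 ladder is written from RFC 7748 and the vectors in it are the RFC's section 6.1 test vectors. The HKDF-SHA256 derivation, the transcript layout, the `session_key` signature and the other function names are assumptions made here for illustration, not net2o's actual key schedule.

```python
"""Double-DH session key over X25519: illustration, not net2o's code."""
import hashlib
import hmac
import os

P = 2**255 - 19          # the Curve25519 field prime
A24 = 121665             # (A - 2) / 4 for Curve25519's A = 486662
BASEPOINT = (9).to_bytes(32, "little")

# RFC 7748 section 6.1 test vectors (Alice/Bob Diffie-Hellman).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def _clamp(k: bytes) -> int:
    """RFC 7748 scalar decoding: clear bits 0-2 and 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder on the u-coordinate (RFC 7748 section 5).

    Plain Python integers: correct for checking vectors, but not
    constant-time, so not something to ship.
    """
    n = _clamp(k)
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    """Fresh X25519 keypair (used for both the permanent and ephemeral keys here)."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def _hkdf_sha256(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """Assumed KDF for this example: one-block HKDF-Extract/Expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def session_key(my_static: bytes, my_eph: bytes,
                peer_static_pub: bytes, peer_eph_pub: bytes,
                transcript: bytes) -> bytes:
    """Derive the session key from both DH results, as in the mail above.

    ee: ephemeral-ephemeral DH (forward secrecy, one new keypair per connection)
    ss: DH between the permanent public keys (authentication, no signature needed)
    """
    ee = x25519(my_eph, peer_eph_pub)
    ss = x25519(my_static, peer_static_pub)
    for secret in (ee, ss):
        # RFC 7748 section 6.1: an all-zero output means the peer sent a
        # low-order point; refuse rather than derive a key an attacker knows.
        if secret == bytes(32):
            raise ValueError("low-order peer point rejected")
    return _hkdf_sha256(ee + ss, salt=b"double-dh-example", info=transcript)


def demo_double_dh():
    """Run the exchange from both sides; returns (initiator key, responder key)."""
    a_s, A_s = keypair()   # initiator: permanent and ephemeral keys
    a_e, A_e = keypair()
    b_s, B_s = keypair()   # responder
    b_e, B_e = keypair()
    transcript = A_s + A_e + B_s + B_e   # assumed canonical order: initiator first
    ka = session_key(a_s, a_e, B_s, B_e, transcript)
    kb = session_key(b_s, b_e, A_s, A_e, transcript)
    return ka, kb


def rfc7748_check() -> bool:
    """True when the ladder reproduces the RFC 7748 section 6.1 vectors."""
    return (x25519(ALICE_PRIV, BASEPOINT) == ALICE_PUB
            and x25519(BOB_PRIV, BASEPOINT) == BOB_PUB
            and x25519(ALICE_PRIV, BOB_PUB) == SHARED
            and x25519(BOB_PRIV, ALICE_PUB) == SHARED)


def rejects_low_order() -> bool:
    """True when an all-zero peer point (u = 0, order 2) makes session_key refuse."""
    try:
        session_key(ALICE_PRIV, BOB_PRIV, bytes(32), BOB_PUB, b"")
    except ValueError:
        return True
    return False
```

Both sides feed the same two DH outputs into the KDF because ee and ss are symmetric, so the concatenation order is fixed without negotiation; only the transcript needs an agreed order. The all-zero check is the one RFC 7748 recommends for peers that send low-order points, and is the caveat a reviewer would look for in any implementation of this scheme.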