[Cryptech Tech] Regarding Curve25519 and IETF

Peter Schwabe peter at cryptojedi.org
Wed Dec 17 08:49:53 UTC 2014


Bernd Paysan <bernd at net2o.de> wrote:

Good morning,

I just read the message on Curve25519 and Ed25519 and thought I would
throw in my 2 cents.

> So the thing I would propose for standardization is to use Ed25519 both for 
> signature and for ECDH, having only one form for both purposes is a good idea 
> - you don't have to implement the basics twice, and if you like to, you can 
> use your pubkey both for signing and encryption. 

Using the same key pair for signing and for encryption is not
necessarily secure. Dan, Tanja (both in CC), and I are planning to
investigate this in more detail and come up with a solution that
supports one key for both encryption and signing in a secure way. You
might want to wait until we're done with this.

> Pubkeys usually are signature keys, so nobody with a sane protocol
> (where only signature keys are permanent) should have a problem with
> that.
> 
> The benchmarks I've done also come out favorable for Ed25519: keypair
> generation is at least twice as fast as Curve25519, which is important for
> ephemeral key exchange (you want one new keypair per connection), and ECDH is
> 30% faster.

Well, only if you don't re-use ephemeral keys for a short time (for a
discussion, see [1, Appendix D]). Curve25519 is still conceptually easier
(no decompression needed etc.) and the overhead of implementing both is
negligible because the field arithmetic is shared.

> HSM support for crypto protocols should at least do the signing of ephemeral 
> keypairs, because that's done with a long-lived key.  Actually, for net2o, I 
> don't use signing, I use another DH exchange with the permanent pubkeys, and 
> create the session key out of both DHE results - I've done this, because at 
> that time, the signing algorithm based on Curve25519 wasn't ready.

> The newer curves from DJB are all Edwards-only for good reasons.  So dropping
> the Montgomery Curve25519 in favor of Ed25519 is a good idea.  But that's not
> what they suggest here ;-).

Maybe Dan wants to comment here, but I have never heard him say that you
should scrap Curve25519 and just use Ed25519 for DH. 

Cheers,

Peter


[1] Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and
    Peter Schwabe: "Kummer strikes back: new DH speed records."
    http://cryptojedi.org/papers/#kummer
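
Added example (editor's code, not from this thread or from anyone named in
it): a reference-speed Python sketch of the two points Peter makes above,
that Curve25519 and Ed25519 live over the same field GF(2^255-19) and share
their field arithmetic, and that X25519 needs no point decompression while an
Ed25519 public key must recover x by a square root. It also shows the
birational map u = (1+y)/(1-y) between the twisted Edwards and Montgomery
forms, so the clamped Ed25519 scalar drives the X25519 ladder to the same u
(this is what libsodium's crypto_sign_ed25519_pk_to_curve25519 computes).
Constants and test vectors are from RFC 8032 and RFC 7748; the seed in the
demo is RFC 8032 test 1. The code is affine, not constant-time, and says
nothing about whether using one key pair for both purposes is safe, which is
exactly the question left open in the reply above.

```python
"""Curve25519 (Montgomery) and Ed25519 (twisted Edwards) over the same field.

Added example, not code from the thread's authors. Reference speed only:
affine arithmetic, Python big ints, no constant-time guarantees.
"""
import hashlib

P = 2**255 - 19                                   # field shared by both curves
MASK255 = (1 << 255) - 1

def inv(x):
    """Modular inverse via Fermat; the one field op both curves build on."""
    return pow(x, P - 2, P)

# Ed25519: -x^2 + y^2 = 1 + d x^2 y^2 (RFC 8032, section 5.1)
D = (-121665 * inv(121666)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)                 # sqrt(-1); p = 5 mod 8
B_Y = (4 * inv(5)) % P                            # base point y = 4/5
B_X = 15112221349535400772501151409588531511454012693041857206046113283949847762202
ED_BASE = (B_X, B_Y)

def ed_add(p1, p2):
    """Unified affine twisted-Edwards addition (complete law, so it also doubles)."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 % P * y1 % P * y2 % P
    x3 = (x1 * y2 + x2 * y1) * inv((1 + t) % P) % P
    y3 = (y1 * y2 + x1 * x2) * inv((1 - t) % P) % P
    return x3, y3

def ed_mul(k, pt):
    """Plain double-and-add, MSB first, starting from the neutral element."""
    acc = (0, 1)
    for bit in bin(k)[2:]:
        acc = ed_add(acc, acc)
        if bit == "1":
            acc = ed_add(acc, pt)
    return acc

def ed_encode(pt):
    """Compress to 32 bytes: 255 bits of y plus the parity of x in the top bit."""
    x, y = pt
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def ed_decode(b):
    """Decompress: recover x from y by a square root. This is the step that
    x-only Montgomery arithmetic never needs."""
    n = int.from_bytes(b, "little")
    sign, y = n >> 255, n & MASK255
    if y >= P:
        raise ValueError("y out of range")
    y2 = y * y % P
    x2 = (y2 - 1) * inv((D * y2 + 1) % P) % P      # x^2 = (y^2 - 1) / (d y^2 + 1)
    x = pow(x2, (P + 3) // 8, P)                  # candidate root for p = 5 mod 8
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P                       # other candidate
    if (x * x - x2) % P:
        raise ValueError("not on curve")
    if x == 0 and sign:
        raise ValueError("bad sign bit")
    if (x & 1) != sign:
        x = P - x
    return x, y

def clamp(k32):
    """Identical scalar clamping for Ed25519 secret scalars and X25519 keys."""
    k = bytearray(k32)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)

def ed25519_secret_scalar(seed):
    return clamp(hashlib.sha512(seed).digest()[:32])

def ed25519_public_key(seed):
    a = int.from_bytes(ed25519_secret_scalar(seed), "little")
    return ed_encode(ed_mul(a, ED_BASE))

def x25519(k32, u32):
    """RFC 7748 Montgomery ladder on u alone: no y, no square root, no decoding."""
    k = int.from_bytes(clamp(k32), "little")
    x1 = int.from_bytes(u32, "little") & MASK255
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                                  # plain branch; reference code, not constant time
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, dd = (x3 + z3) % P, (x3 - z3) % P
        da, cb = dd * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * inv(z2) % P).to_bytes(32, "little")

def ed25519_pk_to_x25519(pk):
    """Birational map Edwards -> Montgomery: u = (1 + y) / (1 - y)."""
    _, y = ed_decode(pk)
    return ((1 + y) * inv((1 - y) % P) % P).to_bytes(32, "little")

def same_point_both_ways(seed):
    """Return (Ed25519 pk, u via the map, u via the ladder); the last two agree."""
    pk = ed25519_public_key(seed)
    via_map = ed25519_pk_to_x25519(pk)
    via_ladder = x25519(ed25519_secret_scalar(seed), (9).to_bytes(32, "little"))
    return pk, via_map, via_ladder

if __name__ == "__main__":
    seed = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    pk, m, l = same_point_both_ways(seed)
    print(pk.hex(), m == l)
```

Running it takes a moment because every affine addition pays two field
inversions; that is the price of keeping the formulas readable. The point to
take away is that the same scalar lands on the same group element whether you
walk the Edwards curve or the Montgomery ladder, so sharing one key pair
between Ed25519 and X25519 is mechanically trivial, and the only reason not
to do it is the open security question, not the arithmetic.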

