[Cryptech Tech] Regarding Curve25519 and IETF

Peter Schwabe peter at cryptojedi.org
Wed Dec 17 08:51:01 UTC 2014


Bernd Paysan <bernd at net2o.de> wrote:

Good morning,

I just read the message on Curve25519 and Ed25519 and thought I'd
throw in my 2 cents.

> So the thing I would propose for standardization is to use Ed25519
> both for signature and for ECDH, having only one form for both
> purposes is a good idea - you don't have to implement the basics
> twice, and if you like to, you can use your pubkey both for signing
> and encryption.

Using the same key pair for signing and for encryption is not
necessarily secure. Dan, Tanja (both in CC), and I are planning to
investigate this in more detail and come up with a solution that
supports one key for both encryption and signing in a secure way. You
might want to wait until we're done with this.

> Pubkeys usually are signature keys, so nobody with a sane protocol
> (where only signature keys are permanent) should have a problem with
> that.
>
> The benchmarks I've done also come out favorable for Ed25519: keypair
> generation is at least twice as fast as Curve25519, which is
> important for ephemeral key exchange (you want one new keypair per
> connection), and ECDH is 30% faster.

Well, only if you don't re-use ephemeral keys for a short time (for a
discussion, see [1, Appendix D]). Curve25519 is still conceptually
easier (no decompression needed etc.) and the overhead of implementing
both is negligible because the field arithmetic is shared.

> HSM support for crypto protocols should at least do the signing of
> ephemeral keypairs, because that's done with a long-lived key.
> Actually, for net2o, I don't use signing, I use another DH exchange
> with the permanent pubkeys, and create the session key out of both
> DHE results - I've done this, because at that time, the signing
> algorithm based on Curve25519 wasn't ready.

> The newer curves from DJB are all Edwards-only for good reasons. So
> dropping the Montgomery Curve25519 in favor of Ed25519 is a good
> idea. But that's not what they suggest here ;-).

Maybe Dan wants to comment here, but I have never heard him say that you
should scrap Curve25519 and just use Ed25519 for DH.

Cheers,

Peter


[1] Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and
    Peter Schwabe: "Kummer strikes back: new DH speed records."
    http://cryptojedi.org/papers/#kummer
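The point in the reply above that "the field arithmetic is shared" and that Curve25519 "needs no decompression" can be made concrete. The following is an added illustration, not code from the thread, net2o or any of the participants: a plain-Python X25519 Montgomery ladder (RFC 7748) and Ed25519 key generation (RFC 8032) built on one GF(2^255-19) helper set, plus the birational map u = (1+y)/(1-y) that turns an Ed25519 public key into the Curve25519 u-coordinate of the same point. Running it shows that X25519 on the hashed-and-clamped Ed25519 scalar yields exactly the converted Ed25519 public key, which is the mechanical sense in which "one keypair for both" is possible; it says nothing about whether that reuse is safe, which is the open question Peter raises. The demo() function and the RFC test vectors embedded below are assumptions of this example, not part of the original message; the non-constant-time big-integer arithmetic is for illustration only.

```python
import hashlib

# Both curves are defined over the same field GF(p), p = 2^255 - 19.
P = 2**255 - 19
MASK255 = (1 << 255) - 1


def f_inv(x):
    """Field inverse via Fermat's little theorem (demo only, not constant time)."""
    return pow(x, P - 2, P)


def clamp(k):
    """RFC 7748 / RFC 8032 scalar clamping: clear bits 0-2 and 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


# ---- Curve25519, Montgomery form v^2 = u^3 + 486662 u^2 + u: x-only ladder ----
A24 = 121665  # (486662 - 2) / 4

def x25519(scalar, u_bytes):
    """X25519(k, u) per RFC 7748: works on u alone, so no point decompression."""
    k = clamp(scalar)
    u = int.from_bytes(u_bytes, "little") & MASK255
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * f_inv(z2) % P).to_bytes(32, "little")

X25519_BASE = (9).to_bytes(32, "little")


# ---- Ed25519, twisted Edwards form -x^2 + y^2 = 1 + d x^2 y^2 ----
D = (-121665 * f_inv(121666)) % P

def recover_x(y, sign):
    """Point decompression (RFC 8032 5.1.3): the step the Montgomery ladder avoids."""
    x2 = (y * y - 1) * f_inv(D * y * y + 1) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P  # multiply by sqrt(-1)
    if (x * x - x2) % P:
        raise ValueError("not a curve point")
    return P - x if (x & 1) != sign else x

B_Y = 4 * f_inv(5) % P
B_X = recover_x(B_Y, 0)
ED_BASE = (B_X, B_Y, 1, B_X * B_Y % P)  # extended coordinates (X, Y, Z, T)

def ed_add(p, q):
    """Unified addition in extended coordinates (RFC 8032 5.1.4); doubles as well."""
    x1, y1, z1, t1 = p
    x2, y2, z2, t2 = q
    a = (y1 - x1) * (y2 - x2) % P
    b = (y1 + x1) * (y2 + x2) % P
    c = 2 * D * t1 * t2 % P
    d = 2 * z1 * z2 % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def ed_mul(k, pt):
    r = (0, 1, 1, 0)  # neutral element
    while k:
        if k & 1:
            r = ed_add(r, pt)
        pt = ed_add(pt, pt)
        k >>= 1
    return r

def ed_encode(pt):
    x, y, z, _ = pt
    zi = f_inv(z)
    x, y = x * zi % P, y * zi % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def ed25519_pubkey(seed):
    """RFC 8032 key generation: a = clamp(SHA-512(seed)[:32]), A = a*B."""
    a = clamp(hashlib.sha512(seed).digest()[:32])
    return ed_encode(ed_mul(a, ED_BASE))


# ---- The map between the two forms (what libsodium's pk_to_curve25519 does) ----
def ed_pk_to_x25519_pk(pk):
    """Edwards y -> Montgomery u = (1 + y) / (1 - y); the x sign bit is dropped."""
    y = int.from_bytes(pk, "little") & MASK255
    return ((1 + y) * f_inv(1 - y) % P).to_bytes(32, "little")

def ed_seed_to_x25519_sk(seed):
    """The hashed Ed25519 scalar, before clamping, reused as an X25519 private key."""
    return hashlib.sha512(seed).digest()[:32]

def demo(seed):
    """Returns (Ed25519 pk, X25519 pk from the same scalar, converted Ed25519 pk)."""
    ed_pk = ed25519_pubkey(seed)
    x_pk = x25519(ed_seed_to_x25519_sk(seed), X25519_BASE)
    return ed_pk, x_pk, ed_pk_to_x25519_pk(ed_pk)
```

Every routine above reduces to the same handful of field operations (mul, square, inverse), which is why implementing both forms costs little beyond the ladder and the Edwards formulas themselves; the only code the Edwards side needs and the Montgomery side does not is recover_x.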