Horizontal PDF Slides

1 2 The first 10 years of Curve25519 Abstract: “This paper explains the design and implementation Daniel J. Bernstein of a high-security elliptic-curve- University of Illinois at Chicago & Diffie-Hellman function Technische Universiteit Eindhoven achieving record-setting speeds: e.g., 832457 Pentium III cycles 2005.05.19: Seminar talk; (with several side benefits: design+software close to done. free key compression, free key validation, and state-of-the-art 2005.09.15: Software online. timing-attack protection), 2005.09.20: Invited talk at ECC. more than twice as fast as other authors’ results at the same 2005.11.15: Paper online; conjectured security level (with submitted to PKC 2006. or without the side benefits).” 1 2 3 The first 10 years of Curve25519 Abstract: “This paper explains Elliptic-curve computations the design and implementation Daniel J. Bernstein of a high-security elliptic-curve- University of Illinois at Chicago & Diffie-Hellman function Technische Universiteit Eindhoven achieving record-setting speeds: e.g., 832457 Pentium III cycles 2005.05.19: Seminar talk; (with several side benefits: design+software close to done. free key compression, free key validation, and state-of-the-art 2005.09.15: Software online. timing-attack protection), 2005.09.20: Invited talk at ECC. more than twice as fast as other authors’ results at the same 2005.11.15: Paper online; conjectured security level (with submitted to PKC 2006. or without the side benefits).” 1 2 3 The first 10 years of Curve25519 Abstract: “This paper explains Elliptic-curve computations the design and implementation Daniel J. Bernstein of a high-security elliptic-curve- University of Illinois at Chicago & Diffie-Hellman function Technische Universiteit Eindhoven achieving record-setting speeds: e.g., 832457 Pentium III cycles 2005.05.19: Seminar talk; (with several side benefits: design+software close to done. free key compression, free key validation, and state-of-the-art 2005.09.15: Software online. timing-attack protection), 2005.09.20: Invited talk at ECC. more than twice as fast as other authors’ results at the same 2005.11.15: Paper online; conjectured security level (with submitted to PKC 2006. or without the side benefits).” 1 2 3 The first 10 years of Curve25519 Abstract: “This paper explains Elliptic-curve computations the design and implementation Daniel J. Bernstein of a high-security elliptic-curve- University of Illinois at Chicago & Diffie-Hellman function Technische Universiteit Eindhoven achieving record-setting speeds: e.g., 832457 Pentium III cycles 2005.05.19: Seminar talk; (with several side benefits: design+software close to done. free key compression, free key validation, and state-of-the-art 2005.09.15: Software online. timing-attack protection), 2005.09.20: Invited talk at ECC. more than twice as fast as other authors’ results at the same 2005.11.15: Paper online; conjectured security level (with submitted to PKC 2006. or without the side benefits).” 2 3 Abstract: “This paper explains Elliptic-curve computations the design and implementation of a high-security elliptic-curve- Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and state-of-the-art timing-attack protection), more than twice as fast as other authors’ results at the same conjectured security level (with or without the side benefits).” 2 3 4 Abstract: “This paper explains Elliptic-curve computations 1987 (distributed 1984) Lenstra: the design and implementation ECM, the elliptic-curve method of a high-security elliptic-curve- of factoring integers. Diffie-Hellman function 1985 Bosma, 1986 Goldwasser– achieving record-setting speeds: Kilian, 1986 Chudnovsky– e.g., 832457 Pentium III cycles Chudnovsky, 1988 Atkin: ECPP, (with several side benefits: elliptic-curve primality proving. free key compression, free key validation, and state-of-the-art 1985/6 (distributed 1984) Miller, timing-attack protection), and independently more than twice as fast as other 1987 (distributed 1984) Koblitz: authors’ results at the same ECC—use elliptic curves in DH conjectured security level (with to avoid index-calculus attacks. or without the side benefits).” 2 3 4 Abstract: “This paper explains Elliptic-curve computations 1987 (distributed 1984) Lenstra: the design and implementation ECM, the elliptic-curve method of a high-security elliptic-curve- of factoring integers. Diffie-Hellman function 1985 Bosma, 1986 Goldwasser– achieving record-setting speeds: Kilian, 1986 Chudnovsky– e.g., 832457 Pentium III cycles Chudnovsky, 1988 Atkin: ECPP, (with several side benefits: elliptic-curve primality proving. free key compression, free key validation, and state-of-the-art 1985/6 (distributed 1984) Miller, timing-attack protection), and independently more than twice as fast as other 1987 (distributed 1984) Koblitz: authors’ results at the same ECC—use elliptic curves in DH conjectured security level (with to avoid index-calculus attacks. or without the side benefits).” 2 3 4 Abstract: “This paper explains Elliptic-curve computations 1987 (distributed 1984) Lenstra: the design and implementation ECM, the elliptic-curve method of a high-security elliptic-curve- of factoring integers. Diffie-Hellman function 1985 Bosma, 1986 Goldwasser– achieving record-setting speeds: Kilian, 1986 Chudnovsky– e.g., 832457 Pentium III cycles Chudnovsky, 1988 Atkin: ECPP, (with several side benefits: elliptic-curve primality proving. free key compression, free key validation, and state-of-the-art 1985/6 (distributed 1984) Miller, timing-attack protection), and independently more than twice as fast as other 1987 (distributed 1984) Koblitz: authors’ results at the same ECC—use elliptic curves in DH conjectured security level (with to avoid index-calculus attacks. or without the side benefits).” 3 4 Elliptic-curve computations 1987 (distributed 1984) Lenstra: ECM, the elliptic-curve method of factoring integers. 1985 Bosma, 1986 Goldwasser– Kilian, 1986 Chudnovsky– Chudnovsky, 1988 Atkin: ECPP, elliptic-curve primality proving. 1985/6 (distributed 1984) Miller, and independently 1987 (distributed 1984) Koblitz: ECC—use elliptic curves in DH to avoid index-calculus attacks. 3 4 5 Elliptic-curve computations 1987 (distributed 1984) Lenstra: 1986 Chudnovsky–Chudnovsky, ECM, the elliptic-curve method for ECM+ECPP: analyze several of factoring integers. ways to represent elliptic curves; optimize # field operations. 1985 Bosma, 1986 Goldwasser– Kilian, 1986 Chudnovsky– Chudnovsky, 1988 Atkin: ECPP, elliptic-curve primality proving. 1985/6 (distributed 1984) Miller, and independently 1987 (distributed 1984) Koblitz: ECC—use elliptic curves in DH to avoid index-calculus attacks. 3 4 5 Elliptic-curve computations 1987 (distributed 1984) Lenstra: 1986 Chudnovsky–Chudnovsky, ECM, the elliptic-curve method for ECM+ECPP: analyze several of factoring integers. ways to represent elliptic curves; optimize # field operations. 1985 Bosma, 1986 Goldwasser– Kilian, 1986 Chudnovsky– Chudnovsky, 1988 Atkin: ECPP, elliptic-curve primality proving. 1985/6 (distributed 1984) Miller, and independently 1987 (distributed 1984) Koblitz: ECC—use elliptic curves in DH to avoid index-calculus attacks. 3 4 5 Elliptic-curve computations 1987 (distributed 1984) Lenstra: 1986 Chudnovsky–Chudnovsky, ECM, the elliptic-curve method for ECM+ECPP: analyze several of factoring integers. ways to represent elliptic curves; optimize # field operations. 1985 Bosma, 1986 Goldwasser– Kilian, 1986 Chudnovsky– Chudnovsky, 1988 Atkin: ECPP, elliptic-curve primality proving. 1985/6 (distributed 1984) Miller, and independently 1987 (distributed 1984) Koblitz: ECC—use elliptic curves in DH to avoid index-calculus attacks. 4 5 1987 (distributed 1984) Lenstra: 1986 Chudnovsky–Chudnovsky, ECM, the elliptic-curve method for ECM+ECPP: analyze several of factoring integers. ways to represent elliptic curves; optimize # field operations. 1985 Bosma, 1986 Goldwasser– Kilian, 1986 Chudnovsky– Chudnovsky, 1988 Atkin: ECPP, elliptic-curve primality proving. 1985/6 (distributed 1984) Miller, and independently 1987 (distributed 1984) Koblitz: ECC—use elliptic curves in DH to avoid index-calculus attacks. 4 5 1987 (distributed 1984) Lenstra: 1986 Chudnovsky–Chudnovsky, ECM, the elliptic-curve method for ECM+ECPP: analyze several of factoring integers. ways to represent elliptic curves; optimize # field operations. 1985 Bosma, 1986 Goldwasser– Kilian, 1986 Chudnovsky– 1987 Montgomery, for ECM: Chudnovsky, 1988 Atkin: ECPP, best speed from y 2 = x3+Ax2+x, elliptic-curve primality proving. preferably with (A − 2)=4 small. 1985/6 (distributed 1984) Miller, and independently 1987 (distributed 1984) Koblitz: ECC—use elliptic curves in DH to avoid index-calculus attacks. 4 5 1987 (distributed 1984) Lenstra: 1986 Chudnovsky–Chudnovsky, ECM, the elliptic-curve method for ECM+ECPP: analyze several of factoring integers. ways to represent elliptic curves; optimize # field operations. 1985 Bosma, 1986 Goldwasser– Kilian, 1986 Chudnovsky– 1987 Montgomery, for ECM: Chudnovsky, 1988 Atkin: ECPP, best speed from y 2 = x3+Ax2+x, elliptic-curve primality proving. preferably with (A − 2)=4 small. 1985/6 (distributed 1984) Miller, Late 1990s: ANSI/IEEE/NIST and independently standards specify y 2 = x3 −3x +b 1987 (distributed 1984) Koblitz: in Jacobian coordinates, ECC—use elliptic curves in DH citing Chudnovsky–Chudnovsky. to avoid index-calculus attacks. Alleged motivation: “the fastest arithmetic on elliptic curves”. 4 5 6 1987 (distributed 1984) Lenstra: 1986 Chudnovsky–Chudnovsky, Did Chudnovsky and Chudnovsky ECM, the elliptic-curve method for ECM+ECPP: analyze several actually recommend this? of factoring integers. ways to represent elliptic curves; What about Montgomery? optimize # field operations. What about papers after 1987? 1985 Bosma, 1986 Goldwasser– Kilian, 1986 Chudnovsky– 1987 Montgomery, for ECM: Chudnovsky, 1988 Atkin: ECPP, best speed from y 2 = x3+Ax2+x, elliptic-curve primality proving. preferably with (A − 2)=4 small. 1985/6 (distributed 1984) Miller, Late 1990s: ANSI/IEEE/NIST and independently standards specify y 2 = x3 −3x +b 1987 (distributed 1984) Koblitz: in Jacobian coordinates, ECC—use elliptic curves in DH citing Chudnovsky–Chudnovsky. to avoid index-calculus attacks. Alleged motivation: “the fastest arithmetic on elliptic curves”. 4 5 6 1987 (distributed 1984) Lenstra: 1986 Chudnovsky–Chudnovsky, Did Chudnovsky and Chudnovsky ECM, the elliptic-curve method for ECM+ECPP: analyze several actually recommend this? of factoring integers. ways to represent elliptic curves; What about Montgomery? optimize # field operations. What about papers after 1987? 1985 Bosma, 1986 Goldwasser– Kilian, 1986 Chudnovsky– 1987 Montgomery, for ECM: Chudnovsky, 1988 Atkin: ECPP, best speed from y 2 = x3+Ax2+x, elliptic-curve primality proving. preferably with (A − 2)=4 small. 1985/6 (distributed 1984) Miller, Late 1990s: ANSI/IEEE/NIST and independently standards specify y 2 = x3 −3x +b 1987 (distributed 1984) Koblitz: in Jacobian coordinates, ECC—use elliptic curves in DH citing Chudnovsky–Chudnovsky. to avoid index-calculus attacks. Alleged motivation: “the fastest arithmetic on elliptic curves”. 4 5 6 1987 (distributed 1984) Lenstra: 1986 Chudnovsky–Chudnovsky, Did Chudnovsky and Chudnovsky ECM, the elliptic-curve method for ECM+ECPP: analyze several actually recommend this? of factoring integers. ways to represent elliptic curves; What about Montgomery? optimize # field operations. What about papers after 1987? 1985 Bosma, 1986 Goldwasser– Kilian, 1986 Chudnovsky– 1987 Montgomery, for ECM: Chudnovsky, 1988 Atkin: ECPP, best speed from y 2 = x3+Ax2+x, elliptic-curve primality proving. preferably with (A − 2)=4 small. 1985/6 (distributed 1984) Miller, Late 1990s: ANSI/IEEE/NIST and independently standards specify y 2 = x3 −3x +b 1987 (distributed 1984) Koblitz: in Jacobian coordinates, ECC—use elliptic curves in DH citing Chudnovsky–Chudnovsky. to avoid index-calculus attacks. Alleged motivation: “the fastest arithmetic on elliptic curves”. 5 6 1986 Chudnovsky–Chudnovsky, Did Chudnovsky and Chudnovsky for ECM+ECPP: analyze several actually recommend this? ways to represent elliptic curves; What about Montgomery? optimize # field operations. What about papers after 1987? 1987 Montgomery, for ECM: best speed from y 2 = x3+Ax2+x, preferably with (A − 2)=4 small. Late 1990s: ANSI/IEEE/NIST standards specify y 2 = x3 −3x +b in Jacobian coordinates, citing Chudnovsky–Chudnovsky. Alleged motivation: “the fastest arithmetic on elliptic curves”. 5 6 1986 Chudnovsky–Chudnovsky, Did Chudnovsky and Chudnovsky for ECM+ECPP: analyze several actually recommend this? ways to represent elliptic curves; What about Montgomery? optimize # field operations. What about papers after 1987? 1987 Montgomery, for ECM: Analyze all known options best speed from y 2 = x3+Ax2+x, for computing n; P 7→ nP preferably with (A − 2)=4 small. on conservative elliptic curves. Montgomery ladder is the fastest. Late 1990s: ANSI/IEEE/NIST standards specify y 2 = x3 −3x +b in Jacobian coordinates, citing Chudnovsky–Chudnovsky. Alleged motivation: “the fastest arithmetic on elliptic curves”. 5 6 1986 Chudnovsky–Chudnovsky, Did Chudnovsky and Chudnovsky for ECM+ECPP: analyze several actually recommend this? ways to represent elliptic curves; What about Montgomery? optimize # field operations. What about papers after 1987? 1987 Montgomery, for ECM: Analyze all known options best speed from y 2 = x3+Ax2+x, for computing n; P 7→ nP preferably with (A − 2)=4 small. on conservative elliptic curves. Montgomery ladder is the fastest. Late 1990s: ANSI/IEEE/NIST standards specify y 2 = x3 −3x +b Problem: Elliptic-curve formulas in Jacobian coordinates, always have exceptional cases. citing Chudnovsky–Chudnovsky. Montgomery derives formulas for Alleged motivation: “the fastest generic inputs; for crypto we need arithmetic on elliptic curves”. algorithms that always work. 5 6 7 1986 Chudnovsky–Chudnovsky, Did Chudnovsky and Chudnovsky for ECM+ECPP: analyze several actually recommend this? ways to represent elliptic curves; What about Montgomery? optimize # field operations. What about papers after 1987? 1987 Montgomery, for ECM: Analyze all known options best speed from y 2 = x3+Ax2+x, for computing n; P 7→ nP preferably with (A − 2)=4 small. on conservative elliptic curves. Montgomery ladder is the fastest. Late 1990s: ANSI/IEEE/NIST standards specify y 2 = x3 −3x +b Problem: Elliptic-curve formulas in Jacobian coordinates, always have exceptional cases. citing Chudnovsky–Chudnovsky. Montgomery derives formulas for Alleged motivation: “the fastest generic inputs; for crypto we need arithmetic on elliptic curves”. algorithms that always work. 5 6 7 1986 Chudnovsky–Chudnovsky, Did Chudnovsky and Chudnovsky for ECM+ECPP: analyze several actually recommend this? ways to represent elliptic curves; What about Montgomery? optimize # field operations. What about papers after 1987? 1987 Montgomery, for ECM: Analyze all known options best speed from y 2 = x3+Ax2+x, for computing n; P 7→ nP preferably with (A − 2)=4 small. on conservative elliptic curves. Montgomery ladder is the fastest. Late 1990s: ANSI/IEEE/NIST standards specify y 2 = x3 −3x +b Problem: Elliptic-curve formulas in Jacobian coordinates, always have exceptional cases. citing Chudnovsky–Chudnovsky. Montgomery derives formulas for Alleged motivation: “the fastest generic inputs; for crypto we need arithmetic on elliptic curves”. algorithms that always work. 5 6 7 1986 Chudnovsky–Chudnovsky, Did Chudnovsky and Chudnovsky for ECM+ECPP: analyze several actually recommend this? ways to represent elliptic curves; What about Montgomery? optimize # field operations. What about papers after 1987? 1987 Montgomery, for ECM: Analyze all known options best speed from y 2 = x3+Ax2+x, for computing n; P 7→ nP preferably with (A − 2)=4 small. on conservative elliptic curves. Montgomery ladder is the fastest. Late 1990s: ANSI/IEEE/NIST standards specify y 2 = x3 −3x +b Problem: Elliptic-curve formulas in Jacobian coordinates, always have exceptional cases. citing Chudnovsky–Chudnovsky. Montgomery derives formulas for Alleged motivation: “the fastest generic inputs; for crypto we need arithmetic on elliptic curves”. algorithms that always work. 6 7 Did Chudnovsky and Chudnovsky actually recommend this? What about Montgomery? What about papers after 1987? Analyze all known options for computing n; P 7→ nP on conservative elliptic curves. Montgomery ladder is the fastest.

Problem: Elliptic-curve formulas always have exceptional cases. Montgomery derives formulas for generic inputs; for crypto we need algorithms that always work. 6 7 8 Did Chudnovsky and Chudnovsky But wait, it’s worse! actually recommend this? Crypto 1996 Kocher: What about Montgomery? secret branches aﬀect timing; What about papers after 1987? this leaks your secret key. Analyze all known options for computing n; P 7→ nP on conservative elliptic curves. Montgomery ladder is the fastest.

Problem: Elliptic-curve formulas always have exceptional cases. Montgomery derives formulas for generic inputs; for crypto we need algorithms that always work. 7 8 But wait, it’s worse! Crypto 1996 Kocher: secret branches aﬀect timing; this leaks your secret key. 7 8 But wait, it’s worse! Crypto 1996 Kocher: secret branches aﬀect timing; this leaks your secret key.

Briefly mentioned by Kocher and by ESORICS 1998 Kelsey– Schneier–Wagner–Hall: secret array indices can affect timing via cache misses. 2002 Page, CHES 2003 Tsunoo– Saito–Suzaki–Shigeri–Miyauchi: timing attacks on DES. 8 9 But wait, it’s worse! “Guaranteed” countermeasure: load entire table into cache. Crypto 1996 Kocher: secret branches affect timing; 2004.11/2005.04 Bernstein: this leaks your secret key. Timing attacks on AES. Countermeasure isn’t safe; Briefly mentioned by Kocher e.g., secret array indices can affect and by ESORICS 1998 Kelsey– timing via cache-bank collisions. Schneier–Wagner–Hall: What is safe: kill all data flow secret array indices can affect from secrets to array indices. timing via cache misses. 2002 Page, CHES 2003 Tsunoo– Saito–Suzaki–Shigeri–Miyauchi: timing attacks on DES. 8 9 But wait, it’s worse! “Guaranteed” countermeasure: load entire table into cache. Crypto 1996 Kocher: secret branches affect timing; 2004.11/2005.04 Bernstein: this leaks your secret key. Timing attacks on AES. Countermeasure isn’t safe; Briefly mentioned by Kocher e.g., secret array indices can affect and by ESORICS 1998 Kelsey– timing via cache-bank collisions. Schneier–Wagner–Hall: What is safe: kill all data flow secret array indices can affect from secrets to array indices. timing via cache misses. 2013 Bernstein–Schwabe 2002 Page, CHES 2003 Tsunoo– “A word of warning”: Saito–Suzaki–Shigeri–Miyauchi: Cheaper countermeasure timing attacks on DES. recommended by Intel isn’t safe. 8 9 10 But wait, it’s worse! “Guaranteed” countermeasure: 2016: OpenSSL didn’t listen. load entire table into cache. Crypto 1996 Kocher: secret branches affect timing; 2004.11/2005.04 Bernstein: this leaks your secret key. Timing attacks on AES. Countermeasure isn’t safe; Briefly mentioned by Kocher e.g., secret array indices can affect and by ESORICS 1998 Kelsey– timing via cache-bank collisions. Schneier–Wagner–Hall: What is safe: kill all data flow secret array indices can affect from secrets to array indices. timing via cache misses. 2013 Bernstein–Schwabe 2002 Page, CHES 2003 Tsunoo– “A word of warning”: Saito–Suzaki–Shigeri–Miyauchi: Cheaper countermeasure timing attacks on DES. recommended by Intel isn’t safe. 8 9 10 But wait, it’s worse! “Guaranteed” countermeasure: 2016: OpenSSL didn’t listen. load entire table into cache. Crypto 1996 Kocher: secret branches affect timing; 2004.11/2005.04 Bernstein: this leaks your secret key. Timing attacks on AES. Countermeasure isn’t safe; Briefly mentioned by Kocher e.g., secret array indices can affect and by ESORICS 1998 Kelsey– timing via cache-bank collisions. Schneier–Wagner–Hall: What is safe: kill all data flow secret array indices can affect from secrets to array indices. timing via cache misses. 2013 Bernstein–Schwabe 2002 Page, CHES 2003 Tsunoo– “A word of warning”: Saito–Suzaki–Shigeri–Miyauchi: Cheaper countermeasure timing attacks on DES. recommended by Intel isn’t safe. 8 9 10 But wait, it’s worse! “Guaranteed” countermeasure: 2016: OpenSSL didn’t listen. load entire table into cache. Crypto 1996 Kocher: secret branches affect timing; 2004.11/2005.04 Bernstein: this leaks your secret key. Timing attacks on AES. Countermeasure isn’t safe; Briefly mentioned by Kocher e.g., secret array indices can affect and by ESORICS 1998 Kelsey– timing via cache-bank collisions. Schneier–Wagner–Hall: What is safe: kill all data flow secret array indices can affect from secrets to array indices. timing via cache misses. 2013 Bernstein–Schwabe 2002 Page, CHES 2003 Tsunoo– “A word of warning”: Saito–Suzaki–Shigeri–Miyauchi: Cheaper countermeasure timing attacks on DES. recommended by Intel isn’t safe. 9 10 “Guaranteed” countermeasure: 2016: OpenSSL didn’t listen. load entire table into cache. 2004.11/2005.04 Bernstein: Timing attacks on AES. Countermeasure isn’t safe; e.g., secret array indices can affect timing via cache-bank collisions. What is safe: kill all data flow from secrets to array indices. 2013 Bernstein–Schwabe “A word of warning”: Cheaper countermeasure recommended by Intel isn’t safe. 9 10 11 “Guaranteed” countermeasure: 2016: OpenSSL didn’t listen. The Curve25519 paper load entire table into cache. Avoid “all input-dependent 2004.11/2005.04 Bernstein: branches, all input-dependent array Timing attacks on AES. indices, and other instructions Countermeasure isn’t safe; with input-dependent timings”. e.g., secret array indices can affect timing via cache-bank collisions. What is safe: kill all data flow from secrets to array indices. 2013 Bernstein–Schwabe “A word of warning”: Cheaper countermeasure recommended by Intel isn’t safe. 9 10 11 “Guaranteed” countermeasure: 2016: OpenSSL didn’t listen. The Curve25519 paper load entire table into cache. Avoid “all input-dependent 2004.11/2005.04 Bernstein: branches, all input-dependent array Timing attacks on AES. indices, and other instructions Countermeasure isn’t safe; with input-dependent timings”. e.g., secret array indices can affect timing via cache-bank collisions. What is safe: kill all data flow from secrets to array indices. 2013 Bernstein–Schwabe “A word of warning”: Cheaper countermeasure recommended by Intel isn’t safe. 9 10 11 “Guaranteed” countermeasure: 2016: OpenSSL didn’t listen. The Curve25519 paper load entire table into cache. Avoid “all input-dependent 2004.11/2005.04 Bernstein: branches, all input-dependent array Timing attacks on AES. indices, and other instructions Countermeasure isn’t safe; with input-dependent timings”. e.g., secret array indices can affect timing via cache-bank collisions. What is safe: kill all data flow from secrets to array indices. 2013 Bernstein–Schwabe “A word of warning”: Cheaper countermeasure recommended by Intel isn’t safe. 10 11 2016: OpenSSL didn’t listen. The Curve25519 paper Avoid “all input-dependent branches, all input-dependent array indices, and other instructions with input-dependent timings”. 10 11 2016: OpenSSL didn’t listen. The Curve25519 paper Avoid “all input-dependent branches, all input-dependent array indices, and other instructions with input-dependent timings”. Choose a curve y 2 = x3 + Ax2 + x where A2 − 4 is not a square. ≈25% of all elliptic curves. 10 11 2016: OpenSSL didn’t listen. The Curve25519 paper Avoid “all input-dependent branches, all input-dependent array indices, and other instructions with input-dependent timings”. Choose a curve y 2 = x3 + Ax2 + x where A2 − 4 is not a square. ≈25% of all elliptic curves.

Deﬁne X0(x; y) = x; X0(∞) = 0. Transmit each point P as X0(P ). 10 11 2016: OpenSSL didn’t listen. The Curve25519 paper Avoid “all input-dependent branches, all input-dependent array indices, and other instructions with input-dependent timings”. Choose a curve y 2 = x3 + Ax2 + x where A2 − 4 is not a square. ≈25% of all elliptic curves.

Deﬁne X0(x; y) = x; X0(∞) = 0. Transmit each point P as X0(P ). Use the Montgomery ladder without any extra tests. 10 11 2016: OpenSSL didn’t listen. The Curve25519 paper Avoid “all input-dependent branches, all input-dependent array indices, and other instructions with input-dependent timings”. Choose a curve y 2 = x3 + Ax2 + x where A2 − 4 is not a square. ≈25% of all elliptic curves.

Deﬁne X0(x; y) = x; X0(∞) = 0. Transmit each point P as X0(P ). Use the Montgomery ladder without any extra tests.

Theorem: Output is X0(nP ). 10 11 12 2016: OpenSSL didn’t listen. The Curve25519 paper x2,z2,x3,z3 = 1,0,x1,1 for i in reversed(range(255)): Avoid “all input-dependent bit = 1 & (n >> i) branches, all input-dependent array x2,x3 = cswap(x2,x3,bit) indices, and other instructions z2,z3 = cswap(z2,z3,bit) with input-dependent timings”. x3,z3 = ((x2*x3-z2*z3)^2, 2 3 2 Choose a curve y = x + Ax + x x1*(x2*z3-z2*x3)^2) 2 where A − 4 is not a square. x2,z2 = ((x2^2-z2^2)^2, ≈25% of all elliptic curves. 4*x2*z2*(x2^2+A*x2*z2+z2^2)) x2,x3 = cswap(x2,x3,bit) Deﬁne X0(x; y) = x; X0(∞) = 0. z2,z3 = cswap(z2,z3,bit) Transmit each point P as X0(P ). return x2*z2^(p-2) Use the Montgomery ladder without any extra tests.

Theorem: Output is X0(nP ). 11 12 The Curve25519 paper x2,z2,x3,z3 = 1,0,x1,1 for i in reversed(range(255)): Avoid “all input-dependent bit = 1 & (n >> i) branches, all input-dependent array x2,x3 = cswap(x2,x3,bit) indices, and other instructions z2,z3 = cswap(z2,z3,bit) with input-dependent timings”. x3,z3 = ((x2*x3-z2*z3)^2, 2 3 2 Choose a curve y = x + Ax + x x1*(x2*z3-z2*x3)^2) 2 where A − 4 is not a square. x2,z2 = ((x2^2-z2^2)^2, ≈25% of all elliptic curves. 4*x2*z2*(x2^2+A*x2*z2+z2^2)) x2,x3 = cswap(x2,x3,bit) Deﬁne X0(x; y) = x; X0(∞) = 0. z2,z3 = cswap(z2,z3,bit) Transmit each point P as X0(P ). return x2*z2^(p-2) Use the Montgomery ladder without any extra tests.

Theorem: Output is X0(nP ). 11 12 13 The Curve25519 paper x2,z2,x3,z3 = 1,0,x1,1 Montgomery has variable #loops, for i in reversed(range(255)): depending on top bit of n. Avoid “all input-dependent bit = 1 & (n >> i) branches, all input-dependent array x2,x3 = cswap(x2,x3,bit) indices, and other instructions z2,z3 = cswap(z2,z3,bit) with input-dependent timings”. x3,z3 = ((x2*x3-z2*z3)^2, 2 3 2 Choose a curve y = x + Ax + x x1*(x2*z3-z2*x3)^2) 2 where A − 4 is not a square. x2,z2 = ((x2^2-z2^2)^2, ≈25% of all elliptic curves. 4*x2*z2*(x2^2+A*x2*z2+z2^2)) x2,x3 = cswap(x2,x3,bit) Deﬁne X0(x; y) = x; X0(∞) = 0. z2,z3 = cswap(z2,z3,bit) Transmit each point P as X0(P ). return x2*z2^(p-2) Use the Montgomery ladder without any extra tests.

Theorem: Output is X0(nP ). 12 13 x2,z2,x3,z3 = 1,0,x1,1 Montgomery has variable #loops, for i in reversed(range(255)): depending on top bit of n. bit = 1 & (n >> i) x2,x3 = cswap(x2,x3,bit) z2,z3 = cswap(z2,z3,bit) x3,z3 = ((x2*x3-z2*z3)^2, x1*(x2*z3-z2*x3)^2) x2,z2 = ((x2^2-z2^2)^2, 4*x2*z2*(x2^2+A*x2*z2+z2^2)) x2,x3 = cswap(x2,x3,bit) z2,z3 = cswap(z2,z3,bit) return x2*z2^(p-2) 12 13 x2,z2,x3,z3 = 1,0,x1,1 Montgomery has variable #loops, for i in reversed(range(255)): depending on top bit of n. bit = 1 & (n >> i) Curve25519: Change initialization x2,x3 = cswap(x2,x3,bit) to allow leading 0 bits. z2,z3 = cswap(z2,z3,bit) Use constant #loops. x3,z3 = ((x2*x3-z2*z3)^2, x1*(x2*z3-z2*x3)^2) x2,z2 = ((x2^2-z2^2)^2, 4*x2*z2*(x2^2+A*x2*z2+z2^2)) x2,x3 = cswap(x2,x3,bit) z2,z3 = cswap(z2,z3,bit) return x2*z2^(p-2) 12 13 x2,z2,x3,z3 = 1,0,x1,1 Montgomery has variable #loops, for i in reversed(range(255)): depending on top bit of n. bit = 1 & (n >> i) Curve25519: Change initialization x2,x3 = cswap(x2,x3,bit) to allow leading 0 bits. z2,z3 = cswap(z2,z3,bit) Use constant #loops. x3,z3 = ((x2*x3-z2*z3)^2, x1*(x2*z3-z2*x3)^2) Also define scalars n x2,z2 = ((x2^2-z2^2)^2, to never have leading 0 bits, 4*x2*z2*(x2^2+A*x2*z2+z2^2)) so original Montgomery ladder x2,x3 = cswap(x2,x3,bit) still takes constant time. z2,z3 = cswap(z2,z3,bit) return x2*z2^(p-2) 12 13 x2,z2,x3,z3 = 1,0,x1,1 Montgomery has variable #loops, for i in reversed(range(255)): depending on top bit of n. bit = 1 & (n >> i) Curve25519: Change initialization x2,x3 = cswap(x2,x3,bit) to allow leading 0 bits. z2,z3 = cswap(z2,z3,bit) Use constant #loops. x3,z3 = ((x2*x3-z2*z3)^2, x1*(x2*z3-z2*x3)^2) Also define scalars n x2,z2 = ((x2^2-z2^2)^2, to never have leading 0 bits, 4*x2*z2*(x2^2+A*x2*z2+z2^2)) so original Montgomery ladder x2,x3 = cswap(x2,x3,bit) still takes constant time. z2,z3 = cswap(z2,z3,bit) Use arithmetic to compute return x2*z2^(p-2) cswap in constant time. 12 13 14 x2,z2,x3,z3 = 1,0,x1,1 Montgomery has variable #loops, “Hey, you forgot to check that for i in reversed(range(255)): depending on top bit of n. the input is on the curve!” bit = 1 & (n >> i) Curve25519: Change initialization x2,x3 = cswap(x2,x3,bit) to allow leading 0 bits. z2,z3 = cswap(z2,z3,bit) Use constant #loops. x3,z3 = ((x2*x3-z2*z3)^2, x1*(x2*z3-z2*x3)^2) Also define scalars n x2,z2 = ((x2^2-z2^2)^2, to never have leading 0 bits, 4*x2*z2*(x2^2+A*x2*z2+z2^2)) so original Montgomery ladder x2,x3 = cswap(x2,x3,bit) still takes constant time. z2,z3 = cswap(z2,z3,bit) Use arithmetic to compute return x2*z2^(p-2) cswap in constant time. 12 13 14 x2,z2,x3,z3 = 1,0,x1,1 Montgomery has variable #loops, “Hey, you forgot to check that for i in reversed(range(255)): depending on top bit of n. the input is on the curve!” bit = 1 & (n >> i) Curve25519: Change initialization x2,x3 = cswap(x2,x3,bit) to allow leading 0 bits. z2,z3 = cswap(z2,z3,bit) Use constant #loops. x3,z3 = ((x2*x3-z2*z3)^2, x1*(x2*z3-z2*x3)^2) Also define scalars n x2,z2 = ((x2^2-z2^2)^2, to never have leading 0 bits, 4*x2*z2*(x2^2+A*x2*z2+z2^2)) so original Montgomery ladder x2,x3 = cswap(x2,x3,bit) still takes constant time. z2,z3 = cswap(z2,z3,bit) Use arithmetic to compute return x2*z2^(p-2) cswap in constant time. 12 13 14 x2,z2,x3,z3 = 1,0,x1,1 Montgomery has variable #loops, “Hey, you forgot to check that for i in reversed(range(255)): depending on top bit of n. the input is on the curve!” bit = 1 & (n >> i) Curve25519: Change initialization x2,x3 = cswap(x2,x3,bit) to allow leading 0 bits. z2,z3 = cswap(z2,z3,bit) Use constant #loops. x3,z3 = ((x2*x3-z2*z3)^2, x1*(x2*z3-z2*x3)^2) Also define scalars n x2,z2 = ((x2^2-z2^2)^2, to never have leading 0 bits, 4*x2*z2*(x2^2+A*x2*z2+z2^2)) so original Montgomery ladder x2,x3 = cswap(x2,x3,bit) still takes constant time. z2,z3 = cswap(z2,z3,bit) Use arithmetic to compute return x2*z2^(p-2) cswap in constant time. 13 14 Montgomery has variable #loops, “Hey, you forgot to check that depending on top bit of n. the input is on the curve!” Curve25519: Change initialization to allow leading 0 bits. Use constant #loops. Also define scalars n to never have leading 0 bits, so original Montgomery ladder still takes constant time. Use arithmetic to compute cswap in constant time. 13 14 Montgomery has variable #loops, “Hey, you forgot to check that depending on top bit of n. the input is on the curve!” Curve25519: Change initialization Conventional wisdom: Important to allow leading 0 bits. to check; otherwise broken by Use constant #loops. Crypto 2000 Biehl–Meyer–Müller. Also define scalars n to never have leading 0 bits, so original Montgomery ladder still takes constant time. Use arithmetic to compute cswap in constant time. 13 14 Montgomery has variable #loops, “Hey, you forgot to check that depending on top bit of n. the input is on the curve!” Curve25519: Change initialization Conventional wisdom: Important to allow leading 0 bits. to check; otherwise broken by Use constant #loops. Crypto 2000 Biehl–Meyer–Müller. Also define scalars n ESORICS 2015 Jager–Schwenk– to never have leading 0 bits, Somorovsky: Successful attacks! so original Montgomery ladder Checking is easy to forget. still takes constant time. Use arithmetic to compute cswap in constant time. 13 14 15 Montgomery has variable #loops, “Hey, you forgot to check that Curve25519 paper: depending on top bit of n. the input is on the curve!” “free key validation” eliminates these attacks. Curve25519: Change initialization Conventional wisdom: Important No cost for checking input; to allow leading 0 bits. to check; otherwise broken by no code to forget. Use constant #loops. Crypto 2000 Biehl–Meyer–Müller. Also define scalars n ESORICS 2015 Jager–Schwenk– to never have leading 0 bits, Somorovsky: Successful attacks! so original Montgomery ladder Checking is easy to forget. still takes constant time. Use arithmetic to compute cswap in constant time. 13 14 15 Montgomery has variable #loops, “Hey, you forgot to check that Curve25519 paper: depending on top bit of n. the input is on the curve!” “free key validation” eliminates these attacks. Curve25519: Change initialization Conventional wisdom: Important No cost for checking input; to allow leading 0 bits. to check; otherwise broken by no code to forget. Use constant #loops. Crypto 2000 Biehl–Meyer–Müller. Also define scalars n ESORICS 2015 Jager–Schwenk– to never have leading 0 bits, Somorovsky: Successful attacks! so original Montgomery ladder Checking is easy to forget. still takes constant time. Use arithmetic to compute cswap in constant time. 13 14 15 Montgomery has variable #loops, “Hey, you forgot to check that Curve25519 paper: depending on top bit of n. the input is on the curve!” “free key validation” eliminates these attacks. Curve25519: Change initialization Conventional wisdom: Important No cost for checking input; to allow leading 0 bits. to check; otherwise broken by no code to forget. Use constant #loops. Crypto 2000 Biehl–Meyer–Müller. Also define scalars n ESORICS 2015 Jager–Schwenk– to never have leading 0 bits, Somorovsky: Successful attacks! so original Montgomery ladder Checking is easy to forget. still takes constant time. Use arithmetic to compute cswap in constant time. 14 15 “Hey, you forgot to check that Curve25519 paper: the input is on the curve!” “free key validation” eliminates these attacks. Conventional wisdom: Important No cost for checking input; to check; otherwise broken by no code to forget. Crypto 2000 Biehl–Meyer–Müller. ESORICS 2015 Jager–Schwenk– Somorovsky: Successful attacks! Checking is easy to forget. 14 15 “Hey, you forgot to check that Curve25519 paper: the input is on the curve!” “free key validation” eliminates these attacks. Conventional wisdom: Important No cost for checking input; to check; otherwise broken by no code to forget. Crypto 2000 Biehl–Meyer–Müller. 1. Montgomery naturally ESORICS 2015 Jager–Schwenk– follows 1986 Miller compression: Somorovsky: Successful attacks! send only x-coordinate, not (x; y). Checking is easy to forget. Forces input onto “curve” or “twist”. (Bonus: 32-byte keys!) 14 15 “Hey, you forgot to check that Curve25519 paper: the input is on the curve!” “free key validation” eliminates these attacks. Conventional wisdom: Important No cost for checking input; to check; otherwise broken by no code to forget. Crypto 2000 Biehl–Meyer–Müller. 1. Montgomery naturally ESORICS 2015 Jager–Schwenk– follows 1986 Miller compression: Somorovsky: Successful attacks! send only x-coordinate, not (x; y). Checking is easy to forget. Forces input onto “curve” or “twist”. (Bonus: 32-byte keys!) 2. Montgomery ladder works correctly for inputs on twist. 14 15 “Hey, you forgot to check that Curve25519 paper: the input is on the curve!” “free key validation” eliminates these attacks. Conventional wisdom: Important No cost for checking input; to check; otherwise broken by no code to forget. Crypto 2000 Biehl–Meyer–Müller. 1. Montgomery naturally ESORICS 2015 Jager–Schwenk– follows 1986 Miller compression: Somorovsky: Successful attacks! send only x-coordinate, not (x; y). Checking is easy to forget. Forces input onto “curve” or “twist”. (Bonus: 32-byte keys!) 2. Montgomery ladder works correctly for inputs on twist. 3. Choose twist-secure curve. 14 15 16 “Hey, you forgot to check that Curve25519 paper: Longest section in Curve25519 the input is on the curve!” “free key validation” paper: fast finite-field arithmetic, eliminates these attacks. improving on algorithm designs Conventional wisdom: Important No cost for checking input; from 1999–2004 Bernstein. to check; otherwise broken by no code to forget. Crypto 2000 Biehl–Meyer–Müller. 1. Montgomery naturally ESORICS 2015 Jager–Schwenk– follows 1986 Miller compression: Somorovsky: Successful attacks! send only x-coordinate, not (x; y). Checking is easy to forget. Forces input onto “curve” or “twist”. (Bonus: 32-byte keys!) 2. Montgomery ladder works correctly for inputs on twist. 3. Choose twist-secure curve. 14 15 16 “Hey, you forgot to check that Curve25519 paper: Longest section in Curve25519 the input is on the curve!” “free key validation” paper: fast finite-field arithmetic, eliminates these attacks. improving on algorithm designs Conventional wisdom: Important No cost for checking input; from 1999–2004 Bernstein. to check; otherwise broken by no code to forget. Crypto 2000 Biehl–Meyer–Müller. 1. Montgomery naturally ESORICS 2015 Jager–Schwenk– follows 1986 Miller compression: Somorovsky: Successful attacks! send only x-coordinate, not (x; y). Checking is easy to forget. Forces input onto “curve” or “twist”. (Bonus: 32-byte keys!) 2. Montgomery ladder works correctly for inputs on twist. 3. Choose twist-secure curve. 14 15 16 “Hey, you forgot to check that Curve25519 paper: Longest section in Curve25519 the input is on the curve!” “free key validation” paper: fast finite-field arithmetic, eliminates these attacks. improving on algorithm designs Conventional wisdom: Important No cost for checking input; from 1999–2004 Bernstein. to check; otherwise broken by no code to forget. Crypto 2000 Biehl–Meyer–Müller. 1. Montgomery naturally ESORICS 2015 Jager–Schwenk– follows 1986 Miller compression: Somorovsky: Successful attacks! send only x-coordinate, not (x; y). Checking is easy to forget. Forces input onto “curve” or “twist”. (Bonus: 32-byte keys!) 2. Montgomery ladder works correctly for inputs on twist. 3. Choose twist-secure curve. 15 16 Curve25519 paper: Longest section in Curve25519 “free key validation” paper: fast finite-field arithmetic, eliminates these attacks. improving on algorithm designs No cost for checking input; from 1999–2004 Bernstein. no code to forget. 1. Montgomery naturally follows 1986 Miller compression: send only x-coordinate, not (x; y). Forces input onto “curve” or “twist”. (Bonus: 32-byte keys!) 2. Montgomery ladder works correctly for inputs on twist. 3. Choose twist-secure curve. 15 16 Curve25519 paper: Longest section in Curve25519 “free key validation” paper: fast finite-field arithmetic, eliminates these attacks. improving on algorithm designs No cost for checking input; from 1999–2004 Bernstein. no code to forget. Barely mentioned in paper: 1. Montgomery naturally new programming language. follows 1986 Miller compression: send only x-coordinate, not (x; y). Forces input onto “curve” or “twist”. (Bonus: 32-byte keys!) 2. Montgomery ladder works correctly for inputs on twist. 3. Choose twist-secure curve. 15 16 Curve25519 paper: Longest section in Curve25519 “free key validation” paper: fast finite-field arithmetic, eliminates these attacks. improving on algorithm designs No cost for checking input; from 1999–2004 Bernstein. no code to forget. Barely mentioned in paper: 1. Montgomery naturally new programming language. follows 1986 Miller compression: New prime 2255 − 19. send only x-coordinate, not (x; y). Faster than NIST P-256 prime Forces input onto “curve” or 2256 − 2224 + 2192 + 296 − 1. “twist”. (Bonus: 32-byte keys!) “Prime fields also have 2. Montgomery ladder works the virtue of minimizing the correctly for inputs on twist. number of security concerns for 3. Choose twist-secure curve. elliptic-curve cryptography.” 15 16 17 Curve25519 paper: Longest section in Curve25519 Curve25519 paper specified a “free key validation” paper: fast finite-field arithmetic, multi-user DH system. See eliminates these attacks. improving on algorithm designs 1976 Diffie–Hellman; also, e.g., No cost for checking input; from 1999–2004 Bernstein. 1999 Rescorla “static-static no code to forget. mode”; 2006 NIST “C(0,2)”. Barely mentioned in paper: 1. Montgomery naturally new programming language. follows 1986 Miller compression: New prime 2255 − 19. send only x-coordinate, not (x; y). Faster than NIST P-256 prime Forces input onto “curve” or 2256 − 2224 + 2192 + 296 − 1. “twist”. (Bonus: 32-byte keys!) “Prime fields also have 2. Montgomery ladder works the virtue of minimizing the correctly for inputs on twist. number of security concerns for 3. Choose twist-secure curve. elliptic-curve cryptography.” 15 16 17 Curve25519 paper: Longest section in Curve25519 Curve25519 paper specified a “free key validation” paper: fast finite-field arithmetic, multi-user DH system. See eliminates these attacks. improving on algorithm designs 1976 Diffie–Hellman; also, e.g., No cost for checking input; from 1999–2004 Bernstein. 1999 Rescorla “static-static no code to forget. mode”; 2006 NIST “C(0,2)”. Barely mentioned in paper: 1. Montgomery naturally new programming language. follows 1986 Miller compression: New prime 2255 − 19. send only x-coordinate, not (x; y). Faster than NIST P-256 prime Forces input onto “curve” or 2256 − 2224 + 2192 + 296 − 1. “twist”. (Bonus: 32-byte keys!) “Prime fields also have 2. Montgomery ladder works the virtue of minimizing the correctly for inputs on twist. number of security concerns for 3. Choose twist-secure curve. elliptic-curve cryptography.” 15 16 17 Curve25519 paper: Longest section in Curve25519 Curve25519 paper specified a “free key validation” paper: fast finite-field arithmetic, multi-user DH system. See eliminates these attacks. improving on algorithm designs 1976 Diffie–Hellman; also, e.g., No cost for checking input; from 1999–2004 Bernstein. 1999 Rescorla “static-static no code to forget. mode”; 2006 NIST “C(0,2)”. Barely mentioned in paper: 1. Montgomery naturally new programming language. follows 1986 Miller compression: New prime 2255 − 19. send only x-coordinate, not (x; y). Faster than NIST P-256 prime Forces input onto “curve” or 2256 − 2224 + 2192 + 296 − 1. “twist”. (Bonus: 32-byte keys!) “Prime fields also have 2. Montgomery ladder works the virtue of minimizing the correctly for inputs on twist. number of security concerns for 3. Choose twist-secure curve. elliptic-curve cryptography.” 16 17 Longest section in Curve25519 Curve25519 paper specified a paper: fast finite-field arithmetic, multi-user DH system. See improving on algorithm designs 1976 Diffie–Hellman; also, e.g., from 1999–2004 Bernstein. 1999 Rescorla “static-static mode”; 2006 NIST “C(0,2)”. Barely mentioned in paper: new programming language. New prime 2255 − 19. Faster than NIST P-256 prime 2256 − 2224 + 2192 + 296 − 1. “Prime fields also have the virtue of minimizing the number of security concerns for elliptic-curve cryptography.” 16 17 Longest section in Curve25519 Curve25519 paper specified a paper: fast finite-field arithmetic, multi-user DH system. See improving on algorithm designs 1976 Diffie–Hellman; also, e.g., from 1999–2004 Bernstein. 1999 Rescorla “static-static mode”; 2006 NIST “C(0,2)”. Barely mentioned in paper: new programming language. Included security survey: • Reductions: intolerably loose. New prime 2255 − 19. • Known attack ideas: rho etc. Faster than NIST P-256 prime • Multi-user batch attacks. 2256 − 2224 + 2192 + 296 − 1. • Special-purpose hardware: “Prime fields also have 160-bit ECC is breakable. the virtue of minimizing the • Small-subgroup attacks, number of security concerns for invalid-curve attacks, etc. elliptic-curve cryptography.” 16 17 18 Longest section in Curve25519 Curve25519 paper specified a 2015: Beware batch attacks. paper: fast finite-field arithmetic, multi-user DH system. See improving on algorithm designs 1976 Diffie–Hellman; also, e.g., from 1999–2004 Bernstein. 1999 Rescorla “static-static mode”; 2006 NIST “C(0,2)”. Barely mentioned in paper: new programming language. Included security survey: • Reductions: intolerably loose. New prime 2255 − 19. • Known attack ideas: rho etc. Faster than NIST P-256 prime • Multi-user batch attacks. 2256 − 2224 + 2192 + 296 − 1. • Special-purpose hardware: “Prime fields also have 160-bit ECC is breakable. the virtue of minimizing the • Small-subgroup attacks, number of security concerns for invalid-curve attacks, etc. elliptic-curve cryptography.” 16 17 18 Longest section in Curve25519 Curve25519 paper specified a 2015: Beware batch attacks. paper: fast finite-field arithmetic, multi-user DH system. See improving on algorithm designs 1976 Diffie–Hellman; also, e.g., from 1999–2004 Bernstein. 1999 Rescorla “static-static mode”; 2006 NIST “C(0,2)”. Barely mentioned in paper: new programming language. Included security survey: • Reductions: intolerably loose. New prime 2255 − 19. • Known attack ideas: rho etc. Faster than NIST P-256 prime • Multi-user batch attacks. 2256 − 2224 + 2192 + 296 − 1. • Special-purpose hardware: “Prime fields also have 160-bit ECC is breakable. the virtue of minimizing the • Small-subgroup attacks, number of security concerns for invalid-curve attacks, etc. elliptic-curve cryptography.” 16 17 18 Longest section in Curve25519 Curve25519 paper specified a 2015: Beware batch attacks. paper: fast finite-field arithmetic, multi-user DH system. See improving on algorithm designs 1976 Diffie–Hellman; also, e.g., from 1999–2004 Bernstein. 1999 Rescorla “static-static mode”; 2006 NIST “C(0,2)”. Barely mentioned in paper: new programming language. Included security survey: • Reductions: intolerably loose. New prime 2255 − 19. • Known attack ideas: rho etc. Faster than NIST P-256 prime • Multi-user batch attacks. 2256 − 2224 + 2192 + 296 − 1. • Special-purpose hardware: “Prime fields also have 160-bit ECC is breakable. the virtue of minimizing the • Small-subgroup attacks, number of security concerns for invalid-curve attacks, etc. elliptic-curve cryptography.” 17 18 Curve25519 paper specified a 2015: Beware batch attacks. multi-user DH system. See 1976 Diffie–Hellman; also, e.g., 1999 Rescorla “static-static mode”; 2006 NIST “C(0,2)”. Included security survey: • Reductions: intolerably loose. • Known attack ideas: rho etc. • Multi-user batch attacks. • Special-purpose hardware: 160-bit ECC is breakable. • Small-subgroup attacks, invalid-curve attacks, etc. 17 18 19 Curve25519 paper specified a 2015: Beware batch attacks. Paper sketched common-sense multi-user DH system. See attack model, including 1976 Diffie–Hellman; also, e.g., composition with subsequent 1999 Rescorla “static-static multi-user secret-key system mode”; 2006 NIST “C(0,2)”. (as in, e.g., 2001 Bernstein “public-key authenticators”); Included security survey: attacks on secret-key system • Reductions: intolerably loose. (the motivation given for • Known attack ideas: rho etc. “Reveal” queries in PKC 2013 • Multi-user batch attacks. Freire–Hofheinz–Kiltz–Paterson); • Special-purpose hardware: dishonest key registrations 160-bit ECC is breakable. (as in, e.g., Eurocrypt 2008 • Small-subgroup attacks, Cash–Kiltz–Shoup); invalid-curve attacks, etc. keys as strings (allows modeling, e.g., 2000 Biehl–Meyer–Müller). 17 18 19 Curve25519 paper specified a 2015: Beware batch attacks. Paper sketched common-sense multi-user DH system. See attack model, including 1976 Diffie–Hellman; also, e.g., composition with subsequent 1999 Rescorla “static-static multi-user secret-key system mode”; 2006 NIST “C(0,2)”. (as in, e.g., 2001 Bernstein “public-key authenticators”); Included security survey: attacks on secret-key system • Reductions: intolerably loose. (the motivation given for • Known attack ideas: rho etc. “Reveal” queries in PKC 2013 • Multi-user batch attacks. Freire–Hofheinz–Kiltz–Paterson); • Special-purpose hardware: dishonest key registrations 160-bit ECC is breakable. (as in, e.g., Eurocrypt 2008 • Small-subgroup attacks, Cash–Kiltz–Shoup); invalid-curve attacks, etc. keys as strings (allows modeling, e.g., 2000 Biehl–Meyer–Müller). 17 18 19 Curve25519 paper specified a 2015: Beware batch attacks. Paper sketched common-sense multi-user DH system. See attack model, including 1976 Diffie–Hellman; also, e.g., composition with subsequent 1999 Rescorla “static-static multi-user secret-key system mode”; 2006 NIST “C(0,2)”. (as in, e.g., 2001 Bernstein “public-key authenticators”); Included security survey: attacks on secret-key system • Reductions: intolerably loose. (the motivation given for • Known attack ideas: rho etc. “Reveal” queries in PKC 2013 • Multi-user batch attacks. Freire–Hofheinz–Kiltz–Paterson); • Special-purpose hardware: dishonest key registrations 160-bit ECC is breakable. (as in, e.g., Eurocrypt 2008 • Small-subgroup attacks, Cash–Kiltz–Shoup); invalid-curve attacks, etc. keys as strings (allows modeling, e.g., 2000 Biehl–Meyer–Müller). 18 19 2015: Beware batch attacks. Paper sketched common-sense attack model, including composition with subsequent multi-user secret-key system (as in, e.g., 2001 Bernstein “public-key authenticators”); attacks on secret-key system (the motivation given for “Reveal” queries in PKC 2013 Freire–Hofheinz–Kiltz–Paterson); dishonest key registrations (as in, e.g., Eurocrypt 2008 Cash–Kiltz–Shoup); keys as strings (allows modeling, e.g., 2000 Biehl–Meyer–Müller). 18 19 20 2015: Beware batch attacks. Paper sketched common-sense attack model, including composition with subsequent multi-user secret-key system (as in, e.g., 2001 Bernstein “public-key authenticators”); attacks on secret-key system (the motivation given for “Reveal” queries in PKC 2013 Freire–Hofheinz–Kiltz–Paterson); dishonest key registrations (as in, e.g., Eurocrypt 2008 Cash–Kiltz–Shoup); keys as strings (allows modeling, e.g., 2000 Biehl–Meyer–Müller). 18 19 20 2015: Beware batch attacks. Paper sketched common-sense attack model, including composition with subsequent multi-user secret-key system (as in, e.g., 2001 Bernstein “public-key authenticators”); attacks on secret-key system (the motivation given for “Reveal” queries in PKC 2013 Freire–Hofheinz–Kiltz–Paterson); dishonest key registrations (as in, e.g., Eurocrypt 2008 Cash–Kiltz–Shoup); keys as strings (allows modeling, e.g., 2000 Biehl–Meyer–Müller). 18 19 20 2015: Beware batch attacks. Paper sketched common-sense attack model, including composition with subsequent multi-user secret-key system (as in, e.g., 2001 Bernstein “public-key authenticators”); attacks on secret-key system (the motivation given for “Reveal” queries in PKC 2013 Freire–Hofheinz–Kiltz–Paterson); dishonest key registrations (as in, e.g., Eurocrypt 2008 Cash–Kiltz–Shoup); keys as strings (allows modeling, e.g., 2000 Biehl–Meyer–Müller). 19 20 Paper sketched common-sense attack model, including composition with subsequent multi-user secret-key system (as in, e.g., 2001 Bernstein “public-key authenticators”); attacks on secret-key system (the motivation given for “Reveal” queries in PKC 2013 Freire–Hofheinz–Kiltz–Paterson); dishonest key registrations (as in, e.g., Eurocrypt 2008 Cash–Kiltz–Shoup); keys as strings (allows modeling, e.g., 2000 Biehl–Meyer–Müller). 19 20 21 Paper sketched common-sense Email from program chairs: attack model, including composition with subsequent It is my pleasure to inform you multi-user secret-key system that your paper "Curve25519: (as in, e.g., 2001 Bernstein new Diffie-Hellman speed “public-key authenticators”); records" was accepted to attacks on secret-key system PKC’06. Congratulations! (the motivation given for “Reveal” queries in PKC 2013 Freire–Hofheinz–Kiltz–Paterson); dishonest key registrations (as in, e.g., Eurocrypt 2008 Cash–Kiltz–Shoup); keys as strings (allows modeling, e.g., 2000 Biehl–Meyer–Müller). 19 20 21 Paper sketched common-sense Email from program chairs: attack model, including composition with subsequent It is my pleasure to inform you multi-user secret-key system that your paper "Curve25519: (as in, e.g., 2001 Bernstein new Diffie-Hellman speed “public-key authenticators”); records" was accepted to attacks on secret-key system PKC’06. Congratulations! (the motivation given for “Reveal” queries in PKC 2013 Freire–Hofheinz–Kiltz–Paterson); dishonest key registrations (as in, e.g., Eurocrypt 2008 Cash–Kiltz–Shoup); keys as strings (allows modeling, e.g., 2000 Biehl–Meyer–Müller). 19 20 21 Paper sketched common-sense Email from program chairs: attack model, including composition with subsequent It is my pleasure to inform you multi-user secret-key system that your paper "Curve25519: (as in, e.g., 2001 Bernstein new Diffie-Hellman speed “public-key authenticators”); records" was accepted to attacks on secret-key system PKC’06. Congratulations! (the motivation given for “Reveal” queries in PKC 2013 Freire–Hofheinz–Kiltz–Paterson); dishonest key registrations (as in, e.g., Eurocrypt 2008 Cash–Kiltz–Shoup); keys as strings (allows modeling, e.g., 2000 Biehl–Meyer–Müller). 20 21 Email from program chairs:

It is my pleasure to inform you that your paper "Curve25519: new Diffie-Hellman speed records" was accepted to PKC’06. Congratulations! 20 21 Email from program chairs:

It is my pleasure to inform you that your paper "Curve25519: new Diffie-Hellman speed records" was accepted to PKC’06. Congratulations!

Below please find the reviewers’ comments on your paper "Curve25519: new Diffie- Hellman speed records" that was submitted to PKC 2006. 20 21 22 Email from program chairs: Reviewer #1:

It is my pleasure to inform you While I think (frankly) that that your paper "Curve25519: this is a nice engineering work, new Diffie-Hellman speed I think that this is not a records" was accepted to "real" research paper. PKC’06. Congratulations! I don’t question the correctness but I question Below please find the reviewers’ the appropriateness of the comments on your paper paper to the conference. "Curve25519: new Diffie- Hellman speed records" So engineering isn’t research? that was submitted to PKC 2006. 20 21 22 Email from program chairs: Reviewer #1:

... benefits including protection It is my pleasure to inform you While I think (frankly) that against timing attacks, no that your paper "Curve25519: this is a nice engineering work, apparrent patent infringements, new Diffie-Hellman speed I think that this is not a and very good speed. ... records" was accepted to "real" research paper. PKC’06. Congratulations! I don’t question the On the negative side, the paper correctness but I question does not introduce novel ideas, the appropriateness of the Below please find the reviewers’ nor does it attempt to prove paper to the conference. comments on your paper things rigorously (the word "Curve25519: new Diffie- "conjecture" is used repeatedly Hellman speed records" So engineering isn’t research? throughout). It is principally that was submitted to PKC 2006. a considerable engineering achievement. 21 22 23 Email from program chairs: Reviewer #1: Reviewer #2:

... benefits including protection While I think (frankly) that against timing attacks, no this is a nice engineering work, apparrent patent infringements, I think that this is not a and very good speed. ... "real" research paper. I don’t question the On the negative side, the paper correctness but I question does not introduce novel ideas, the appropriateness of the nor does it attempt to prove paper to the conference. things rigorously (the word "conjecture" is used repeatedly So engineering isn’t research? throughout). It is principally a considerable engineering achievement. 22 23 24 Reviewer #1: Reviewer #2: e.g. “Breaking the Curve25519 function—for example, computing ... benefits including protection While I think (frankly) that the shared secret from the two against timing attacks, no this is a nice engineering work, public keys—is conjectured to be apparrent patent infringements, I think that this is not a extremely difficult. Every known and very good speed. ... "real" research paper. attack is more expensive than I don’t question the performing a brute-force search On the negative side, the paper correctness but I question on a typical 128-bit secret-key does not introduce novel ideas, ::: the appropriateness of the cipher. Curves of this shape nor does it attempt to prove paper to the conference. have order divisible by 4, requiring things rigorously (the word a marginally larger prime for the "conjecture" is used repeatedly same conjectured security level, So engineering isn’t research? throughout). It is principally but this is outweighed by the a considerable engineering extra speed of curve operations.” achievement. 22 23 24 Reviewer #1: Reviewer #2: e.g. “Breaking the Curve25519 function—for example, computing ... benefits including protection While I think (frankly) that the shared secret from the two against timing attacks, no this is a nice engineering work, public keys—is conjectured to be apparrent patent infringements, I think that this is not a extremely difficult. Every known and very good speed. ... "real" research paper. attack is more expensive than I don’t question the performing a brute-force search On the negative side, the paper correctness but I question on a typical 128-bit secret-key does not introduce novel ideas, ::: the appropriateness of the cipher. Curves of this shape nor does it attempt to prove paper to the conference. have order divisible by 4, requiring things rigorously (the word a marginally larger prime for the "conjecture" is used repeatedly same conjectured security level, So engineering isn’t research? throughout). It is principally but this is outweighed by the a considerable engineering extra speed of curve operations.” achievement. 22 23 24 Reviewer #1: Reviewer #2: e.g. “Breaking the Curve25519 function—for example, computing ... benefits including protection While I think (frankly) that the shared secret from the two against timing attacks, no this is a nice engineering work, public keys—is conjectured to be apparrent patent infringements, I think that this is not a extremely difficult. Every known and very good speed. ... "real" research paper. attack is more expensive than I don’t question the performing a brute-force search On the negative side, the paper correctness but I question on a typical 128-bit secret-key does not introduce novel ideas, ::: the appropriateness of the cipher. Curves of this shape nor does it attempt to prove paper to the conference. have order divisible by 4, requiring things rigorously (the word a marginally larger prime for the "conjecture" is used repeatedly same conjectured security level, So engineering isn’t research? throughout). It is principally but this is outweighed by the a considerable engineering extra speed of curve operations.” achievement. 23 24 Reviewer #2: e.g. “Breaking the Curve25519 function—for example, computing ... benefits including protection the shared secret from the two against timing attacks, no public keys—is conjectured to be apparrent patent infringements, extremely difficult. Every known and very good speed. ... attack is more expensive than performing a brute-force search On the negative side, the paper on a typical 128-bit secret-key does not introduce novel ideas, cipher. ::: Curves of this shape nor does it attempt to prove have order divisible by 4, requiring things rigorously (the word a marginally larger prime for the "conjecture" is used repeatedly same conjectured security level, throughout). It is principally but this is outweighed by the a considerable engineering extra speed of curve operations.” achievement. 23 24 25 Reviewer #2: e.g. “Breaking the Curve25519 Reviewer #3: function—for example, computing ... benefits including protection the shared secret from the two ... The curve and the field are against timing attacks, no public keys—is conjectured to be hardwired into the program, apparrent patent infringements, extremely difficult. Every known which leaves little flexibility and very good speed. ... attack is more expensive than if changes are someday needed. performing a brute-force search ... My main concerns about the On the negative side, the paper on a typical 128-bit secret-key paper are that it comes across does not introduce novel ideas, cipher. ::: Curves of this shape as low on useful content (it’s nor does it attempt to prove have order divisible by 4, requiring mostly about one curve), and is things rigorously (the word a marginally larger prime for the very strangely written, and "conjecture" is used repeatedly same conjectured security level, therefore unpleasant to read ... throughout). It is principally but this is outweighed by the The paper is written in what a considerable engineering extra speed of curve operations.” achievement. 23 24 25 Reviewer #2: e.g. “Breaking the Curve25519 Reviewer #3: function—for example, computing ... benefits including protection the shared secret from the two ... The curve and the field are against timing attacks, no public keys—is conjectured to be hardwired into the program, apparrent patent infringements, extremely difficult. Every known which leaves little flexibility and very good speed. ... attack is more expensive than if changes are someday needed. performing a brute-force search ... My main concerns about the On the negative side, the paper on a typical 128-bit secret-key paper are that it comes across does not introduce novel ideas, cipher. ::: Curves of this shape as low on useful content (it’s nor does it attempt to prove have order divisible by 4, requiring mostly about one curve), and is things rigorously (the word a marginally larger prime for the very strangely written, and "conjecture" is used repeatedly same conjectured security level, therefore unpleasant to read ... throughout). It is principally but this is outweighed by the The paper is written in what a considerable engineering extra speed of curve operations.” achievement. 23 24 25 Reviewer #2: e.g. “Breaking the Curve25519 Reviewer #3: function—for example, computing ... benefits including protection the shared secret from the two ... The curve and the field are against timing attacks, no public keys—is conjectured to be hardwired into the program, apparrent patent infringements, extremely difficult. Every known which leaves little flexibility and very good speed. ... attack is more expensive than if changes are someday needed. performing a brute-force search ... My main concerns about the On the negative side, the paper on a typical 128-bit secret-key paper are that it comes across does not introduce novel ideas, cipher. ::: Curves of this shape as low on useful content (it’s nor does it attempt to prove have order divisible by 4, requiring mostly about one curve), and is things rigorously (the word a marginally larger prime for the very strangely written, and "conjecture" is used repeatedly same conjectured security level, therefore unpleasant to read ... throughout). It is principally but this is outweighed by the The paper is written in what a considerable engineering extra speed of curve operations.” achievement. 24 25 e.g. “Breaking the Curve25519 Reviewer #3: function—for example, computing the shared secret from the two ... The curve and the field are public keys—is conjectured to be hardwired into the program, extremely difficult. Every known which leaves little flexibility attack is more expensive than if changes are someday needed. performing a brute-force search ... My main concerns about the on a typical 128-bit secret-key paper are that it comes across cipher. ::: Curves of this shape as low on useful content (it’s have order divisible by 4, requiring mostly about one curve), and is a marginally larger prime for the very strangely written, and same conjectured security level, therefore unpleasant to read ... but this is outweighed by the The paper is written in what extra speed of curve operations.” 24 25 26 e.g. “Breaking the Curve25519 Reviewer #3: comes across as a rambling function—for example, computing incoherent style. ... The the shared secret from the two ... The curve and the field are rewriting that would be required public keys—is conjectured to be hardwired into the program, to make this paper readable is extremely difficult. Every known which leaves little flexibility significant (though easy for attack is more expensive than if changes are someday needed. someone willing to do it), and performing a brute-force search ... My main concerns about the I’m not optimistic that it would on a typical 128-bit secret-key paper are that it comes across be done by the deadline, or that cipher. ::: Curves of this shape as low on useful content (it’s the content (I can’t say have order divisible by 4, requiring mostly about one curve), and is "results" since there aren’t any a marginally larger prime for the very strangely written, and stated results, other than a same conjectured security level, therefore unpleasant to read ... trivial mathematical result) is but this is outweighed by the The paper is written in what significant enough to justify extra speed of curve operations.” 24 25 26 e.g. “Breaking the Curve25519 Reviewer #3: comes across as a rambling function—for example, computing incoherent style. ... The the shared secret from the two ... The curve and the field are rewriting that would be required public keys—is conjectured to be hardwired into the program, to make this paper readable is extremely difficult. Every known which leaves little flexibility significant (though easy for attack is more expensive than if changes are someday needed. someone willing to do it), and performing a brute-force search ... My main concerns about the I’m not optimistic that it would on a typical 128-bit secret-key paper are that it comes across be done by the deadline, or that cipher. ::: Curves of this shape as low on useful content (it’s the content (I can’t say have order divisible by 4, requiring mostly about one curve), and is "results" since there aren’t any a marginally larger prime for the very strangely written, and stated results, other than a same conjectured security level, therefore unpleasant to read ... trivial mathematical result) is but this is outweighed by the The paper is written in what significant enough to justify extra speed of curve operations.” 24 25 26 e.g. “Breaking the Curve25519 Reviewer #3: comes across as a rambling function—for example, computing incoherent style. ... The the shared secret from the two ... The curve and the field are rewriting that would be required public keys—is conjectured to be hardwired into the program, to make this paper readable is extremely difficult. Every known which leaves little flexibility significant (though easy for attack is more expensive than if changes are someday needed. someone willing to do it), and performing a brute-force search ... My main concerns about the I’m not optimistic that it would on a typical 128-bit secret-key paper are that it comes across be done by the deadline, or that cipher. ::: Curves of this shape as low on useful content (it’s the content (I can’t say have order divisible by 4, requiring mostly about one curve), and is "results" since there aren’t any a marginally larger prime for the very strangely written, and stated results, other than a same conjectured security level, therefore unpleasant to read ... trivial mathematical result) is but this is outweighed by the The paper is written in what significant enough to justify extra speed of curve operations.” 25 26 Reviewer #3: comes across as a rambling incoherent style. ... The ... The curve and the field are rewriting that would be required hardwired into the program, to make this paper readable is which leaves little flexibility significant (though easy for if changes are someday needed. someone willing to do it), and ... My main concerns about the I’m not optimistic that it would paper are that it comes across be done by the deadline, or that as low on useful content (it’s the content (I can’t say mostly about one curve), and is "results" since there aren’t any very strangely written, and stated results, other than a therefore unpleasant to read ... trivial mathematical result) is The paper is written in what significant enough to justify 25 26 27 Reviewer #3: comes across as a rambling acceptance. ... The "Conjectured incoherent style. ... The Curve25519 security level" ... The curve and the field are rewriting that would be required section should be omitted; or if hardwired into the program, to make this paper readable is there’s useful and new content which leaves little flexibility significant (though easy for in it, that should be made if changes are someday needed. someone willing to do it), and clear. ... Most of the ... My main concerns about the I’m not optimistic that it would appendices should be removed. paper are that it comes across be done by the deadline, or that For example, the irrelevant as low on useful content (it’s the content (I can’t say discussion of patents should mostly about one curve), and is "results" since there aren’t any either be removed, or rephrased very strangely written, and stated results, other than a to be a purely scientific therefore unpleasant to read ... trivial mathematical result) is discussion and not a patent The paper is written in what significant enough to justify discussion, and the appendix 25 26 27 Reviewer #3: comes across as a rambling acceptance. ... The "Conjectured incoherent style. ... The Curve25519 security level" ... The curve and the field are rewriting that would be required section should be omitted; or if hardwired into the program, to make this paper readable is there’s useful and new content which leaves little flexibility significant (though easy for in it, that should be made if changes are someday needed. someone willing to do it), and clear. ... Most of the ... My main concerns about the I’m not optimistic that it would appendices should be removed. paper are that it comes across be done by the deadline, or that For example, the irrelevant as low on useful content (it’s the content (I can’t say discussion of patents should mostly about one curve), and is "results" since there aren’t any either be removed, or rephrased very strangely written, and stated results, other than a to be a purely scientific therefore unpleasant to read ... trivial mathematical result) is discussion and not a patent The paper is written in what significant enough to justify discussion, and the appendix 25 26 27 Reviewer #3: comes across as a rambling acceptance. ... The "Conjectured incoherent style. ... The Curve25519 security level" ... The curve and the field are rewriting that would be required section should be omitted; or if hardwired into the program, to make this paper readable is there’s useful and new content which leaves little flexibility significant (though easy for in it, that should be made if changes are someday needed. someone willing to do it), and clear. ... Most of the ... My main concerns about the I’m not optimistic that it would appendices should be removed. paper are that it comes across be done by the deadline, or that For example, the irrelevant as low on useful content (it’s the content (I can’t say discussion of patents should mostly about one curve), and is "results" since there aren’t any either be removed, or rephrased very strangely written, and stated results, other than a to be a purely scientific therefore unpleasant to read ... trivial mathematical result) is discussion and not a patent The paper is written in what significant enough to justify discussion, and the appendix 26 27 comes across as a rambling acceptance. ... The "Conjectured incoherent style. ... The Curve25519 security level" rewriting that would be required section should be omitted; or if to make this paper readable is there’s useful and new content significant (though easy for in it, that should be made someone willing to do it), and clear. ... Most of the I’m not optimistic that it would appendices should be removed. be done by the deadline, or that For example, the irrelevant the content (I can’t say discussion of patents should "results" since there aren’t any either be removed, or rephrased stated results, other than a to be a purely scientific trivial mathematical result) is discussion and not a patent significant enough to justify discussion, and the appendix 26 27 28 comes across as a rambling acceptance. ... The "Conjectured that shows that 3 numbers are incoherent style. ... The Curve25519 security level" prime should be removed. ... rewriting that would be required section should be omitted; or if The paper will be of greatest to make this paper readable is there’s useful and new content interest to those implementing significant (though easy for in it, that should be made Diffie-Hellman with elliptic someone willing to do it), and clear. ... Most of the curves. But the limitations on I’m not optimistic that it would appendices should be removed. the exponent (and the lack of a be done by the deadline, or that For example, the irrelevant y-coordinate) prevent it from the content (I can’t say discussion of patents should being used by El Gamal and other "results" since there aren’t any either be removed, or rephrased ECC protocols. ... stated results, other than a to be a purely scientific trivial mathematical result) is discussion and not a patent significant enough to justify discussion, and the appendix 26 27 28 comes across as a rambling acceptance. ... The "Conjectured that shows that 3 numbers are incoherent style. ... The Curve25519 security level" prime should be removed. ... rewriting that would be required section should be omitted; or if The paper will be of greatest to make this paper readable is there’s useful and new content interest to those implementing significant (though easy for in it, that should be made Diffie-Hellman with elliptic someone willing to do it), and clear. ... Most of the curves. But the limitations on I’m not optimistic that it would appendices should be removed. the exponent (and the lack of a be done by the deadline, or that For example, the irrelevant y-coordinate) prevent it from the content (I can’t say discussion of patents should being used by El Gamal and other "results" since there aren’t any either be removed, or rephrased ECC protocols. ... stated results, other than a to be a purely scientific trivial mathematical result) is discussion and not a patent significant enough to justify discussion, and the appendix 26 27 28 comes across as a rambling acceptance. ... The "Conjectured that shows that 3 numbers are incoherent style. ... The Curve25519 security level" prime should be removed. ... rewriting that would be required section should be omitted; or if The paper will be of greatest to make this paper readable is there’s useful and new content interest to those implementing significant (though easy for in it, that should be made Diffie-Hellman with elliptic someone willing to do it), and clear. ... Most of the curves. But the limitations on I’m not optimistic that it would appendices should be removed. the exponent (and the lack of a be done by the deadline, or that For example, the irrelevant y-coordinate) prevent it from the content (I can’t say discussion of patents should being used by El Gamal and other "results" since there aren’t any either be removed, or rephrased ECC protocols. ... stated results, other than a to be a purely scientific trivial mathematical result) is discussion and not a patent significant enough to justify discussion, and the appendix 27 28 acceptance. ... The "Conjectured that shows that 3 numbers are Curve25519 security level" prime should be removed. ... section should be omitted; or if The paper will be of greatest there’s useful and new content interest to those implementing in it, that should be made Diffie-Hellman with elliptic clear. ... Most of the curves. But the limitations on appendices should be removed. the exponent (and the lack of a For example, the irrelevant y-coordinate) prevent it from discussion of patents should being used by El Gamal and other either be removed, or rephrased ECC protocols. ... to be a purely scientific discussion and not a patent discussion, and the appendix 27 28 acceptance. ... The "Conjectured that shows that 3 numbers are Curve25519 security level" prime should be removed. ... section should be omitted; or if The paper will be of greatest there’s useful and new content interest to those implementing in it, that should be made Diffie-Hellman with elliptic clear. ... Most of the curves. But the limitations on appendices should be removed. the exponent (and the lack of a For example, the irrelevant y-coordinate) prevent it from discussion of patents should being used by El Gamal and other either be removed, or rephrased ECC protocols. ... The paper is to be a purely scientific remarkably free of grammatical discussion and not a patent errors. discussion, and the appendix 27 28 29 acceptance. ... The "Conjectured that shows that 3 numbers are 2016: Counterfeit “primes”. Curve25519 security level" prime should be removed. ... section should be omitted; or if The paper will be of greatest there’s useful and new content interest to those implementing in it, that should be made Diffie-Hellman with elliptic clear. ... Most of the curves. But the limitations on appendices should be removed. the exponent (and the lack of a For example, the irrelevant y-coordinate) prevent it from discussion of patents should being used by El Gamal and other either be removed, or rephrased ECC protocols. ... The paper is to be a purely scientific remarkably free of grammatical discussion and not a patent errors. discussion, and the appendix 27 28 29 acceptance. ... The "Conjectured that shows that 3 numbers are 2016: Counterfeit “primes”. Curve25519 security level" prime should be removed. ... section should be omitted; or if The paper will be of greatest there’s useful and new content interest to those implementing in it, that should be made Diffie-Hellman with elliptic clear. ... Most of the curves. But the limitations on appendices should be removed. the exponent (and the lack of a For example, the irrelevant y-coordinate) prevent it from discussion of patents should being used by El Gamal and other either be removed, or rephrased ECC protocols. ... The paper is to be a purely scientific remarkably free of grammatical discussion and not a patent errors. discussion, and the appendix 27 28 29 acceptance. ... The "Conjectured that shows that 3 numbers are 2016: Counterfeit “primes”. Curve25519 security level" prime should be removed. ... section should be omitted; or if The paper will be of greatest there’s useful and new content interest to those implementing in it, that should be made Diffie-Hellman with elliptic clear. ... Most of the curves. But the limitations on appendices should be removed. the exponent (and the lack of a For example, the irrelevant y-coordinate) prevent it from discussion of patents should being used by El Gamal and other either be removed, or rephrased ECC protocols. ... The paper is to be a purely scientific remarkably free of grammatical discussion and not a patent errors. discussion, and the appendix 28 29 that shows that 3 numbers are 2016: Counterfeit “primes”. prime should be removed. ... The paper will be of greatest interest to those implementing Diffie-Hellman with elliptic curves. But the limitations on the exponent (and the lack of a y-coordinate) prevent it from being used by El Gamal and other ECC protocols. ... The paper is remarkably free of grammatical errors. 28 29 30 that shows that 3 numbers are 2016: Counterfeit “primes”. With reviews like these, prime should be removed. ... how did PKC accept Curve25519? The paper will be of greatest interest to those implementing Diffie-Hellman with elliptic curves. But the limitations on the exponent (and the lack of a y-coordinate) prevent it from being used by El Gamal and other ECC protocols. ... The paper is remarkably free of grammatical errors. 28 29 30 that shows that 3 numbers are 2016: Counterfeit “primes”. With reviews like these, prime should be removed. ... how did PKC accept Curve25519? The paper will be of greatest interest to those implementing Diffie-Hellman with elliptic curves. But the limitations on the exponent (and the lack of a y-coordinate) prevent it from being used by El Gamal and other ECC protocols. ... The paper is remarkably free of grammatical errors. 28 29 30 that shows that 3 numbers are 2016: Counterfeit “primes”. With reviews like these, prime should be removed. ... how did PKC accept Curve25519? The paper will be of greatest interest to those implementing Diffie-Hellman with elliptic curves. But the limitations on the exponent (and the lack of a y-coordinate) prevent it from being used by El Gamal and other ECC protocols. ... The paper is remarkably free of grammatical errors. 29 30 2016: Counterfeit “primes”. With reviews like these, how did PKC accept Curve25519? 29 30 2016: Counterfeit “primes”. With reviews like these, how did PKC accept Curve25519? Reviewer #4 was positive. Maybe reviewer #4 convinced other people as part of discussion. Or program chairs liked paper. 29 30 2016: Counterfeit “primes”. With reviews like these, how did PKC accept Curve25519? Reviewer #4 was positive. Maybe reviewer #4 convinced other people as part of discussion. Or program chairs liked paper. Maybe someone thought the title “9th International Conference on Theory and Practice in Public- Key Cryptography” justified an occasional paper like this. 29 30 2016: Counterfeit “primes”. With reviews like these, how did PKC accept Curve25519? Reviewer #4 was positive. Maybe reviewer #4 convinced other people as part of discussion. Or program chairs liked paper. Maybe someone thought the title “9th International Conference on Theory and Practice in Public- Key Cryptography” justified an occasional paper like this. Note to young cryptographers: Don’t let referees discourage you. 29 30 31 2016: Counterfeit “primes”. With reviews like these, Edwards curves how did PKC accept Curve25519? 2007 Edwards “A Reviewer #4 was positive. normal form for elliptic curves”: Maybe reviewer #4 convinced x1y2 + x2y1 x3 = , other people as part of discussion. c(1 + x1x2y1y2) Or program chairs liked paper. y y − x x y = 1 2 1 2 3 c − x x y y Maybe someone thought the title (1 1 2 1 2) “9th International Conference on generically defines addition law Theory and Practice in Public- (x1; y1) + (x2; y2) = (x3; y3) Key Cryptography” justified on any elliptic curve of the form 2 2 2 2 2 an occasional paper like this. x + y = c (1 + x y ). Note to young cryptographers: Euler+Gauss defined this law 4 Don’t let referees discourage you. for one curve: c = −1. 29 30 31 2016: Counterfeit “primes”. With reviews like these, Edwards curves how did PKC accept Curve25519? 2007 Edwards “A Reviewer #4 was positive. normal form for elliptic curves”: Maybe reviewer #4 convinced x1y2 + x2y1 x3 = , other people as part of discussion. c(1 + x1x2y1y2) Or program chairs liked paper. y y − x x y = 1 2 1 2 3 c − x x y y Maybe someone thought the title (1 1 2 1 2) “9th International Conference on generically defines addition law Theory and Practice in Public- (x1; y1) + (x2; y2) = (x3; y3) Key Cryptography” justified on any elliptic curve of the form 2 2 2 2 2 an occasional paper like this. x + y = c (1 + x y ). Note to young cryptographers: Euler+Gauss defined this law 4 Don’t let referees discourage you. for one curve: c = −1. 29 30 31 2016: Counterfeit “primes”. With reviews like these, Edwards curves how did PKC accept Curve25519? 2007 Edwards “A Reviewer #4 was positive. normal form for elliptic curves”: Maybe reviewer #4 convinced x1y2 + x2y1 x3 = , other people as part of discussion. c(1 + x1x2y1y2) Or program chairs liked paper. y y − x x y = 1 2 1 2 3 c − x x y y Maybe someone thought the title (1 1 2 1 2) “9th International Conference on generically defines addition law Theory and Practice in Public- (x1; y1) + (x2; y2) = (x3; y3) Key Cryptography” justified on any elliptic curve of the form 2 2 2 2 2 an occasional paper like this. x + y = c (1 + x y ). Note to young cryptographers: Euler+Gauss defined this law 4 Don’t let referees discourage you. for one curve: c = −1. 30 31 With reviews like these, Edwards curves how did PKC accept Curve25519? 2007 Edwards “A Reviewer #4 was positive. normal form for elliptic curves”: Maybe reviewer #4 convinced x1y2 + x2y1 x3 = , other people as part of discussion. c(1 + x1x2y1y2) Or program chairs liked paper. y y − x x y = 1 2 1 2 3 c − x x y y Maybe someone thought the title (1 1 2 1 2) “9th International Conference on generically defines addition law Theory and Practice in Public- (x1; y1) + (x2; y2) = (x3; y3) Key Cryptography” justified on any elliptic curve of the form 2 2 2 2 2 an occasional paper like this. x + y = c (1 + x y ). Note to young cryptographers: Euler+Gauss defined this law 4 Don’t let referees discourage you. for one curve: c = −1. 30 31 32 With reviews like these, Edwards curves 2007 Bernstein–Lange “Faster how did PKC accept Curve25519? addition and doubling on elliptic 2007 Edwards “A curves”: Edwards addition law Reviewer #4 was positive. normal form for elliptic curves”: easily generalizes to Maybe reviewer #4 convinced x1y2 + x2y1 x3 = , x1y2 + x2y1 other people as part of discussion. c(1 + x1x2y1y2) x = , 3 1 + dx x y y Or program chairs liked paper. y y − x x 1 2 1 2 y = 1 2 1 2 y y − x x 3 c − x x y y 1 2 1 2 Maybe someone thought the title (1 1 2 1 2) y3 = . 1 − dx1x2y1y2 generically defines addition law “9th International Conference on on any elliptic curve of the form (x ; y ) + (x ; y ) = (x ; y ) Theory and Practice in Public- 1 1 2 2 3 3 x2 + y 2 = 1 + dx2y 2. Key Cryptography” justified on any elliptic curve of the form 2 2 2 2 2 4 an occasional paper like this. x + y = c (1 + x y ). d = c is original Edwards. d = 0 is circle, non-elliptic. Note to young cryptographers: Euler+Gauss defined this law 4 Don’t let referees discourage you. for one curve: c = −1. 30 31 32 With reviews like these, Edwards curves 2007 Bernstein–Lange “Faster how did PKC accept Curve25519? addition and doubling on elliptic 2007 Edwards “A curves”: Edwards addition law Reviewer #4 was positive. normal form for elliptic curves”: easily generalizes to Maybe reviewer #4 convinced x1y2 + x2y1 x3 = , x1y2 + x2y1 other people as part of discussion. c(1 + x1x2y1y2) x = , 3 1 + dx x y y Or program chairs liked paper. y y − x x 1 2 1 2 y = 1 2 1 2 y y − x x 3 c − x x y y 1 2 1 2 Maybe someone thought the title (1 1 2 1 2) y3 = . 1 − dx1x2y1y2 generically defines addition law “9th International Conference on on any elliptic curve of the form (x ; y ) + (x ; y ) = (x ; y ) Theory and Practice in Public- 1 1 2 2 3 3 x2 + y 2 = 1 + dx2y 2. Key Cryptography” justified on any elliptic curve of the form 2 2 2 2 2 4 an occasional paper like this. x + y = c (1 + x y ). d = c is original Edwards. d = 0 is circle, non-elliptic. Note to young cryptographers: Euler+Gauss defined this law 4 Don’t let referees discourage you. for one curve: c = −1. 30 31 32 With reviews like these, Edwards curves 2007 Bernstein–Lange “Faster how did PKC accept Curve25519? addition and doubling on elliptic 2007 Edwards “A curves”: Edwards addition law Reviewer #4 was positive. normal form for elliptic curves”: easily generalizes to Maybe reviewer #4 convinced x1y2 + x2y1 x3 = , x1y2 + x2y1 other people as part of discussion. c(1 + x1x2y1y2) x = , 3 1 + dx x y y Or program chairs liked paper. y y − x x 1 2 1 2 y = 1 2 1 2 y y − x x 3 c − x x y y 1 2 1 2 Maybe someone thought the title (1 1 2 1 2) y3 = . 1 − dx1x2y1y2 generically defines addition law “9th International Conference on on any elliptic curve of the form (x ; y ) + (x ; y ) = (x ; y ) Theory and Practice in Public- 1 1 2 2 3 3 x2 + y 2 = 1 + dx2y 2. Key Cryptography” justified on any elliptic curve of the form 2 2 2 2 2 4 an occasional paper like this. x + y = c (1 + x y ). d = c is original Edwards. d = 0 is circle, non-elliptic. Note to young cryptographers: Euler+Gauss defined this law 4 Don’t let referees discourage you. for one curve: c = −1. 31 32 Edwards curves 2007 Bernstein–Lange “Faster addition and doubling on elliptic 2007 Edwards “A curves”: Edwards addition law normal form for elliptic curves”: easily generalizes to x1y2 + x2y1 x3 = , x1y2 + x2y1 c(1 + x1x2y1y2) x3 = , 1 + dx1x2y1y2 y1y2 − x1x2 y3 = y1y2 − x1x2 c(1 − x1x2y1y2) y3 = . 1 − dx1x2y1y2 generically defines addition law on any elliptic curve of the form (x ; y ) + (x ; y ) = (x ; y ) 1 1 2 2 3 3 x2 + y 2 = 1 + dx2y 2. on any elliptic curve of the form x2 + y 2 = c2(1 + x2y 2). d = c4 is original Edwards. d = 0 is circle, non-elliptic. Euler+Gauss defined this law for one curve: c4 = −1. 31 32 Edwards curves 2007 Bernstein–Lange “Faster addition and doubling on elliptic 2007 Edwards “A curves”: Edwards addition law normal form for elliptic curves”: easily generalizes to x1y2 + x2y1 x3 = , x1y2 + x2y1 c(1 + x1x2y1y2) x3 = , 1 + dx1x2y1y2 y1y2 − x1x2 y3 = y1y2 − x1x2 c(1 − x1x2y1y2) y3 = . 1 − dx1x2y1y2 generically defines addition law on any elliptic curve of the form (x ; y ) + (x ; y ) = (x ; y ) 1 1 2 2 3 3 x2 + y 2 = 1 + dx2y 2. on any elliptic curve of the form x2 + y 2 = c2(1 + x2y 2). d = c4 is original Edwards. d = 0 is circle, non-elliptic. Euler+Gauss defined this law Surprise for non-square d: for one curve: c4 = −1. this addition law is complete! 31 32 33 Edwards curves 2007 Bernstein–Lange “Faster By easy change of coordinates addition and doubling on elliptic can write y 2 = x3 + Ax2 + x 2007 Edwards “A curves”: Edwards addition law with non-square A2 − 4 normal form for elliptic curves”: easily generalizes to as a complete Edwards curve. x1y2 + x2y1 x3 = , x1y2 + x2y1 In particular: Curve25519. c(1 + x1x2y1y2) x3 = , 1 + dx1x2y1y2 y1y2 − x1x2 y3 = y1y2 − x1x2 c(1 − x1x2y1y2) y3 = . 1 − dx1x2y1y2 generically defines addition law on any elliptic curve of the form (x ; y ) + (x ; y ) = (x ; y ) 1 1 2 2 3 3 x2 + y 2 = 1 + dx2y 2. on any elliptic curve of the form x2 + y 2 = c2(1 + x2y 2). d = c4 is original Edwards. d = 0 is circle, non-elliptic. Euler+Gauss defined this law Surprise for non-square d: for one curve: c4 = −1. this addition law is complete! 31 32 33 Edwards curves 2007 Bernstein–Lange “Faster By easy change of coordinates addition and doubling on elliptic can write y 2 = x3 + Ax2 + x 2007 Edwards “A curves”: Edwards addition law with non-square A2 − 4 normal form for elliptic curves”: easily generalizes to as a complete Edwards curve. x1y2 + x2y1 x3 = , x1y2 + x2y1 In particular: Curve25519. c(1 + x1x2y1y2) x3 = , 1 + dx1x2y1y2 y1y2 − x1x2 y3 = y1y2 − x1x2 c(1 − x1x2y1y2) y3 = . 1 − dx1x2y1y2 generically defines addition law on any elliptic curve of the form (x ; y ) + (x ; y ) = (x ; y ) 1 1 2 2 3 3 x2 + y 2 = 1 + dx2y 2. on any elliptic curve of the form x2 + y 2 = c2(1 + x2y 2). d = c4 is original Edwards. d = 0 is circle, non-elliptic. Euler+Gauss defined this law Surprise for non-square d: for one curve: c4 = −1. this addition law is complete! 31 32 33 Edwards curves 2007 Bernstein–Lange “Faster By easy change of coordinates addition and doubling on elliptic can write y 2 = x3 + Ax2 + x 2007 Edwards “A curves”: Edwards addition law with non-square A2 − 4 normal form for elliptic curves”: easily generalizes to as a complete Edwards curve. x1y2 + x2y1 x3 = , x1y2 + x2y1 In particular: Curve25519. c(1 + x1x2y1y2) x3 = , 1 + dx1x2y1y2 y1y2 − x1x2 y3 = y1y2 − x1x2 c(1 − x1x2y1y2) y3 = . 1 − dx1x2y1y2 generically defines addition law on any elliptic curve of the form (x ; y ) + (x ; y ) = (x ; y ) 1 1 2 2 3 3 x2 + y 2 = 1 + dx2y 2. on any elliptic curve of the form x2 + y 2 = c2(1 + x2y 2). d = c4 is original Edwards. d = 0 is circle, non-elliptic. Euler+Gauss defined this law Surprise for non-square d: for one curve: c4 = −1. this addition law is complete! 32 33 2007 Bernstein–Lange “Faster By easy change of coordinates addition and doubling on elliptic can write y 2 = x3 + Ax2 + x curves”: Edwards addition law with non-square A2 − 4 easily generalizes to as a complete Edwards curve. x1y2 + x2y1 In particular: Curve25519. x3 = , 1 + dx1x2y1y2 y1y2 − x1x2 y3 = . 1 − dx1x2y1y2 on any elliptic curve of the form x2 + y 2 = 1 + dx2y 2. d = c4 is original Edwards. d = 0 is circle, non-elliptic. Surprise for non-square d: this addition law is complete! 32 33 2007 Bernstein–Lange “Faster By easy change of coordinates addition and doubling on elliptic can write y 2 = x3 + Ax2 + x curves”: Edwards addition law with non-square A2 − 4 easily generalizes to as a complete Edwards curve. x y + x y In particular: Curve25519. x = 1 2 2 1 , 3 1 + dx x y y 1 2 1 2 Curve arithmetic is very fast. y1y2 − x1x2 y3 = . (After various followup papers: 1 − dx1x2y1y2 on any elliptic curve of the form even faster!) x2 + y 2 = 1 + dx2y 2. Almost as fast as Montgomery n; P 7→ nP d = c4 is original Edwards. for in DH. d = 0 is circle, non-elliptic. New speed records for Surprise for non-square d: m; n; P; Q 7→ mP + nQ this addition law is complete! and other signature operations. 32 33 34 2007 Bernstein–Lange “Faster By easy change of coordinates The Ed25519 signature system addition and doubling on elliptic can write y 2 = x3 + Ax2 + x CHES 2011 Bernstein–Duif– curves”: Edwards addition law with non-square A2 − 4 Lange–Schwabe–Yang: easily generalizes to as a complete Edwards curve. Start from Schnorr signatures. x1y2 + x2y1 In particular: Curve25519. x3 = , Skip signature compression. 1 + dx1x2y1y2 Curve arithmetic is very fast. Support batch verification. y1y2 − x1x2 y3 = . (After various followup papers: Use double-size H output, and 1 − dx1x2y1y2 include public key A as input: on any elliptic curve of the form even faster!) SB = R + H(R; A; M)A. x2 + y 2 = 1 + dx2y 2. Almost as fast as Montgomery n; P 7→ nP Generate R deterministically d = c4 is original Edwards. for in DH. as a secret hash of M. d = 0 is circle, non-elliptic. New speed records for ⇒ Avoid PlayStation disaster. Surprise for non-square d: m; n; P; Q 7→ mP + nQ this addition law is complete! and other signature operations. Use Curve25519 in complete “−1-twisted” Edwards form. 32 33 34 2007 Bernstein–Lange “Faster By easy change of coordinates The Ed25519 signature system addition and doubling on elliptic can write y 2 = x3 + Ax2 + x CHES 2011 Bernstein–Duif– curves”: Edwards addition law with non-square A2 − 4 Lange–Schwabe–Yang: easily generalizes to as a complete Edwards curve. Start from Schnorr signatures. x1y2 + x2y1 In particular: Curve25519. x3 = , Skip signature compression. 1 + dx1x2y1y2 Curve arithmetic is very fast. Support batch verification. y1y2 − x1x2 y3 = . (After various followup papers: Use double-size H output, and 1 − dx1x2y1y2 include public key A as input: on any elliptic curve of the form even faster!) SB = R + H(R; A; M)A. x2 + y 2 = 1 + dx2y 2. Almost as fast as Montgomery n; P 7→ nP Generate R deterministically d = c4 is original Edwards. for in DH. as a secret hash of M. d = 0 is circle, non-elliptic. New speed records for ⇒ Avoid PlayStation disaster. Surprise for non-square d: m; n; P; Q 7→ mP + nQ this addition law is complete! and other signature operations. Use Curve25519 in complete “−1-twisted” Edwards form. 32 33 34 2007 Bernstein–Lange “Faster By easy change of coordinates The Ed25519 signature system addition and doubling on elliptic can write y 2 = x3 + Ax2 + x CHES 2011 Bernstein–Duif– curves”: Edwards addition law with non-square A2 − 4 Lange–Schwabe–Yang: easily generalizes to as a complete Edwards curve. Start from Schnorr signatures. x1y2 + x2y1 In particular: Curve25519. x3 = , Skip signature compression. 1 + dx1x2y1y2 Curve arithmetic is very fast. Support batch verification. y1y2 − x1x2 y3 = . (After various followup papers: Use double-size H output, and 1 − dx1x2y1y2 include public key A as input: on any elliptic curve of the form even faster!) SB = R + H(R; A; M)A. x2 + y 2 = 1 + dx2y 2. Almost as fast as Montgomery n; P 7→ nP Generate R deterministically d = c4 is original Edwards. for in DH. as a secret hash of M. d = 0 is circle, non-elliptic. New speed records for ⇒ Avoid PlayStation disaster. Surprise for non-square d: m; n; P; Q 7→ mP + nQ this addition law is complete! and other signature operations. Use Curve25519 in complete “−1-twisted” Edwards form. 33 34 By easy change of coordinates The Ed25519 signature system can write y 2 = x3 + Ax2 + x CHES 2011 Bernstein–Duif– with non-square A2 − 4 Lange–Schwabe–Yang: as a complete Edwards curve. In particular: Curve25519. Start from Schnorr signatures. Skip signature compression. Curve arithmetic is very fast. Support batch verification. (After various followup papers: Use double-size H output, and even faster!) include public key A as input: SB = R + H(R; A; M)A. Almost as fast as Montgomery for n; P 7→ nP in DH. Generate R deterministically as a secret hash of M. New speed records for ⇒ Avoid PlayStation disaster. m; n; P; Q 7→ mP + nQ and other signature operations. Use Curve25519 in complete “−1-twisted” Edwards form. 33 34 35 By easy change of coordinates The Ed25519 signature system Optimizations for more platforms can write y 2 = x3 + Ax2 + x CHES 2011 Bernstein–Duif– 2007 Gaudry–Thomé: Core 2. with non-square A2 − 4 Lange–Schwabe–Yang: 2009 Costigan–Schwabe: Cell. as a complete Edwards curve. 2011 Bernstein–Duif–Lange– In particular: Curve25519. Start from Schnorr signatures. Skip signature compression. Schwabe–Yang: Nehalem. Curve arithmetic is very fast. Support batch verification. 2012 Bernstein–Schwabe: NEON. 2014 Langley–Moon: newer Intel. (After various followup papers: Use double-size H output, and 2014 Mahé–Chauvet: GPUs. even faster!) include public key A as input: SB = R + H(R; A; M)A. 2014 Sasdrich–Güneysu: FPGAs. Almost as fast as Montgomery 2015 Chou: newer Intel. for n; P 7→ nP in DH. Generate R deterministically 2015 Düll–Haase–Hinterwälder– as a secret hash of M. New speed records for Hutter–Paar–Sánchez–Schwabe: ⇒ Avoid PlayStation disaster. m; n; P; Q 7→ mP + nQ microcontrollers. and other signature operations. Use Curve25519 in complete 2015 Hutter-Schilling–Schwabe– “−1-twisted” Edwards form. Wieser: ASICs. 33 34 35 By easy change of coordinates The Ed25519 signature system Optimizations for more platforms can write y 2 = x3 + Ax2 + x CHES 2011 Bernstein–Duif– 2007 Gaudry–Thomé: Core 2. with non-square A2 − 4 Lange–Schwabe–Yang: 2009 Costigan–Schwabe: Cell. as a complete Edwards curve. 2011 Bernstein–Duif–Lange– In particular: Curve25519. Start from Schnorr signatures. Skip signature compression. Schwabe–Yang: Nehalem. Curve arithmetic is very fast. Support batch verification. 2012 Bernstein–Schwabe: NEON. 2014 Langley–Moon: newer Intel. (After various followup papers: Use double-size H output, and 2014 Mahé–Chauvet: GPUs. even faster!) include public key A as input: SB = R + H(R; A; M)A. 2014 Sasdrich–Güneysu: FPGAs. Almost as fast as Montgomery 2015 Chou: newer Intel. for n; P 7→ nP in DH. Generate R deterministically 2015 Düll–Haase–Hinterwälder– as a secret hash of M. New speed records for Hutter–Paar–Sánchez–Schwabe: ⇒ Avoid PlayStation disaster. m; n; P; Q 7→ mP + nQ microcontrollers. and other signature operations. Use Curve25519 in complete 2015 Hutter-Schilling–Schwabe– “−1-twisted” Edwards form. Wieser: ASICs. 33 34 35 By easy change of coordinates The Ed25519 signature system Optimizations for more platforms can write y 2 = x3 + Ax2 + x CHES 2011 Bernstein–Duif– 2007 Gaudry–Thomé: Core 2. with non-square A2 − 4 Lange–Schwabe–Yang: 2009 Costigan–Schwabe: Cell. as a complete Edwards curve. 2011 Bernstein–Duif–Lange– In particular: Curve25519. Start from Schnorr signatures. Skip signature compression. Schwabe–Yang: Nehalem. Curve arithmetic is very fast. Support batch verification. 2012 Bernstein–Schwabe: NEON. 2014 Langley–Moon: newer Intel. (After various followup papers: Use double-size H output, and 2014 Mahé–Chauvet: GPUs. even faster!) include public key A as input: SB = R + H(R; A; M)A. 2014 Sasdrich–Güneysu: FPGAs. Almost as fast as Montgomery 2015 Chou: newer Intel. for n; P 7→ nP in DH. Generate R deterministically 2015 Düll–Haase–Hinterwälder– as a secret hash of M. New speed records for Hutter–Paar–Sánchez–Schwabe: ⇒ Avoid PlayStation disaster. m; n; P; Q 7→ mP + nQ microcontrollers. and other signature operations. Use Curve25519 in complete 2015 Hutter-Schilling–Schwabe– “−1-twisted” Edwards form. Wieser: ASICs. 34 35 The Ed25519 signature system Optimizations for more platforms CHES 2011 Bernstein–Duif– 2007 Gaudry–Thomé: Core 2. Lange–Schwabe–Yang: 2009 Costigan–Schwabe: Cell. Start from Schnorr signatures. 2011 Bernstein–Duif–Lange– Skip signature compression. Schwabe–Yang: Nehalem. Support batch verification. 2012 Bernstein–Schwabe: NEON. Use double-size H output, and 2014 Langley–Moon: newer Intel. include public key A as input: 2014 Mahé–Chauvet: GPUs. SB = R + H(R; A; M)A. 2014 Sasdrich–Güneysu: FPGAs. 2015 Chou: newer Intel. Generate R deterministically 2015 Düll–Haase–Hinterwälder– as a secret hash of M. Hutter–Paar–Sánchez–Schwabe: ⇒ Avoid PlayStation disaster. microcontrollers. Use Curve25519 in complete 2015 Hutter-Schilling–Schwabe– “−1-twisted” Edwards form. Wieser: ASICs. 34 35 36 The Ed25519 signature system Optimizations for more platforms Next-generation crypto library CHES 2011 Bernstein–Duif– 2007 Gaudry–Thomé: Core 2. NaCl: Networking and Lange–Schwabe–Yang: 2009 Costigan–Schwabe: Cell. Cryptography library provides Start from Schnorr signatures. 2011 Bernstein–Duif–Lange– very simple new API for public- Skip signature compression. Schwabe–Yang: Nehalem. key authenticated encryption. 2012 Bernstein–Schwabe: NEON. Support batch verification. All-in-one crypto_box function 2014 Langley–Moon: newer Intel. Use double-size H output, and uses Curve25519 for DH, 2014 Mahé–Chauvet: GPUs. include public key A as input: Salsa20 for encryption, 2014 Sasdrich–Güneysu: FPGAs. SB = R + H(R; A; M)A. Poly1305 for authentication. 2015 Chou: newer Intel. Generate R deterministically 2015 Düll–Haase–Hinterwälder– More on NaCl design: see as a secret hash of M. Hutter–Paar–Sánchez–Schwabe: 2011 Bernstein–Lange–Schwabe ⇒ Avoid PlayStation disaster. microcontrollers. “The security impact of a Use Curve25519 in complete 2015 Hutter-Schilling–Schwabe– new cryptographic library”. “−1-twisted” Edwards form. Wieser: ASICs. 34 35 36 The Ed25519 signature system Optimizations for more platforms Next-generation crypto library CHES 2011 Bernstein–Duif– 2007 Gaudry–Thomé: Core 2. NaCl: Networking and Lange–Schwabe–Yang: 2009 Costigan–Schwabe: Cell. Cryptography library provides Start from Schnorr signatures. 2011 Bernstein–Duif–Lange– very simple new API for public- Skip signature compression. Schwabe–Yang: Nehalem. key authenticated encryption. 2012 Bernstein–Schwabe: NEON. Support batch verification. All-in-one crypto_box function 2014 Langley–Moon: newer Intel. Use double-size H output, and uses Curve25519 for DH, 2014 Mahé–Chauvet: GPUs. include public key A as input: Salsa20 for encryption, 2014 Sasdrich–Güneysu: FPGAs. SB = R + H(R; A; M)A. Poly1305 for authentication. 2015 Chou: newer Intel. Generate R deterministically 2015 Düll–Haase–Hinterwälder– More on NaCl design: see as a secret hash of M. Hutter–Paar–Sánchez–Schwabe: 2011 Bernstein–Lange–Schwabe ⇒ Avoid PlayStation disaster. microcontrollers. “The security impact of a Use Curve25519 in complete 2015 Hutter-Schilling–Schwabe– new cryptographic library”. “−1-twisted” Edwards form. Wieser: ASICs. 34 35 36 The Ed25519 signature system Optimizations for more platforms Next-generation crypto library CHES 2011 Bernstein–Duif– 2007 Gaudry–Thomé: Core 2. NaCl: Networking and Lange–Schwabe–Yang: 2009 Costigan–Schwabe: Cell. Cryptography library provides Start from Schnorr signatures. 2011 Bernstein–Duif–Lange– very simple new API for public- Skip signature compression. Schwabe–Yang: Nehalem. key authenticated encryption. 2012 Bernstein–Schwabe: NEON. Support batch verification. All-in-one crypto_box function 2014 Langley–Moon: newer Intel. Use double-size H output, and uses Curve25519 for DH, 2014 Mahé–Chauvet: GPUs. include public key A as input: Salsa20 for encryption, 2014 Sasdrich–Güneysu: FPGAs. SB = R + H(R; A; M)A. Poly1305 for authentication. 2015 Chou: newer Intel. Generate R deterministically 2015 Düll–Haase–Hinterwälder– More on NaCl design: see as a secret hash of M. Hutter–Paar–Sánchez–Schwabe: 2011 Bernstein–Lange–Schwabe ⇒ Avoid PlayStation disaster. microcontrollers. “The security impact of a Use Curve25519 in complete 2015 Hutter-Schilling–Schwabe– new cryptographic library”. “−1-twisted” Edwards form. Wieser: ASICs. 35 36 Optimizations for more platforms Next-generation crypto library 2007 Gaudry–Thomé: Core 2. NaCl: Networking and 2009 Costigan–Schwabe: Cell. Cryptography library provides 2011 Bernstein–Duif–Lange– very simple new API for public- Schwabe–Yang: Nehalem. key authenticated encryption. 2012 Bernstein–Schwabe: NEON. All-in-one crypto_box function 2014 Langley–Moon: newer Intel. uses Curve25519 for DH, 2014 Mahé–Chauvet: GPUs. Salsa20 for encryption, 2014 Sasdrich–Güneysu: FPGAs. Poly1305 for authentication. 2015 Chou: newer Intel. 2015 Düll–Haase–Hinterwälder– More on NaCl design: see Hutter–Paar–Sánchez–Schwabe: 2011 Bernstein–Lange–Schwabe microcontrollers. “The security impact of a 2015 Hutter-Schilling–Schwabe– new cryptographic library”. Wieser: ASICs. 35 36 37 Optimizations for more platforms Next-generation crypto library Simplicity 2007 Gaudry–Thomé: Core 2. NaCl: Networking and Curve25519 paper 2009 Costigan–Schwabe: Cell. Cryptography library provides advertised “short code.” 2011 Bernstein–Duif–Lange– very simple new API for public- 2013 Bernstein–Janssen– Schwabe–Yang: Nehalem. key authenticated encryption. Lange–Schwabe: TweetNaCl, 2012 Bernstein–Schwabe: NEON. All-in-one crypto_box function reimplementing NaCl in 100 2014 Langley–Moon: newer Intel. uses Curve25519 for DH, tweets. Does speed matter? 2014 Mahé–Chauvet: GPUs. Salsa20 for encryption, 2014 Sasdrich–Güneysu: FPGAs. Poly1305 for authentication. 2015 Chou: newer Intel. 2015 Düll–Haase–Hinterwälder– More on NaCl design: see Hutter–Paar–Sánchez–Schwabe: 2011 Bernstein–Lange–Schwabe microcontrollers. “The security impact of a 2015 Hutter-Schilling–Schwabe– new cryptographic library”. Wieser: ASICs. 35 36 37 Optimizations for more platforms Next-generation crypto library Simplicity 2007 Gaudry–Thomé: Core 2. NaCl: Networking and Curve25519 paper 2009 Costigan–Schwabe: Cell. Cryptography library provides advertised “short code.” 2011 Bernstein–Duif–Lange– very simple new API for public- 2013 Bernstein–Janssen– Schwabe–Yang: Nehalem. key authenticated encryption. Lange–Schwabe: TweetNaCl, 2012 Bernstein–Schwabe: NEON. All-in-one crypto_box function reimplementing NaCl in 100 2014 Langley–Moon: newer Intel. uses Curve25519 for DH, tweets. Does speed matter? 2014 Mahé–Chauvet: GPUs. Salsa20 for encryption, 2014 Sasdrich–Güneysu: FPGAs. Poly1305 for authentication. 2015 Chou: newer Intel. 2015 Düll–Haase–Hinterwälder– More on NaCl design: see Hutter–Paar–Sánchez–Schwabe: 2011 Bernstein–Lange–Schwabe microcontrollers. “The security impact of a 2015 Hutter-Schilling–Schwabe– new cryptographic library”. Wieser: ASICs. 35 36 37 Optimizations for more platforms Next-generation crypto library Simplicity 2007 Gaudry–Thomé: Core 2. NaCl: Networking and Curve25519 paper 2009 Costigan–Schwabe: Cell. Cryptography library provides advertised “short code.” 2011 Bernstein–Duif–Lange– very simple new API for public- 2013 Bernstein–Janssen– Schwabe–Yang: Nehalem. key authenticated encryption. Lange–Schwabe: TweetNaCl, 2012 Bernstein–Schwabe: NEON. All-in-one crypto_box function reimplementing NaCl in 100 2014 Langley–Moon: newer Intel. uses Curve25519 for DH, tweets. Does speed matter? 2014 Mahé–Chauvet: GPUs. Salsa20 for encryption, 2014 Sasdrich–Güneysu: FPGAs. Poly1305 for authentication. 2015 Chou: newer Intel. 2015 Düll–Haase–Hinterwälder– More on NaCl design: see Hutter–Paar–Sánchez–Schwabe: 2011 Bernstein–Lange–Schwabe microcontrollers. “The security impact of a 2015 Hutter-Schilling–Schwabe– new cryptographic library”. Wieser: ASICs. 36 37 Next-generation crypto library Simplicity NaCl: Networking and Curve25519 paper Cryptography library provides advertised “short code.” very simple new API for public- 2013 Bernstein–Janssen– key authenticated encryption. Lange–Schwabe: TweetNaCl, All-in-one crypto_box function reimplementing NaCl in 100 uses Curve25519 for DH, tweets. Does speed matter? Salsa20 for encryption, Poly1305 for authentication. More on NaCl design: see 2011 Bernstein–Lange–Schwabe “The security impact of a new cryptographic library”. 36 37 Next-generation crypto library Simplicity NaCl: Networking and Curve25519 paper Cryptography library provides advertised “short code.” very simple new API for public- 2013 Bernstein–Janssen– key authenticated encryption. Lange–Schwabe: TweetNaCl, All-in-one crypto_box function reimplementing NaCl in 100 uses Curve25519 for DH, tweets. Does speed matter? Salsa20 for encryption, Largest chunk of code: The hash Poly1305 for authentication. function used inside signatures! More on NaCl design: see 2011 Bernstein–Lange–Schwabe “The security impact of a new cryptographic library”. 36 37 Next-generation crypto library Simplicity NaCl: Networking and Curve25519 paper Cryptography library provides advertised “short code.” very simple new API for public- 2013 Bernstein–Janssen– key authenticated encryption. Lange–Schwabe: TweetNaCl, All-in-one crypto_box function reimplementing NaCl in 100 uses Curve25519 for DH, tweets. Does speed matter? Salsa20 for encryption, Largest chunk of code: The hash Poly1305 for authentication. function used inside signatures! More on NaCl design: see 2014 Bernstein–van Gastel– 2011 Bernstein–Lange–Schwabe Janssen–Lange–Schwabe– “The security impact of a Smetsers: formal verification of new cryptographic library”. some TweetNaCl properties. 36 37 38 Next-generation crypto library Simplicity 2014 Chen–Hsu–Lin–Schwabe– Tsai–Wang–Yang–Yang “Verifying NaCl: Networking and Curve25519 paper Curve25519 software”: formal Cryptography library provides advertised “short code.” verification of correctness of very simple new API for public- 2013 Bernstein–Janssen– two high-speed asm main loops. key authenticated encryption. Lange–Schwabe: TweetNaCl, Newer work ongoing: e.g., 2015 All-in-one crypto_box function reimplementing NaCl in 100 Russinoff “A computationally uses Curve25519 for DH, tweets. Does speed matter? surveyable proof of the Salsa20 for encryption, Largest chunk of code: The hash Curve25519 group axioms”; 2015 Poly1305 for authentication. function used inside signatures! Bernstein–Schwabe gfverif. More on NaCl design: see 2014 Bernstein–van Gastel– Single-curve code helps speed 2011 Bernstein–Lange–Schwabe Janssen–Lange–Schwabe– and is the most promising avenue “The security impact of a Smetsers: formal verification of towards bug-free ECC software. new cryptographic library”. some TweetNaCl properties. 36 37 38 Next-generation crypto library Simplicity 2014 Chen–Hsu–Lin–Schwabe– Tsai–Wang–Yang–Yang “Verifying NaCl: Networking and Curve25519 paper Curve25519 software”: formal Cryptography library provides advertised “short code.” verification of correctness of very simple new API for public- 2013 Bernstein–Janssen– two high-speed asm main loops. key authenticated encryption. Lange–Schwabe: TweetNaCl, Newer work ongoing: e.g., 2015 All-in-one crypto_box function reimplementing NaCl in 100 Russinoff “A computationally uses Curve25519 for DH, tweets. Does speed matter? surveyable proof of the Salsa20 for encryption, Largest chunk of code: The hash Curve25519 group axioms”; 2015 Poly1305 for authentication. function used inside signatures! Bernstein–Schwabe gfverif. More on NaCl design: see 2014 Bernstein–van Gastel– Single-curve code helps speed 2011 Bernstein–Lange–Schwabe Janssen–Lange–Schwabe– and is the most promising avenue “The security impact of a Smetsers: formal verification of towards bug-free ECC software. new cryptographic library”. some TweetNaCl properties. 36 37 38 Next-generation crypto library Simplicity 2014 Chen–Hsu–Lin–Schwabe– Tsai–Wang–Yang–Yang “Verifying NaCl: Networking and Curve25519 paper Curve25519 software”: formal Cryptography library provides advertised “short code.” verification of correctness of very simple new API for public- 2013 Bernstein–Janssen– two high-speed asm main loops. key authenticated encryption. Lange–Schwabe: TweetNaCl, Newer work ongoing: e.g., 2015 All-in-one crypto_box function reimplementing NaCl in 100 Russinoff “A computationally uses Curve25519 for DH, tweets. Does speed matter? surveyable proof of the Salsa20 for encryption, Largest chunk of code: The hash Curve25519 group axioms”; 2015 Poly1305 for authentication. function used inside signatures! Bernstein–Schwabe gfverif. More on NaCl design: see 2014 Bernstein–van Gastel– Single-curve code helps speed 2011 Bernstein–Lange–Schwabe Janssen–Lange–Schwabe– and is the most promising avenue “The security impact of a Smetsers: formal verification of towards bug-free ECC software. new cryptographic library”. some TweetNaCl properties. 37 38 Simplicity 2014 Chen–Hsu–Lin–Schwabe– Tsai–Wang–Yang–Yang “Verifying Curve25519 paper Curve25519 software”: formal advertised “short code.” verification of correctness of 2013 Bernstein–Janssen– two high-speed asm main loops. Lange–Schwabe: TweetNaCl, Newer work ongoing: e.g., 2015 reimplementing NaCl in 100 Russinoff “A computationally tweets. Does speed matter? surveyable proof of the Largest chunk of code: The hash Curve25519 group axioms”; 2015 function used inside signatures! Bernstein–Schwabe gfverif. 2014 Bernstein–van Gastel– Single-curve code helps speed Janssen–Lange–Schwabe– and is the most promising avenue Smetsers: formal verification of towards bug-free ECC software. some TweetNaCl properties. 37 38 39 Simplicity 2014 Chen–Hsu–Lin–Schwabe– 2012: Apple deploys Curve25519 Tsai–Wang–Yang–Yang “Verifying Curve25519 paper Curve25519 software”: formal advertised “short code.” verification of correctness of 2013 Bernstein–Janssen– two high-speed asm main loops. Lange–Schwabe: TweetNaCl, Newer work ongoing: e.g., 2015 reimplementing NaCl in 100 Russinoff “A computationally tweets. Does speed matter? surveyable proof of the Largest chunk of code: The hash Curve25519 group axioms”; 2015 function used inside signatures! Bernstein–Schwabe gfverif. 2014 Bernstein–van Gastel– Single-curve code helps speed Janssen–Lange–Schwabe– and is the most promising avenue Smetsers: formal verification of towards bug-free ECC software. some TweetNaCl properties. 37 38 39 Simplicity 2014 Chen–Hsu–Lin–Schwabe– 2012: Apple deploys Curve25519 Tsai–Wang–Yang–Yang “Verifying Curve25519 paper Curve25519 software”: formal advertised “short code.” verification of correctness of 2013 Bernstein–Janssen– two high-speed asm main loops. Lange–Schwabe: TweetNaCl, Newer work ongoing: e.g., 2015 reimplementing NaCl in 100 Russinoff “A computationally tweets. Does speed matter? surveyable proof of the Largest chunk of code: The hash Curve25519 group axioms”; 2015 function used inside signatures! Bernstein–Schwabe gfverif. 2014 Bernstein–van Gastel– Single-curve code helps speed Janssen–Lange–Schwabe– and is the most promising avenue Smetsers: formal verification of towards bug-free ECC software. some TweetNaCl properties. 37 38 39 Simplicity 2014 Chen–Hsu–Lin–Schwabe– 2012: Apple deploys Curve25519 Tsai–Wang–Yang–Yang “Verifying Curve25519 paper Curve25519 software”: formal advertised “short code.” verification of correctness of 2013 Bernstein–Janssen– two high-speed asm main loops. Lange–Schwabe: TweetNaCl, Newer work ongoing: e.g., 2015 reimplementing NaCl in 100 Russinoff “A computationally tweets. Does speed matter? surveyable proof of the Largest chunk of code: The hash Curve25519 group axioms”; 2015 function used inside signatures! Bernstein–Schwabe gfverif. 2014 Bernstein–van Gastel– Single-curve code helps speed Janssen–Lange–Schwabe– and is the most promising avenue Smetsers: formal verification of towards bug-free ECC software. some TweetNaCl properties. 38 39 2014 Chen–Hsu–Lin–Schwabe– 2012: Apple deploys Curve25519 Tsai–Wang–Yang–Yang “Verifying Curve25519 software”: formal verification of correctness of two high-speed asm main loops. Newer work ongoing: e.g., 2015 Russinoff “A computationally surveyable proof of the Curve25519 group axioms”; 2015 Bernstein–Schwabe gfverif. Single-curve code helps speed and is the most promising avenue towards bug-free ECC software. 38 39 40 2014 Chen–Hsu–Lin–Schwabe– 2012: Apple deploys Curve25519 2013: Signal deploys Curve25519 Tsai–Wang–Yang–Yang “Verifying Curve25519 software”: formal verification of correctness of two high-speed asm main loops. Newer work ongoing: e.g., 2015 Russinoff “A computationally surveyable proof of the Curve25519 group axioms”; 2015 Bernstein–Schwabe gfverif. Single-curve code helps speed and is the most promising avenue towards bug-free ECC software. 38 39 40 2014 Chen–Hsu–Lin–Schwabe– 2012: Apple deploys Curve25519 2013: Signal deploys Curve25519 Tsai–Wang–Yang–Yang “Verifying Curve25519 software”: formal verification of correctness of two high-speed asm main loops. Newer work ongoing: e.g., 2015 Russinoff “A computationally surveyable proof of the Curve25519 group axioms”; 2015 Bernstein–Schwabe gfverif. Single-curve code helps speed and is the most promising avenue towards bug-free ECC software. 38 39 40 2014 Chen–Hsu–Lin–Schwabe– 2012: Apple deploys Curve25519 2013: Signal deploys Curve25519 Tsai–Wang–Yang–Yang “Verifying Curve25519 software”: formal verification of correctness of two high-speed asm main loops. Newer work ongoing: e.g., 2015 Russinoff “A computationally surveyable proof of the Curve25519 group axioms”; 2015 Bernstein–Schwabe gfverif. Single-curve code helps speed and is the most promising avenue towards bug-free ECC software. 39 40 2012: Apple deploys Curve25519 2013: Signal deploys Curve25519 39 40 41 2012: Apple deploys Curve25519 2013: Signal deploys Curve25519 2014: OpenSSH deploys Curve25519 39 40 41 2012: Apple deploys Curve25519 2013: Signal deploys Curve25519 2014: OpenSSH deploys Curve25519 39 40 41 2012: Apple deploys Curve25519 2013: Signal deploys Curve25519 2014: OpenSSH deploys Curve25519 40 41 2013: Signal deploys Curve25519 2014: OpenSSH deploys Curve25519 40 41 42 2013: Signal deploys Curve25519 2014: OpenSSH deploys Curve25519 2015.10: IRTF CFRG settles on EdDSA—Ed25519 and Ed448— for signatures. Already selected X25519 and X448 for DH. 2015.10: NIST reopens its ECC standards for comment, paving way for new curves. 2015.11: BoringSSL adds X25519 and Ed25519. These are just some highlights. Many more: ianix.com/pub /curve25519-deployment.html and /ed25519-deployment.html. 40 41 42 2013: Signal deploys Curve25519 2014: OpenSSH deploys Curve25519 2015.10: IRTF CFRG settles on EdDSA—Ed25519 and Ed448— for signatures. Already selected X25519 and X448 for DH. 2015.10: NIST reopens its ECC standards for comment, paving way for new curves. 2015.11: BoringSSL adds X25519 and Ed25519. These are just some highlights. Many more: ianix.com/pub /curve25519-deployment.html and /ed25519-deployment.html. 40 41 42 2013: Signal deploys Curve25519 2014: OpenSSH deploys Curve25519 2015.10: IRTF CFRG settles on EdDSA—Ed25519 and Ed448— for signatures. Already selected X25519 and X448 for DH. 2015.10: NIST reopens its ECC standards for comment, paving way for new curves. 2015.11: BoringSSL adds X25519 and Ed25519. These are just some highlights. Many more: ianix.com/pub /curve25519-deployment.html and /ed25519-deployment.html. 41 42 2014: OpenSSH deploys Curve25519 2015.10: IRTF CFRG settles on EdDSA—Ed25519 and Ed448— for signatures. Already selected X25519 and X448 for DH. 2015.10: NIST reopens its ECC standards for comment, paving way for new curves. 2015.11: BoringSSL adds X25519 and Ed25519. These are just some highlights. Many more: ianix.com/pub /curve25519-deployment.html and /ed25519-deployment.html.