Re: [Cfrg] big-endian short-Weierstrass please

Nico Williams <> Thu, 29 January 2015 21:54 UTC

Date: Thu, 29 Jan 2015 15:54:23 -0600
From: Nico Williams <>
To: "Blumenthal, Uri - 0558 - MITLL" <>
Message-ID: <20150129215419.GD3110@localhost>

On Thu, Jan 29, 2015 at 09:28:57PM +0000, Blumenthal, Uri - 0558 - MITLL wrote:
> I’m arguing that there is a need for DIY curves, on both personal and
> “organizational” level.

That's not really what is causing debate.  The associated proposal for a
one-size-fits-all point representation is.  DIY curve negotiation could
include point representation negotiation, though the cost in terms of
generic code would be non-trivial, but then, so is the cost of DIY
curves in general, thus I don't mind that cost.

Drop the one-size-fits-all point representation proposal and this thread
goes quiet and we can expend effort on those remaining issues that
matter the most right now (amongst which DIY-curves isn't, not for me

> > So I think we can come up with a decision here but the process makes me
> > certain that there is no possibility that two random computers could negotiate
> > a secure set of curves on the Internet via a protocol. Unless that is we
> > assume some form of out-of-band trust relationship.
> There should be a set of “universally” accepted curves, so that when you
> want to talk to a complete stranger – both of you would use what the
> “community” considers cryptographically OK (which belongs to that small
> commonly shared set). But that’s only half of use cases.

If a community can agree a priori on a set of specific curves, then
there's no need for DIY curves, just a registry of DIY curves.

OTOH, if the two strangers meeting by chance don't have a common
community yet still want to pick one of their DIY curves, then we need
DIY curve support in the protocol, and one has to wonder: why would the
other stranger trust the first as to choice of DIY curve?!  Which
thought leads me to conclude that we don't need DIY curves, just a
registry that is open enough to represent a superset of communities (the
two strangers still need to agree as to a common subset of that, of

> There should be an option to specify “my own” curves, so that when, e.g. one
> “team” member wants to talk to his peer – their software will pick that
> special curve that was for whatever reasons approved by their boss, or
> refuse to connect. Because in that context ability to establish a connection
> with a stranger is undesirable.

How do you not get this with a registry?

> > That said, I prefer the Edwards curves because I can explain them to other
> > folk without resorting to abstract math (now I have been given the link to
> > DJB's presentation at Chaos). The Weierstrass forms are much less
> > friendly.
> I see your point.

There is that too.