Re: [Cfrg] big-endian short-Weierstrass please

Nico Williams <nico@cryptonector.com> Thu, 29 January 2015 21:54 UTC

Date: Thu, 29 Jan 2015 15:54:23 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
Message-ID: <20150129215419.GD3110@localhost>
References: <20150128231006.GJ3110@localhost> <D0EED79E.204B1%uri@ll.mit.edu> <878ugleei5.fsf@alice.fifthhorseman.net> <CAMm+LwhD8ZmuO7_OsGYX_VARYT=gDJSkZVavxXkTOvfFLJ-Usg@mail.gmail.com> <CACsn0ckb4xW7gTP4m9BHkQe-Y00Y306wOcuEoSQ25XLeXX14UQ@mail.gmail.com> <CAMm+LwixbMKC+JYRJv2chgBG=dkgqxTNyDY4WZYbKQNzk6isaw@mail.gmail.com> <D0EFF650.2058C%uri@ll.mit.edu> <DA764660-62CE-47C8-B903-78B5B75CD6DB@vpnc.org> <CAMm+Lwhek74JYC1WqKw2XmSGLMnH+XpYRs6j=xUD9B6pjto3tw@mail.gmail.com> <D0F00862.205B5%uri@ll.mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/-SlYj4AtWnA936Ms-xscWd8abCk>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] big-endian short-Weierstrass please

On Thu, Jan 29, 2015 at 09:28:57PM +0000, Blumenthal, Uri - 0558 - MITLL wrote:
> I’m arguing that there is a need for DIY curves, on both personal and
> “organizational” level.

That's not really what is causing debate.  The associated proposal for a
one-size-fits-all point representation is.  DIY curve negotiation could
include point representation negotiation, though the cost in terms of
generic code would be non-trivial, but then, so is the cost of DIY
curves in general, thus I don't mind that cost.

Drop the one-size-fits-all point representation proposal and this thread
goes quiet and we can expend effort on those remaining issues that
matter the most right now (amongst which DIY-curves isn't, not for me
anyways).

> > So I think we can come up with a decision here but the process makes me
> > certain that there is no possibility that two random computers could negotiate
> > a secure set of curves on the Internet via a protocol. Unless that is we
> > assume some form of out-of-band trust relationship.
> 
> There should be a set of “universally” accepted curves, so that when you
> want to talk to a complete stranger – both of you would use what the
> “community” considers cryptographically OK (which belongs to that small
> commonly shared set). But that’s only half of use cases.

If a community can agree a priori on a set of specific curves, then
there's no need for DIY curves, just a registry of DIY curves.

OTOH, if the two strangers meeting by chance don't have a common
community yet still want to pick one of their DIY curves, then we need
DIY curve support in the protocol, and one has to wonder: why would the
other stranger trust the first as to choice of DIY curve?!  Which
thought leads me to conclude that we don't need DIY curves, just a
registry that is open enough to represent a superset of communities (the
two strangers still need to agree as to a common subset of that, of
course).

> There should be an option to specify “my own” curves, so that when, e.g. one
> “team” member wants to talk to his peer – their software will pick that
> special curve that was for whatever reasons approved by their boss, or
> refuse to connect. Because in that context ability to establish a connection
> with a stranger is undesirable.

How do you not get this with a registry?

> > That said, I prefer the Edwards curves because I can explain them to other
> > folk without resorting to abstract math (now I have been given the link to
> > DJB's presentation at Chaos). The use of the Weierstrass forms is much less
> > friendly.
> 
> I see your point.

There is that too.
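The two things argued about above, a one-size-fits-all point representation versus a registry of named curves each carrying its own wire format, can be made concrete in a few lines. The following is an added example and is not code from the message or from the CFRG; it uses the published P-256 and Curve25519 parameters, encodes a short-Weierstrass point the SEC1 big-endian way and an X25519 u-coordinate the RFC 7748 little-endian way, and shows what goes wrong when a peer assumes the wrong byte order. The registry names, the `negotiate()` helper and the `byteorder` knob on the decoder are hypothetical, there only to illustrate the argument.

```python
"""Per-curve point representations and a registry-based negotiation.

Added example, not from the mailing-list message.  Curve constants are
the published P-256 (secp256r1) and Curve25519 parameters; everything
else (registry names, negotiate(), the byteorder knob) is hypothetical.
"""

# NIST P-256: short-Weierstrass y^2 = x^3 + a*x + b over GF(p).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

# Curve25519: Montgomery form v^2 = u^3 + A*u^2 + u over GF(2^255 - 19).
C25519_P = 2**255 - 19
C25519_A = 486662
C25519_U = 9  # u-coordinate of the base point


def p256_on_curve(x, y):
    """Range check plus curve equation; reject anything else."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def sec1_encode(x, y):
    """SEC1 uncompressed point: 0x04 || X || Y, each 32 bytes big-endian."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def sec1_decode(data, byteorder="big"):
    """Parse a SEC1 uncompressed point and validate it is on P-256.

    SEC1 is big-endian; `byteorder` is a hypothetical knob used only to
    show that a peer reading the same bytes little-endian gets a value
    that fails validation rather than a silently different point.
    """
    if len(data) != 65 or data[0] != 0x04:
        raise ValueError("not a 65-byte SEC1 uncompressed point")
    x = int.from_bytes(data[1:33], byteorder)
    y = int.from_bytes(data[33:65], byteorder)
    if not p256_on_curve(x, y):
        raise ValueError("decoded point is not on P-256")
    return x, y


def x25519_encode_u(u):
    """RFC 7748: u-coordinate as 32 bytes little-endian."""
    return (u % C25519_P).to_bytes(32, "little")


def x25519_decode_u(data):
    """RFC 7748 section 5: mask the top bit, accept non-canonical values."""
    if len(data) != 32:
        raise ValueError("X25519 u-coordinate must be exactly 32 bytes")
    return (int.from_bytes(data, "little") & ((1 << 255) - 1)) % C25519_P


# Hypothetical registry: a curve identifier binds the curve *and* its wire
# format, so no separate point-representation negotiation is needed.
REGISTRY = {
    "secp256r1": (sec1_encode, sec1_decode),
    "x25519": (x25519_encode_u, x25519_decode_u),
}


def negotiate(local_pref, peer_offer, registry=REGISTRY):
    """Return the first locally preferred curve the peer also offers.

    A policy-restricted local list (say, a single approved curve) means
    the call raises, i.e. 'refuse to connect', when the peer lacks it.
    """
    for name in local_pref:
        if name in peer_offer and name in registry:
            return name
    raise ValueError("no mutually supported registered curve")


if __name__ == "__main__":
    g = sec1_encode(P256_GX, P256_GY)
    print("P-256 G, SEC1:", g.hex())
    print("X25519 base u:", x25519_encode_u(C25519_U).hex())
    try:
        sec1_decode(g, byteorder="little")
    except ValueError as e:
        print("wrong byte order rejected:", e)
    print("negotiated:", negotiate(["x25519", "secp256r1"], ["secp256r1"]))
```

The decoders do the validation a practitioner wants regardless of representation: SEC1 input is checked for length, prefix and the curve equation, and X25519 input follows RFC 7748's masking rule. Reading SEC1 bytes little-endian yields coordinates that fail the on-curve check, which is why a representation has to be fixed per curve in the registry rather than negotiated separately.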