IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - curve form and coordinate systems (ends on March 12th)

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Thu, 12 March 2015 23:08 UTC

Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31F0E1A8763 for <cfrg@ietfa.amsl.com>; Thu, 12 Mar 2015 16:08:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Puesl-n7OCuL for <cfrg@ietfa.amsl.com>; Thu, 12 Mar 2015 16:07:57 -0700 (PDT)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0672.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe00::672]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F7491A700B for <cfrg@irtf.org>; Thu, 12 Mar 2015 16:07:57 -0700 (PDT)
Received: from DBXPR03MB383.eurprd03.prod.outlook.com (10.141.10.15) by DBXPR03MB381.eurprd03.prod.outlook.com (10.141.10.11) with Microsoft SMTP Server (TLS) id 15.1.112.19; Thu, 12 Mar 2015 22:33:43 +0000
Received: from DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) by DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) with mapi id 15.01.0112.000; Thu, 12 Mar 2015 22:33:43 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Nico Williams <nico@cryptonector.com>, Alexey Melnikov <alexey.melnikov@isode.com>
Thread-Topic: [Cfrg] Elliptic Curves - curve form and coordinate systems (ends on March 12th)
Thread-Index: AQHQV5x6lMNrZn/9ZESl8xFUb9PbwJ0ZVYIAgAAkVoA=
Date: Thu, 12 Mar 2015 22:33:43 +0000
Message-ID: <D127C247.42445%kenny.paterson@rhul.ac.uk>
References: <54F8E735.2010202@isode.com> <20150312202314.GZ7286@localhost>
In-Reply-To: <20150312202314.GZ7286@localhost>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.8.150116
x-originating-ip: [212.183.128.162]
authentication-results: cryptonector.com; dkim=none (message not signed) header.d=none;
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DBXPR03MB381;
x-forefront-antispam-report: BMV:1; SFV:NSPM; SFS:(10009020)(6009001)(24454002)(51704005)(479174004)(2900100001)(92566002)(83506001)(2950100001)(87936001)(2656002)(36756003)(106116001)(122556002)(19580395003)(19580405001)(40100003)(76176999)(50986999)(54356999)(77096005)(77156002)(1720100001)(15975445007)(62966003)(46102003)(102836002)(74482002)(66066001)(86362001); DIR:OUT; SFP:1101; SCL:1; SRVR:DBXPR03MB381; H:DBXPR03MB383.eurprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
x-microsoft-antispam-prvs: <DBXPR03MB381CEF778440BCC21EE3C1EBC060@DBXPR03MB381.eurprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5002009)(5005006); SRVR:DBXPR03MB381; BCL:0; PCL:0; RULEID:; SRVR:DBXPR03MB381;
x-forefront-prvs: 05134F8B4F
Content-Type: text/plain; charset="us-ascii"
Content-ID: <EAE4A3CDC12CB843B078961A20FF6DCE@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Mar 2015 22:33:43.3687 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2efd699a-1922-4e69-b601-108008d28a2e
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBXPR03MB381
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/-aXf2pSqxMM_HpKKtOTBMfU7a40>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems (ends on March 12th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2015 23:08:00 -0000

On 12/03/2015 21:23, "Nico Williams" <nico@cryptonector.com> wrote:

>On Thu, Mar 05, 2015 at 11:31:01PM +0000, Alexey Melnikov wrote:
>> CFRG chairs are starting discussion of the next topic:
>> 
>> Q4: draft-irtf-cfrg-curves-01 currently contains curves in both
>> Montgomery form and Edwards form. The scalar multiplication routine
>> is specified using Montgomery form (and is specific to Curve25519,
>> which will need to be changed given our decision to include a higher
>> security level curve). Its input is a scalar and the u-coordinate of
>
>I don't understand the parenthetical.  What does including a higher
>security-level curve have to do with whether Curve25519 uses Montgomery
>form?

Nothing. The point is that the current text concerning the scalar
multiplication routine is very tied to Curve25519, and needs to be
modified if it is to be able to handle other curves - either by
generalising it or including separate and parallel text for each
additional curve. No-one is proposing to harm Curve25519 in any way!

>> a point on a Montgomery-form curve; its output is the u-coordinate
>> of a point on a Montgomery-form curve. The DH function builds on
>> this routine. Do we want to stay with specifying the inputs and
>> outputs in Montgomery form for these routines? Or do we want to
>> switch to an alternative curve form and coordinate system for
>> defining the routines? If so, which form and coordinate system?
>
>Stay, not switch.
>
>Yesterday I posted an extended reply about this as a follow-up to
>Watson's reply about this:
>
>http://www.ietf.org/mail-archive/web/cfrg/current/msg06438.html
>
>> [Chairs are aware that it is possible to switch back and forward
>> between different curve forms and coordinate systems, with
>> associated costs, no matter which form is specified for the inputs
>> and outputs of the routines. But we now have to decide *which* form
>> we want to use for inputs and outputs, so as to ensure
>> interoperability between Alice and Bob. Chairs did not want to
>> implicitly force the choice of Montgomery form/coordinates without
>> polling the group first.]
>
>There is no need to switch back and forth between code representations
>unless one wishes to use a private key both for ECDH *and* other ECC
>purporses (e.g., signatures) where Montgomery is a pessimization.  Even
>should such a use-case arise, as you point out, conversions are
>possible.
>
>> Once this issues is settled, we will be discussing (in no particular
>> order. Chairs reserve the right to add additional questions) wire
>> format, byte order and signature schemes. Please don't discuss any
>> of these future topics at this time.
>
>Sure, though of course, if we accept that each curve can dictate what
>point representation to use [up to and including separately for each use
>type, ECDH, signatures, ...], then there's no point getting exercised
>about Curve25519's choice of marshalling format (including endianness)
>(but there would be a point to getting exercised about changing that).
>
>Nico
>-- 
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email