Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]

Mike Hamburg <> Thu, 27 November 2014 08:15 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 49BB31A01F0 for <>; Thu, 27 Nov 2014 00:15:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.555
X-Spam-Level: *
X-Spam-Status: No, score=1.555 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qNEtiJ22DiBJ for <>; Thu, 27 Nov 2014 00:15:00 -0800 (PST)
Received: from ( []) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 299A71A0166 for <>; Thu, 27 Nov 2014 00:15:00 -0800 (PST)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 75C1B3AC24; Thu, 27 Nov 2014 00:13:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=sldo; t=1417075998; bh=ltCyfFIkHxKO+ZYjYV2qmxglkH4AP10ihmVmlcKjIco=; h=Date:From:To:CC:Subject:References:In-Reply-To:From; b=cD+t6QrmXJyQp4N3ceii2/pWwjfI1ugGUQImLiICm0jwsL/OvW9URluWjHV+F4hUj 9EGN5y0fhdNMJjX0/QjvfcG/paMJJ5d4uhJIsUrZ8HDSoKHTbNtHqs/krpAen3zC8v gMIZM6dEmMqg0aHbsFgpsvgQgUPg9pjgC9+0XycM=
Message-ID: <>
Date: Thu, 27 Nov 2014 00:14:49 -0800
From: Mike Hamburg <>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Alyssa Rowan <>, Adam Langley <>
References: <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "" <>
Subject: Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 27 Nov 2014 08:15:01 -0000

On 11/26/2014 11:54 PM, Alyssa Rowan wrote:
> Yes,  that's just what I thought.
> As the greater value of A used in Curve25519 produces a simpler secure implementation with no weak private keys to check for, and that is the only big difference between Curve25519 and this proposal, I should prefer Curve25519 according to our selection criteria. Why *not* that, then?
Ask anyone who's implemented ECDSA on NIST-P160 :-)

Curve25519 has no weak keys because its order is 2^252+O(2^126), i.e. 
slightly over a power of 2.  Many curve generation procedures specify 
that the order must be slightly under a power of 2 rather than slightly 
over, because that also has advantages.  It permits slightly easier 
Barrett reduction mod the order, avoids special cases involving an extra 
bit, and for a few cases (MQV, I think) avoids having to do an extra 
point op in constant time algorithms just in case that bit might be set.

-- Mike