Re: [Cfrg] Curve manipulation, revisited
Watson Ladd <watsonbladd@gmail.com> Tue, 30 December 2014 16:06 UTC
Date: Tue, 30 Dec 2014 11:06:17 -0500
Message-ID: <CACsn0c=vnphefNyGytiNOANssVAfG7tVka8Ws38W9BjE8_VP0g@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Benjamin Black <b@b3k.us>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/2r8DqLgebIZOt2mAX9lIbytfy7g
Cc: Adam Langley <agl@imperialviolet.org>, "cfrg@irtf.org" <cfrg@irtf.org>
On Mon, Dec 29, 2014 at 3:36 PM, Benjamin Black <b@b3k.us> wrote:
> On Mon, Dec 29, 2014 at 12:25 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
>>
>> I also don't see why this matters: now that Montgomery x form and
>> complete coordinates for signatures are being used, there isn't a
>> difference between the rival proposals on this point.
>
> Does this mean you find the draft with the additions of x-only and the
> cofactor constraint acceptable?

No, for several reasons. 2^389-21 has significant performance benefits
on Haswell, 8-9% over 2^384-big, which performs the same way as Ed448.
Our early measurements were on other platforms, with relatively
unoptimized code, and didn't compare to the NUMS code you released, but
to your performance numbers. Because we used different benchmarking
setups, there was a systemic error in our cycle counts vs. yours. Now
that we remeasured your code with our benchmark, we get better numbers.
(We is misleading: Mike Hamburg did a lot more of the work than I did,
and the suggestion was Ilari Liusvaara's. My sole contribution was
writing a terrible first cut, which Mike threw out for the second
version.)

The easiest way to get good numbers across multiple platforms would be
a SUPERCOP run. I've screwed up enough measurements to know that one
needs the same framework for as many numbers as possible, otherwise you
benchmark the testbench. But the NUMS people have made sure that won't
happen.

If you want ECDSA, use Weierstrass form. It's not ECDSA if you don't. I
get the idea of the FrankenECDSA, but I'd like to know that it would be
actually useful and speed adoption in TLS, and it relies on
implementations that have a generic ECDSA that calls curve-specific
multiply functions. Maybe FrankenECDSA is useful: my guess is it isn't,
but I could be convinced. But this doesn't affect what curve to use.

As for customers, if they don't find Curve25519 acceptable, they won't
find a curve that's Curve25519 with a different basepoint acceptable
unless they really have no idea how things work. At this point you've
already agreed to Curve25519, modulo the basepoint, which doesn't matter
for security, but does matter for implementors. Why have this waste?

Sincerely,
Watson Ladd

>
>
> b
>

--
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
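The basepoint point made in the message above, that a different basepoint changes nothing about the security of Curve25519 but does matter for implementors, can be seen directly in code. What follows is an added example, not code from this thread or from any of the proposals it discusses: an X25519 scalar multiplication written from the RFC 7748 Montgomery ladder (published after this thread), run once with the standard basepoint u = 9 and once with a constructed alternative generator of the same prime-order subgroup. The name `ALT_BASEPOINT`, the fixed scalar used to derive it, and the helper `dh_agreement` are assumptions of this example; the private keys are the RFC 7748 section 6.1 test-vector keys. Both runs give a valid Diffie-Hellman agreement, but two peers only agree when they use the same basepoint, which is the interoperability cost an implementor pays for an otherwise identical curve.

```python
# Added example (not from the thread): X25519 per the RFC 7748 ladder, used to
# show that DH agreement works with any generator of the prime-order subgroup,
# while peers using different basepoints do not interoperate.

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (A - 2) / 4 for A = 486662
BASEPOINT = bytes([9]) + bytes(31)   # standard basepoint, u = 9


def decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte scalar as RFC 7748 section 5 prescribes."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes) -> int:
    """Decode a little-endian u-coordinate, ignoring the unused top bit."""
    return int.from_bytes(u, "little") & ((1 << 255) - 1)


def encode_u(u: int) -> bytes:
    return (u % P).to_bytes(32, "little")


def cswap(swap: int, a: int, b: int):
    """Mask-based conditional swap (the shape of a constant-time swap;
    Python integers are not constant-time in practice)."""
    mask = -swap            # 0 or -1 (all ones)
    d = mask & (a ^ b)
    return a ^ d, b ^ d


def x25519(k_bytes: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5: returns k * u as 32 bytes."""
    k = decode_scalar(k_bytes)
    x1 = decode_u(u_bytes)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return encode_u(x2 * pow(z2, P - 2, P))


# RFC 7748 section 6.1 test-vector private keys (Alice and Bob).
ALICE_SK = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
BOB_SK = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")

# Constructed alternative basepoint (assumption of this example): another
# generator of the same prime-order subgroup, a fixed multiple of the standard one.
ALT_BASEPOINT = x25519(bytes([7]) * 32, BASEPOINT)


def dh_agreement(sk_a: bytes, sk_b: bytes, basepoint: bytes):
    """Run X25519 DH over a given basepoint; return both sides' shared secrets."""
    pk_a = x25519(sk_a, basepoint)
    pk_b = x25519(sk_b, basepoint)
    return x25519(sk_a, pk_b), x25519(sk_b, pk_a)


if __name__ == "__main__":
    std = dh_agreement(ALICE_SK, BOB_SK, BASEPOINT)
    alt = dh_agreement(ALICE_SK, BOB_SK, ALT_BASEPOINT)
    print("standard basepoint, both sides agree:", std[0] == std[1])
    print("alternative basepoint, both sides agree:", alt[0] == alt[1])
    print("same secret across basepoints:", std[0] == alt[0])
```

Running the module prints True, True, False: each basepoint yields a working key agreement on its own, and the math behind the hardness assumption is the same curve and subgroup either way, but a key generated over one basepoint is meaningless to a peer using the other, which is why a "Curve25519 with a different basepoint" buys nothing and costs a second set of constants, test vectors and interop bugs.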