Re: [Cfrg] Curve manipulation, revisited

Watson Ladd <> Tue, 30 December 2014 17:45 UTC


On Tue, Dec 30, 2014 at 12:33 PM, Paul Hoffman <> wrote:
> On Dec 29, 2014, at 6:52 PM, Tony Arcieri <> wrote:
>> I think you can avoid this slippery slope by the CFRG recommending Curve25519 as one of potentially many curves at a 128-bit security level, for now, as an interim solution, simply to avoid the current situation of apparent infinite deadlock.
> No, please no. An "interim solution" signature algorithm is stillborn. Few people would want to take the operational effort to create *and maintain* keys for an interim solution when the current solution (P256) is good enough.
> If the CFRG cannot come to an agreement on a curve, a signature algorithm, and the necessary format additions, for 128-strength ECC, it should tell the IETF so as soon as possible. Stretching this out with interim values and half-solutions will be worse than claiming defeat.

We already have agreement: It's a Montgomery x-coordinate solution
modulo the prime 2^255-19, with the curve equal to that of Curve25519.
Literally the only difference is the basepoint, which is irrelevant to
security. This is hidden behind the dramatically increased stream of
emails, but it's there.

For signatures, NUMS isn't opposed to EdDSA. Rather they would like to
see FrankenECDSA, which may be slightly easier for some to adopt.

I strongly urge that we finish off the 128-bit level ASAP.

> --Paul Hoffman

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
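As an added illustration of the point made above (this is not code from the thread, from NUMS or from any CFRG draft): an x-coordinate-only Montgomery ladder on Curve25519 modulo 2^255-19, written in the RFC 7748 style, together with a check that two parties reach the same Diffie-Hellman shared secret whether they use the Curve25519 basepoint u = 9 or some other u-coordinate (the alternative basepoint used with it is a constructed stand-in value, not a real alternative basepoint).

```python
P = 2**255 - 19            # the prime the thread refers to
A24 = (486662 - 2) // 4    # (A - 2)/4 for Curve25519's Montgomery coefficient A
BASEPOINT_U = 9            # Curve25519 basepoint u-coordinate

def clamp(k: bytes) -> int:
    """RFC 7748 scalar decoding: clear 3 low bits, set bit 254, clear bit 255."""
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def cswap(swap: int, a: int, b: int):
    """Branch-free conditional swap driven by a 0/1 flag."""
    mask = (-swap) & (a ^ b)
    return a ^ mask, b ^ mask

def x25519(k: int, u: int) -> int:
    """u-coordinate of k*Q given only Q's u-coordinate (RFC 7748 ladder)."""
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P

def dh(secret: bytes, peer_u: bytes) -> bytes:
    """One X25519 step: clamped secret scalar times a received u-coordinate."""
    u = int.from_bytes(peer_u, "little") & ((1 << 255) - 1)  # drop the top bit
    return x25519(clamp(secret), u).to_bytes(32, "little")

def shared_secrets_match(base_u: int, sk_a: bytes, sk_b: bytes) -> bool:
    """DH agreement with an arbitrary basepoint u (9, or any constructed stand-in)."""
    base = base_u.to_bytes(32, "little")
    pk_a, pk_b = dh(sk_a, base), dh(sk_b, base)
    return dh(sk_a, pk_b) == dh(sk_b, pk_a)
```

The ladder is checked against the RFC 7748 section 6.1 test vectors; agreement holds for any basepoint because scalar multiplication on u-coordinates commutes, which is the sense in which the basepoint choice does not affect the security of the key exchange.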