Re: [Cfrg] Chopping out curves

Watson Ladd <watsonbladd@gmail.com> Fri, 17 January 2014 19:01 UTC

To: Alyssa Rowan <akr@akr.io>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

On Fri, Jan 17, 2014 at 10:58 AM, Alyssa Rowan <akr@akr.io> wrote:
>
> On 17/01/2014 14:33, Robert Ransom wrote:
>> Watson Ladd actually chose a point with small Edwards-form x, not
>> small Edwards-form y. […] ‘T25519’ is isomorphic to Curve25519, so
>> any non-identity group element of odd order on T25519 generates the
>> same group as the standard basepoint of Curve25519 (and has the
>> same order).
>
> Ah, thank you. I missed that (and had mistakenly assumed he'd go for
> small y to match the Edwards curves).
>
> Clearly, I haven't had enough tea today!
>
>
> On 17/01/2014 14:33, Robert Ransom wrote:
>> There is no benefit to choosing a new basepoint, but there's also
>> no benefit to using ‘T25519’ instead of the (more efficient) form
>> specified for Ed25519.
>
> On 17/01/2014 15:17, Watson Ladd wrote:
>> On reflection the a=-1, d=-121665/121666 form saves an
>> addition, but the multiplication is by a bigger number in the
>> complete form. Anyway, I don't have strong thoughts on the matter.
>
> Well then, there's little or no benefit in specifying a new form when
> we already have the Ed25519 parameters ready-made and people already
> have routines working with it?
>
>
> On 17/01/2014 14:33, Robert Ransom wrote:
>>> I have a strong preference for throwing out T25519 and using
>>> Ed25519 with its standard basepoint.
>
> On 17/01/2014 15:17, Watson Ladd wrote:
>> I'll follow that preference, but ugh, the number in front of
>> x^2y^2 is big.
>
> If it doesn't really have a performance impact in practice, it's no
> big deal.
>
> Ed25519 it seems to be, then. Though, that said, the name might be
> confusing. Maybe we'd better call that form something else.
>
> Perhaps: 'te25519', for Twisted Edwards (2^255)-19?

Okay. I'll follow the Ed25519 paper and call it te25519 and add the
paper as a reference.
Are rationals fine, or do people want me to write big numbers?
>
> (Deliberately referring to the curve names in lower-case. Thinking
> ahead to when people put these things on command-lines or config files
> and argue about capitalisation; none of the other curves in IETF
> protocols get capitals.)
>
> • If we called it 't25519', people might confuse it with the one in the
>   draft here.

It's an ID: names change.

>
> • But if we call it 'Ed25519', people might confuse it with the whole
>   Ed25519 signature scheme.
>
>   (Sure it's used _in_ that signature scheme, although it seems likely
>   to me at this stage that we might be heading more in the general
>   direction of a cleaner, fresher version which works with te25519,
>   curve3617 and e521, and quite possibly uses a new hash. Demand seems
>   stronger for curve25519 ECDHE first, however.)
>
> - --
> /akr



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
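
Added example (not part of the original message or of the draft it discusses): the rational d = -121665/121666 from the thread reduced to the "big number" form modulo 2^255 - 19, with a check that the point with y = 4/5 lies on the a = -1 curve and maps to the Curve25519 basepoint. The prime, the y = 4/5 basepoint with even x, and the map u = (1+y)/(1-y) are taken from the Ed25519 paper, not from this message; function names are illustrative.

```python
# Added illustration; parameters follow the Ed25519 paper, not this message.
P = 2**255 - 19   # field prime
A = -1            # twisted Edwards coefficient a

def inv(z):
    """Modular inverse in GF(P) via Fermat's little theorem."""
    return pow(z, P - 2, P)

def rational(num, den):
    """Reduce the rational num/den to a field element mod P."""
    return num * inv(den) % P

D = rational(-121665, 121666)   # the coefficient in front of x^2 y^2

def on_curve(x, y):
    """Check a*x^2 + y^2 = 1 + d*x^2*y^2 over GF(P)."""
    return (A * x * x + y * y - 1 - D * x * x * y * y) % P == 0

def recover_x(y):
    """Solve the curve equation for x; return the even root, or None."""
    xx = (y * y - 1) * inv(D * y * y - A) % P
    x = pow(xx, (P + 3) // 8, P)            # candidate root, P = 5 mod 8
    if (x * x - xx) % P != 0:
        x = x * pow(2, (P - 1) // 4, P) % P  # multiply by sqrt(-1)
    if (x * x - xx) % P != 0:
        return None                          # xx is not a square
    return x if x % 2 == 0 else P - x

def montgomery_u(y):
    """Birational map from Edwards y to the Montgomery u-coordinate."""
    return (1 + y) * inv(1 - y) % P

if __name__ == "__main__":
    by = rational(4, 5)
    bx = recover_x(by)
    print("d as an integer:", D)
    print("d bit length   :", D.bit_length())
    print("basepoint x    :", bx)
    print("on curve       :", on_curve(bx, by))
    print("Montgomery u   :", montgomery_u(by))
```
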