Re: [Cfrg] Complete additon for cofactor 1 short Weierstrass curve?

Watson Ladd <> Fri, 05 December 2014 04:47 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 6723A1AC3F0 for <>; Thu, 4 Dec 2014 20:47:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1
X-Spam-Level: *
X-Spam-Status: No, score=1 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jOwlL2_cfpik for <>; Thu, 4 Dec 2014 20:47:25 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4002:c01::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 586851AC3EE for <>; Thu, 4 Dec 2014 20:47:25 -0800 (PST)
Received: by with SMTP id f73so8947993yha.6 for <>; Thu, 04 Dec 2014 20:47:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=N//i5P6VdSWl0+2pMrfQDrNj2nOt/779U7Fgjtcuv8s=; b=rg1CLXtJ/IdKG+1UH9hHM3tlESkvSJlVJ57mRe3gkIRg6zoB6sx7HCj7rl62YH/ZQh 7aTqaJRV7AL6SOzgR6z1BXtNBiNgBwNxcrKDxUDLFKVioDbXmNksGII23YFqC7Mxs4Ia oS4JUWQf39f+hrv0UHbY8er6S5rXMyrXS7PsUV1lL/i+D2bzXJ0AxXNULSuSZhTkW6ZX QyvQ7y+aMy7Hg/JaKXwltbVOyt4XhD5ArecuQSTWeBbJrKrHnkM50GxpF5yhhlSGhPBy Vx7ApDmWrOjUJhi4w161Z2RR0iIbbCWCJJpi096E5/P/X8dniofWCxzq5gbTexF33Bj+ 9CZA==
MIME-Version: 1.0
X-Received: by with SMTP id k45mr18018064yha.163.1417754844508; Thu, 04 Dec 2014 20:47:24 -0800 (PST)
Received: by with HTTP; Thu, 4 Dec 2014 20:47:24 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Thu, 4 Dec 2014 20:47:24 -0800
Message-ID: <>
From: Watson Ladd <>
To: =?UTF-8?Q?Manuel_P=C3=A9gouri=C3=A9=2DGonnard?= <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: Dan Brown <>, "" <>
Subject: Re: [Cfrg] Complete additon for cofactor 1 short Weierstrass curve?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 05 Dec 2014 04:47:27 -0000

On Thu, Dec 4, 2014 at 2:34 PM, Manuel Pégourié-Gonnard <>; wrote:
> Hi,
> On 04/12/2014 23:17, Dan Brown wrote:
>> If this is all correct, then I would suggest that cofactor 1 short
>> Weierstrass do not have a security problem compared to Edwards curves (e.g.
>> cofactor 4), in the sense of lacking a complete addition law, but rather,
>> just an efficiency problem, in the sense of not having any (known) efficient
>> complete law.
> I'm way too tired to check if the above is correct, but it seems to me that
> complete laws for general curves are known, see eg 29.1.2.a of the Handbook of
> Elliptic and Hyperelliptic Curve Cryptography (Cohen, Frey et al.).

That formula is accompanied by a discussion pointing out there is an
exceptional case, and so one has to switch between two different
formulas by reversing the order of coordinates under some conditions.
It's also unclear that infinity as an output or as an input is handled
correctly. (In fact, I think they aren't: if we add P to -P, the
denominator does not vanish, unless I'm missing something) Those
formulas would be "strongly unified" in the language of the EFD if I
understand correctly, but not "complete".

Watson Ladd