Re: [Cfrg] Outline -> was Re: normative references

Watson Ladd <> Thu, 16 January 2014 15:33 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id E41F71AE38C for <>; Thu, 16 Jan 2014 07:33:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.8
X-Spam-Status: No, score=-0.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_12=0.6, J_CHICKENPOX_34=0.6, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5OzYVIl-utzr for <>; Thu, 16 Jan 2014 07:33:25 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c05::22a]) by (Postfix) with ESMTP id D23DE1AE377 for <>; Thu, 16 Jan 2014 07:33:24 -0800 (PST)
Received: by with SMTP id ex4so839327wid.3 for <>; Thu, 16 Jan 2014 07:33:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=vTOA5uvfor75s8j7raY5+vkRXG2v7FF5XP2vcvYT7MM=; b=INykN+QjHCdrL4GOhOMVJytQoB7oNpNWk8gUbVFDtx+qMfXUYzu+f3J9N+NTwEo9ZS DyLWapH8FmvRCkIbjb0sh/+RrXYoV7/BfCsjBK37cCan3fbTe4xdVX0/DPaj7Lk/fjyE pgqml1VTjdLM9WcIGykUWB78FwnPlaiG3UdUKf/FJ3+dc26vfrq1gC9jZvsA40NG1Z34 ssEf/Ckw5bejVbsX9zK0MU8imGt5actmmqVHaESymXgXOJvogv3bhwTp4lMS8TwzCFEB EgOkSBuB+xratIOx07/P2Y1+ptFsxFZk4H5LfS+mMIWvSC64nVntyZBJloLix40tQUA2 KgEw==
MIME-Version: 1.0
X-Received: by with SMTP id bz19mr8674122wib.44.1389886392322; Thu, 16 Jan 2014 07:33:12 -0800 (PST)
Received: by with HTTP; Thu, 16 Jan 2014 07:33:12 -0800 (PST)
In-Reply-To: <>
References: <> <> <>
Date: Thu, 16 Jan 2014 07:33:12 -0800
Message-ID: <>
From: Watson Ladd <>
To: Paul Lambert <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: Yaron Sheffer <>, David McGrew <>, "" <>
Subject: Re: [Cfrg] Outline -> was Re: normative references
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 16 Jan 2014 15:33:27 -0000

On Wed, Jan 15, 2014 at 10:42 PM, Paul Lambert <> wrote:
>>Signatures are going separately.
>>>       - Signature Alg with Edwards Curve
>>>       - Montgomery Curve Signatures ...
>>If you have a method that will work on a Montgomery curve naturally I
>>would love to hear it.
> That’s the point of having the section … you need a section to say it
> is not a good idea… or transform or whatever.
>>Montgomery curves are here for their blazing speed in ECDH without large
>>Edwards curves are here for their blazing speed in signatures where we
>>can't toss out
>>one coordinate. I'ld much rather use Montgomery for ECDH and Edwards
>>for signatures
>>than Edwards for everything.
> Again the point of the outline was to provide a framework to possibly make
> such recommendations.
> These all seem like severe issues with these new curves.  The Weierstrass
> curves
> work well for signatures and key establishment.
> A truly ‘unified' public key system would support both signatures and key
> establishment
> with the same key.

ECDH with Edwards is still extremely fast, and if you have devices with code
size limitations, is a fine way to fit signatures and ECDH into a limited space.
However, there is a mandatory check of the square root when decompressing
points that must take place, and whose omission harms security without affecting
interoperability. I'll add text explaining this more clearly.

As for same key, I'm not an expert on the security implications of key reuse.
So far the draft is silent on this issue, and I don't feel capable of
saying anything
about it.

>>>   - Curve Catalogue
>>>     (include curves def’s, origins, refs, strength, NUM+NUTS whatever)
>>>      - Overview
>>>      - Edwards
>>>      - Twisted Edwards
>>>      - Montgomery
>>>   - References
>>>  Annex
>>>    - int to string / string to int per ANSI
>>>      (could be up front also in intro )
>>>    - other stuff / recomendations / math options
>>>>> I was pointing to specific examples that we could emulate in a perhaps
>>>>> more simple manner.  The next step would be get a summary of the
>>>>> details required and emulate one or more of these documents.
>>>>>>>  ⨳|If we aren't specifying any twisted Edwards curves, why would we
>>>>>>>  ⨳|define the formulas?
>>>>>>>  ⨳|I suppose for use with Montgomery form, ala Ransom's suggestion.
>>>>>>> [ ⨳]
>>>>>>> Yes ... and why did you leave out Ed25519?       It's being used and
>>>>>>>should at least be discussed/reviewed/
>>>>>>It's the same as Curve25519, and not in safecurves. Let's be real
>>>>>>clear: isogenies don't change anything substantial.
>>>>> Substantial???
>>>>> Curve22519 is not interoperable with Ed25519. What could be more
>>>>> substantial.  A point on one curve would have a different x and y
>>>>> than a curve on the other.
>>>>If I transmit to you a Curve25519 point, you can treat it as an
>>>>Ed25519 point (after appropriate transformations) and I
>>>>will never know the difference.
>>> But if you do not identify that it is a Curve25519 point versus a
>>> Ed25519 point you will not know when to do the ‘appropriate
>>> So .. both are needed - especially if we are restricting Montgomery
>>> Curves to DH operations … which you imply.
>>Well, there are Edwards curves of about the same size. I've put it in
>>because I
>>take your point: we do need something that has a strongly unified
>>complete addition law
>>with that size that can be used for signatures.
>>The only way I know of to use Montgomery curves for signatures loses
>>the extreme speed.
>>As for the transformation, if I tell you that protocol x uses
>>Curve25519 ECDH, I hopefully
>>have told you enough to know exactly what will be sent, regardless of what
>>you chose to do to think about it. Anything in the draft that makes that
>>not the case is a major issue.
> … And if you are using Ed25519a or Ed25519b you also need to identify the
> curve.
>>> My point above on Weierstrass was for clarity of implementation.  The
>>> parameters have names (like ‘a’).  NIST curves have an ‘a’ that is
>>> different
>>> from the usage in Montgomery curves.  You simply need to show both
>>> equations
>>> and define what an ‘a’ means in each context (text already provided to
>>> you).
>>> That was the point of an early discourse on these being ‘new’ curves.
>>I'm having trouble visualizing why putting in the short Weierstrass form
>>helps an implementor understand what the document says about Montgomery
>>Edwards curves.
> You simply need to put the new curves in the context of the old.
> No need to describe everything about them since they are well known.
> They should be mentioned to show that the math is not the same.
> The outline provided a section to briefly mention the old to introduce the
> new.
> Paul
>><rest omitted>
>>Watson Ladd
>>"Those who would give up Essential Liberty to purchase a little
>>Temporary Safety deserve neither  Liberty nor Safety."
>>-- Benjamin Franklin

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin