Re: [Cfrg] ECC mod 8^91+5

"D. J. Bernstein" <djb@cr.yp.to> Wed, 02 August 2017 16:00 UTC

Date: Wed, 02 Aug 2017 16:00:15 -0000
Message-ID: <20170802160015.10529.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <CAEX_ruGT52-A5m_Cj59HZ4hPQ6y4z-84MSCOmZH4GbTyOjpStQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/88nMVnRqxxipb17ShYr8iNvdvMk>

Samuel Neves writes:
> These formulas do exist, cf. [1] or [2], but they require curves of
> _odd_ order, which is not the case here.

The complete formulas from https://cr.yp.to/talks/2009.07.17/slides.pdf 
don't require odd order.

Fundamentally, incomplete implementations---and complete implementations
with timing leaks from branches between different incomplete formulas---
are not the result of complete formulas failing to exist. They are the
result of complete formulas failing to compete with the simplicity and
speed of incomplete formulas. This tension is what's nicely resolved by
Montgomery curves for DH, and by complete Edwards curves for more
general applications.

---Dan
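As an added illustration (my own code, not from the thread or the slides): the complete twisted-Edwards addition law run on edwards25519, whose group order 8*L is even, so it exercises the point that completeness does not depend on odd order. The constants are the RFC 8032 edwards25519 parameters; the base point is recovered from y = 4/5 rather than hard-coded.

```python
# Added example: complete twisted-Edwards addition on edwards25519 (order 8*L).
# Doubling, P + neutral, P + (-P) and the order-2/order-4 points all go through
# one formula; no case analysis and no branch on the point values.

P = 2**255 - 19
A = P - 1                                    # a = -1, a square mod p (p = 1 mod 4)
D = (-121665 * pow(121666, -1, P)) % P      # d is a non-square mod p: law is complete
L = 2**252 + 27742317777372353535851937790883648493  # prime order of the base point
SQRT_M1 = pow(2, (P - 1) // 4, P)            # sqrt(-1): 2 is a non-residue, p = 5 mod 8
NEUTRAL = (0, 1)
T2 = (0, P - 1)                              # the point of order 2
T4 = (SQRT_M1, 0)                            # a point of order 4

def add(p1, p2):
    """Complete addition on a*x^2 + y^2 = 1 + d*x^2*y^2 (Bernstein-Lange)."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    # 1 +/- t is never 0 when a is a square and d a non-square: same code for all inputs.
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 - A * x1 * x2) * pow(1 - t, -1, P) % P
    return (x3, y3)

def neg(pt):
    return ((-pt[0]) % P, pt[1])

def on_curve(pt):
    x, y = pt
    return (A * x * x + y * y - 1 - D * x * x * y * y) % P == 0

def scalar_mul(k, pt, bits=256):
    """Ladder: one doubling and one addition per bit, both through add(), so the
    operation sequence is independent of the point (a real one would use a cswap)."""
    r0, r1 = NEUTRAL, pt                     # invariant: r1 == r0 + pt
    for i in reversed(range(bits)):
        if (k >> i) & 1:
            r0, r1 = add(r0, r1), add(r1, r1)
        else:
            r0, r1 = add(r0, r0), add(r0, r1)
    return r0

def base_point():
    """Recover B = (x, 4/5) of RFC 8032 from y, taking the even square root."""
    y = 4 * pow(5, -1, P) % P
    u = (y * y - 1) * pow(D * y * y + 1, -1, P) % P   # x^2 = (y^2 - 1)/(d*y^2 + 1)
    x = pow(u, (P + 3) // 8, P)              # square-root candidate for p = 5 mod 8
    x = x * SQRT_M1 % P if (x * x - u) % P else x
    return (P - x if x & 1 else x, y)

B = base_point()
```

The same `add` handles B + (-B), 2*T4 = T2, B + T2 = (-x, -y) and L*B = neutral, which is exactly the set of inputs an incomplete Weierstrass formula would have to branch around.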