[Cfrg] A draft merging rpgecc and thecurve25519function.

Adam Langley <agl@imperialviolet.org> Thu, 01 January 2015 22:00 UTC

Return-Path: <alangley@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 522121A1B00 for <cfrg@ietfa.amsl.com>; Thu, 1 Jan 2015 14:00:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.122
X-Spam-Status: No, score=0.122 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id wK9_tVfzuujU for <cfrg@ietfa.amsl.com>; Thu, 1 Jan 2015 14:00:31 -0800 (PST)
Received: from mail-lb0-x230.google.com (mail-lb0-x230.google.com [IPv6:2a00:1450:4010:c04::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 629381A1ADB for <cfrg@irtf.org>; Thu, 1 Jan 2015 14:00:30 -0800 (PST)
Received: by mail-lb0-f176.google.com with SMTP id p9so14343146lbv.21 for <cfrg@irtf.org>; Thu, 01 Jan 2015 14:00:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=TrbYhFruNBf0e/+HF0wqLiFYu+IJH4X/ktKDU5ngFpo=; b=TPENw4Ac+HpvLwwHmuQUmqcoh2retnyovYFrSppHmty7WjB/q7PpVbKjN0IihGYlek GkUuyWFEQCiNphwhetzaQF5oDL+fzTqRJmVs2fKBhL6dXFFKFP69I3s1CgKMTv1PNtYU 6jfiV9ixCmepEoOExL5rmzoRu/br/Xu0WsmYXqisWEPAko5lmv0MLjBRxfinxFTRwnim RHY6+tbhm/4EGg84n7kCrraBq8K6sqPDhHOPQDkNYzp0whd2ibEuFFr/KykpIDj7Y4HJ NIL1CGe1PqHYWdPaokEtWT2L099xVfYxLhpwZN2lJ5+cIJ6nLOjIvFOjmtyA45DbZqOf XgdA==
MIME-Version: 1.0
X-Received: by with SMTP id w4mr73190149lag.75.1420149628554; Thu, 01 Jan 2015 14:00:28 -0800 (PST)
Sender: alangley@gmail.com
Received: by with HTTP; Thu, 1 Jan 2015 14:00:28 -0800 (PST)
Date: Thu, 1 Jan 2015 14:00:28 -0800
X-Google-Sender-Auth: vemlLrVPM5qgQC13tV05XZ9HHqQ
Message-ID: <CAMfhd9Vi=VJw2NW1CX1aE_qjXFmQ1Cmd1F4s7C9eEvuVog-f=Q@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/8e2ujcxuRG0FawQiDF7xZ5ijXqQ
Subject: [Cfrg] A draft merging rpgecc and thecurve25519function.
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Jan 2015 22:00:35 -0000

Since everyone is agreed to within an isogeny of curve25519 at ~128
bits, and since there's no performance reason to pick one isogeny over
another (see my mail from yesterday), I've created an outline for what
currently appears (to me) to be the only way that we might reach

It takes the generation procedure from draft-black-rpgecc-01,
generates the resulting curve with p=2^255-19 and then ends up with
curve25519 by pointing out that there's no difference in security
between isogenies and motivates it by compatibility with existing

Then it includes draft-turner-thecurve25519function in order to nail
down the wire-format and describe how to perform ECDH.

The resulting agglomeration is at
https://cdn.rawgit.com/agl/cfrgcurve/master/cfrgcurve.xml (requires
XSLT support in the browser) and https://github.com/agl/cfrgcurve.
(Although, until there's clarity on whether the outline is viable, the
details in the draft are unimportant.)

I have not listed the authors of the two source documents as authors
yet because that might suggest that they support the result. Instead
I've made the sources clear in section 1.

It does not suggest a signature scheme, despite several people
suggesting that it would be required in recent days, because I don't
think that we're at that point yet.



Adam Langley agl@imperialviolet.org https://www.imperialviolet.org