Re: [Cfrg] Chopping out curves

Alyssa Rowan <akr@akr.io> Fri, 17 January 2014 18:58 UTC

Return-Path: <akr@akr.io>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A72791A1F3D for <cfrg@ietfa.amsl.com>; Fri, 17 Jan 2014 10:58:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9hO6ludkjisj for <cfrg@ietfa.amsl.com>; Fri, 17 Jan 2014 10:58:21 -0800 (PST)
Received: from entima.net (entima.net [78.129.143.175]) by ietfa.amsl.com (Postfix) with ESMTP id 0A71D1ADF78 for <cfrg@irtf.org>; Fri, 17 Jan 2014 10:58:19 -0800 (PST)
Received: from [10.10.42.10] (cpc5-derb12-2-0-cust796.8-3.cable.virginm.net [82.31.91.29]) by entima.net (Postfix) with ESMTPSA id 5ABE76031B for <cfrg@irtf.org>; Fri, 17 Jan 2014 18:58:06 +0000 (GMT)
Message-ID: <52D97D44.6040401@akr.io>
Date: Fri, 17 Jan 2014 18:58:12 +0000
From: Alyssa Rowan <akr@akr.io>
MIME-Version: 1.0
To: cfrg@irtf.org
References: <CACsn0cmJX2begH0q8vOUZhP2t3CFo_2Ad71Neke4EKejoYCPRg@mail.gmail.com> <CAGZ8ZG1qF4ba3ogjHQnMwgXV+0Fj7eR44QdvuSw3GYBvNVFZBA@mail.gmail.com> <c406386b6fc67d11332141423f2f0f40.squirrel@www.trepanning.net> <CACsn0c=Eh1J81JHq=u8WsTtVK4HAJDghyisTZnM6U61jdr2KUQ@mail.gmail.com> <20140117011414.GA3413@netbook.cypherspace.org> <20140117023629.GA4435@netbook.cypherspace.org> <52D8DEC1.9060805@akr.io> <20140117124159.GA9258@netbook.cypherspace.org> <3374f0a3-9998-44e9-a052-61a4a94fe00c@email.android.com> <CABqy+soq1uvuiMRyF2FVXZoQ1gpdiO92Gj9A+Ri5FQa=5yp3-w@mail.gmail.com>
In-Reply-To: <CABqy+soq1uvuiMRyF2FVXZoQ1gpdiO92Gj9A+Ri5FQa=5yp3-w@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: Re: [Cfrg] Chopping out curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jan 2014 18:58:23 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 17/01/2014 14:33, Robert Ransom wrote:
> Watson Ladd actually chose a point with small Edwards-form x, not 
> small Edwards-form y. […] ‘T25519’ is isomorphic to Curve25519, so 
> any non-identity group element of odd order on T25519 generates the
> same group as the standard basepoint of Curve25519 (and has the 
> same order).

Ah, thankyou. I missed that (and had mistakenly assumed he'd go for
small y to match the Edwards curves).

Clearly, I haven't had enough tea today!


On 17/01/2014 14:33, Robert Ransom wrote:
> There is no benefit to choosing a new basepoint, but there's also 
> no benefit to using ‘T25519’ instead of the (more efficient) form 
> specified for Ed25519.

On 17/01/2014 15:17, Watson Ladd wrote:
> On reflection the a=-1, d=-121665/121666 form saves an an
> addition, but the multiplication is by a bigger number in the
> complete form. Anyway, I don't have strong thoughts on the matter.

Well then, there's little or no benefit in specifying a new form when
we already have the Ed25519 parameters ready-made and people already
have routines working with it?


On 17/01/2014 14:33, Robert Ransom wrote:
>> I have a strong preference for throwing out T25519 and using 
>> Ed25519 with its standard basepoint.

On 17/01/2014 15:17, Watson Ladd wrote:
> I'll follow that preference, but ugh, the number in front of
> x^2y^2 is big.

If it doesn't really have a performance impact in practice, it's no
big deal.

Ed25519 it seems to be, then. Though, that said, the name might be
confusing. Maybe we'd better call that form something else.

Perhaps: 'te25519', for Twisted Edwards (2^255)-19?

(Deliberately referring to the curve names in lower-case. Thinking
ahead to when people put these things on command-lines or config files
and argue about capitalisation; none of the other curves in IETF
protocols get capitals.)

• If we called it 't25519', people might confuse it with the one in the
  draft here.

• But if we call it 'Ed25519', people might confuse it with the whole
  Ed25519 signature scheme.

  (Sure it's used _in_ that signature scheme, although it seems likely
  to me at this stage that we might be heading more in the general
  direction of a cleaner, fresher version which works with te25519,
  curve3617 and e521, and quite possibly uses a new hash. Demand seems
  stronger for curve25519 ECDHE first, however.)

- -- 
/akr
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJS2X1EAAoJEOyEjtkWi2t6tR0QALl42L1yV84EFgckps6R2rOe
30UOcOWx1XZGnU/Kdwt0w7YP8SvUbAtX97RgVlcgWQbG9CyYldELJ/39lZw7uyFF
iNyNmIGYvXdrlxpWTNMry0lB8SLjZts+RJX0/ZcDD0qguGnmsP+IHUH7Q80hsjJ0
CB9rvVVfuuAmDU5pWWOWHt8hEVhX9jl7vRuF4Yb51ngqHrS/NpasK2qaZ88Gw4Fp
ns/b8OzZNoChxkAHYBlGVrkuCq6O9d8gpRaoxkl0ujsndvsZlQ2ud0FhVg/FXcRs
le6YCig5rEuEoS/XwGUc4Mb6Py2BRJZ4C0Ax6ZTP1pOzH8OhwKskuEeLe7SVvKGu
WhC5hgGz/Sub1nKBI/mTZNwZrY5kjEzg21iZ1kIbpK37V59TwplLOJzu/aalXDbU
Sq0U1aW73Y6p+KSQKsGpSfeUpmY/6e19emoUQRbZ9J1eER/o2vjPAJcCmv+zfugx
uE2moiZoc1mfCV5E7wIxZvUrU5bPk4ARSzHxhw7o/higqc/PZbtosFKEqeRBOz1I
paqlewTRs7tQTwoSx9mn3+dln47Kz2y18pBAUM7BitUyWghMoJRq6Mm6crKkGG2O
f2ZAkmKDlpEuLix9/ENlmGDl2i9ZXH7tALnOeYZ/txlFtagpUBSdLWSBGo0erEwp
Q0AWcvz2wr81lOwpPuBq
=w0/6
-----END PGP SIGNATURE-----