Re: [Cfrg] Safecurves draft

Paul Lambert <paul@marvell.com> Thu, 09 January 2014 19:56 UTC

Return-Path: <paul@marvell.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EE9D1AE563 for <cfrg@ietfa.amsl.com>; Thu, 9 Jan 2014 11:56:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.567
X-Spam-Level:
X-Spam-Status: No, score=-1.567 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kZ-H4qST9vTG for <cfrg@ietfa.amsl.com>; Thu, 9 Jan 2014 11:56:33 -0800 (PST)
Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by ietfa.amsl.com (Postfix) with ESMTP id D18261AE55F for <cfrg@irtf.org>; Thu, 9 Jan 2014 11:56:32 -0800 (PST)
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id s09JuIZ6001328; Thu, 9 Jan 2014 11:56:19 -0800
Received: from sc-owa01.marvell.com ([199.233.58.136]) by mx0b-0016f401.pphosted.com with ESMTP id 1h9ydbrjtp-55 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Thu, 09 Jan 2014 11:56:19 -0800
Received: from SC-vEXCH2.marvell.com ([10.93.76.134]) by SC-OWA01.marvell.com ([10.93.76.21]) with mapi; Thu, 9 Jan 2014 11:56:14 -0800
From: Paul Lambert <paul@marvell.com>
To: Jon Callas <jon@callas.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 9 Jan 2014 11:56:12 -0800
Thread-Topic: [Cfrg] Safecurves draft
Thread-Index: Ac8NdNnglyw3SgCjSaiO4rJgEuCs6A==
Message-ID: <CEF43D88.2BF3D%paul@marvell.com>
References: <20140109031144.6111382.52184.8264@certicom.com> <20140109094731.GA12327@netbook.cypherspace.org> <CADMpkc+giuSZgrYmusRJmj5SyN9Dcu_Mdaqx5KQPyXGMmosFUw@mail.gmail.com> <CABqy+soXxjY+fEzpHP+_yn9Y1Xtapm_9OWbgDcA_J_Lukz_YLw@mail.gmail.com> <CADMpkcJFk2C5DPQX9RVWphUH25atsUX2vPA7RwNf8zbmR6dXJQ@mail.gmail.com> <CABqy+soX0xVWG0+vJs-_7O1Ur_hkDW0u0acCGZYrrtEci5QRXw@mail.gmail.com> <CADMpkcKptQrtXyaarkXiMpRyGmobEcywbTeTkkcb6uWB-yttwg@mail.gmail.com> <B29AD107-69D0-4EF5-9D5B-137C1E333AEA@shiftleft.org> <CACsn0ckufy9jfOXcMDA7WE+SzZUuuibucod8CkQeACnQam63-w@mail.gmail.com> <D186F1ED-DD2B-4A05-9E4C-617EA1249D24@callas.org>
In-Reply-To: <D186F1ED-DD2B-4A05-9E4C-617EA1249D24@callas.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
acceptlanguage: en-US
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-01-09_07:2014-01-08, 2014-01-09, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1401090131
Subject: Re: [Cfrg] Safecurves draft
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2014 19:56:34 -0000

+1 on a different name Š

Other comments:

1) Curve definitions really badly need clear parameterization.  Cutting
and pasting the referenced web site does provide all the right numbers,
but no context to implement. For the parameterization Š the curve math is
different so merging old and new in some fashion might make for
interesting comparison of the differences.

2) Is there any provenance on the generator selection for the curves?  I
hear critical comments on the NIST seeds, if we add new curves, should we
also document the process used for the selection of the Œarbitrary¹ values?

3) test vectors ..

Paul


On 1/9/14, 10:43 AM, "Jon Callas" <jon@callas.org> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>I concur that we shouldn't call it "safecurves" or anything like that. I
>think that definitely this needs to heed Paul Hoffman's advice on names
>coming back to bite us.
>
>All crypto parameter sets have a lifespan where they're new and shiny,
>older and trusted, then kinda dodgy but accepted, and then outmoded or
>insecure. Each phase might be there for years or perhaps minutes. I've
>seen things go the entire lifecycle in an hour. We don't want the
>premature aging of one to tarnish the whole thing. Think about what you'd
>say when the Buzzfeed reporter calls you up for comment or background on
>their article "Ten Shocking Reasons Why SafeCurves are The Spawn of
>Satan" after a Eurocrypt paper has a new banana attack that shows a curve
>has ten fewer bits of security with 2^300 memory.
>
>I also think there should be a quick set of names where we specify what's
>a Montgomery and what's Edwards. This is already needed and the reason
>why there's 25519 and Ed25519 in current parlance. If we *don't* do it
>here, then someone else will. It's too useful not to have it.
>
>You can have a table with common names and extended names and have the
>extended names have something simple like a suffix of M or E. It's easy
>to fit 25519 and Ed25519 into this as well.
>
>	Jon
>
>
>
>
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP Universal 3.2.0 (Build 1672)
>Charset: us-ascii
>
>wj8DBQFSzu3CsTedWZOD3gYRAvjQAJ9B7cbpze9iHhwEtb7V93IAuz2o3QCghrND
>YuOdLybBrq7s0mdSfKRcbK8=
>=uq7Y
>-----END PGP SIGNATURE-----
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>http://www.irtf.org/mailman/listinfo/cfrg