Re: [Cfrg] 512-bit twisted Edwards curve and curve generation methods in Russian standardization

Alyssa Rowan <akr@akr.io> Wed, 28 January 2015 13:28 UTC

From: Alyssa Rowan <akr@akr.io>
Date: Wed, 28 Jan 2015 13:28:05 +0000
To: Станислав Смышляев <smyshsv@gmail.com>, cfrg@irtf.org
Message-ID: <C877C13D-0178-4BDD-BC58-4E7C417600D1@akr.io>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/9chS-QQN_heVKwCQFYBupHlrHUw>

On 27 January 2015 15:57:40 GMT+00:00, "Станислав Смышляев" <smyshsv@gmail.com> wrote:

>The curve parameters have been generated using random nonce W in such a way that e = 1, d = hash(W), where hash() is Russian national standard GOST R 34.11-2012 hash function (also known as “Streebog”, https://www.streebog.net/en/). The seed value W is equal to:
>W = 1F BB 79 69 B9 1B 3E A0 81 17 FB 10 74 BF BF 55 49 DD 66 07 63 F6 A5 AF 09 57 77 5B 66 4C B1 13 CF CB 91 C4 A7 7D 27 98 06 BC F2 4A 56 77 F2 5E AF FE C6 67 76 70 2E E2 C7 AA 84 16 07 50 DA 1D D1 50 AE D2 8C 30 26 AC 7E D6 D1 9B 97 AC 2C B5 82 7C 00 03 18 47 13 53 5B FA 65 24 B3 E4 60 83,

...and the million-rouble question, if I may be the first to ask:

How was that seed W generated, and under what criteria?

There is now a strong preference for open curve generation processes whose criteria are all explicitly shown, chosen for clearly-defined "rigid" reasons, and whose generation can be replicated and verified.

I can't see the procedure you show here has that property, due to the unexplained seed; a property it shares with the US standard NIST curves we've been asked to replace, so I'm not too sure as to the merits of your curve?

--
/akr
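
The distinction raised in this message, as an added example (not code from the thread or from either correspondent): checking d = hash(W) confirms the derivation but says nothing about how W was picked, whereas a rigid procedure has no free input to pick. Assumptions: SHA-512 stands in for Streebog, P is a small toy prime rather than the proposed curve's modulus, the candidate seeds are constructed, and all function names are hypothetical.

```python
import hashlib

# Toy field prime (constructed for this example; NOT the 512-bit modulus).
P = 2**61 - 1

def derive_d(seed: bytes) -> int:
    """d = hash(W) reduced mod P. SHA-512 is a stand-in for Streebog."""
    return int.from_bytes(hashlib.sha512(seed).digest(), "big") % P

def verify(seed: bytes, d: int) -> bool:
    """All a third party can check: the published d really is hash(W)."""
    return derive_d(seed) == d

def grind(hidden_property, tries: int):
    """Model of an unexplained seed: many candidate seeds may have been
    tested privately, and only one that passed was ever published."""
    for i in range(tries):
        seed = hashlib.sha512(b"candidate-%d" % i).digest()  # looks random
        if hidden_property(derive_d(seed)):
            return seed, i
    return None, tries

def is_nonsquare(d: int) -> bool:
    """Example public criterion (Euler's test): d is a non-square mod P."""
    return pow(d, (P - 1) // 2, P) == P - 1

def rigid(public_criterion) -> int:
    """Rigid alternative: no seed at all. Take the smallest d meeting the
    published criteria, so anyone re-running the search gets the same d."""
    d = 2
    while not public_criterion(d):
        d += 1
    return d

if __name__ == "__main__":
    # A property only the generator knows about (arbitrary for the demo).
    hidden = lambda d: d % 256 == 0xAD
    seed, discarded = grind(hidden, 100_000)
    d = derive_d(seed)
    print("published W :", seed.hex()[:32], "...")
    print("verifies    :", verify(seed, d))       # True, yet W was selected
    print("seeds dropped before this one:", discarded)
    print("rigid d     :", rigid(is_nonsquare))   # same for every verifier
```

The ground seed passes `verify` exactly as an honestly random one would, which is why reviewers ask for the seed's origin and the selection criteria rather than only the hash relation.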