[Cfrg] Outline -> was Re: normative references

[Paul Lambert <paul@marvell.com>]

Watson,

>> I’ve been trying to be helpful, but your arguments against well intended
>> suggestions is frustrating.   It’s difficult to contribute if you’re
>> arguing for a sloppy RFC because the code is the reference.
>
>I'm arguing for a precise statement of what needs to be calculated,
>and nothing else. 

Likewise … but precision of math is not the same as precision of
protocol interoperability.

Many of the precise words in the latest draft are unnecessary
from an implementation perspective. An implementor does not
need to know anything about abelian groups - just that
there are:
 - algorithm parameters (curve type and domain parameters)
 - x,y coordinate points used as input/output to
   Algorithms using the defined parameters
 - clear algorithm descriptions using just, input, output
   And domain parameters to perform a specific operation
   (point addition and point multiplication)

>That's not sloppy. And in fact I'm supplying
>what has been requested in terms of implementation details, against my
>preference for black-box standards. The next
>version is almost done in fact.

Box is still fuzzy - more suggestions:
 - make an outline to the following form:
  - Elliptic Curve Crypto Background
    (curve types and parameters)
    - Trival intro Fp and points
    Define p, order, generator, curve types
    - background on notation and other necessary functions
  - Montgomery curves
    - short overview for reference
      and pointer to other specs
      (basically - beware new math ahead)
  - Edwards curves
    - point representation
    - point addition
      Just one clear set of equations
    - point multiplication
  - Twisted Edwards curves
  - Montgomery Curves
     - point representation
     - point addition
     - multiplication
  - Cryptographic operations
    - DH
      - DH with Edwards Curve
      - DH with Montgomery Curve
    - Signature Alg(s)
      - Signature Alg with Edwards Curve
      - Montgomery Curve Signatures ...
  - Curve Catalogue
    (include curves def’s, origins, refs, strength, NUM+NUTS whatever)
     - Overview
     - Edwards
     - Twisted Edwards
     - Montgomery
  - References
 Annex
   - int to string / string to int per ANSI
     (could be up front also in intro )
   - other stuff / recomendations / math options
     
   
>
>>
>> I was pointing to specific examples that we could emulate in a perhaps
>> more simple manner.  The next step would be get a summary of the
>>relevant
>> details required and emulate one or more of these documents.
>>
>>
>>>>  ⨳|If we aren't specifying any twisted Edwards curves, why would we
>>>>  ⨳|define the formulas?
>>>>  ⨳|I suppose for use with Montgomery form, ala Ransom's suggestion.
>>>> [ ⨳]
>>>> Yes ... and why did you leave out Ed25519?       It's being used and
>>>>should at least be discussed/reviewed/
>>>
>>>It's the same as Curve25519, and not in safecurves. Let's be real
>>>clear: isogenies don't change anything substantial.
>> Substantial???
>> Curve22519 is not interoperable with Ed25519. What could be more
>> substantial.  A point on one curve would have a different x and y value
>> than a curve on the other.
>
>If I transmit to you a Curve25519 point, you can treat it as an
>Ed25519 point (after appropriate transformations) and I
>will never know the difference.
But if you do not identify that it is a Curve25519 point versus a
Ed25519 point you will not know when to do the ‘appropriate transformation’

So .. both are needed - especially if we are restricting Montgomery
Curves to DH operations … which you imply.

>Again, implementations are different
>from the results
>they calculate.
>
>> This is one of my core issues with having mathematicians write
>>protocols …
>> the apparent mathematical precision make the implementations very fuzzy.
>>
>>
>>>If you want to discuss it separately, go ahead: plenty of people have
>>>been discussing alternatives on this list already.
>> Discuss …  no, let me be clear and rephrase.  Please add Ed25519 to the
>> RFC.
>
>By Ed25519 do you mean the twisted Edwards curve, or the Edwards curve?
>Becuase
>the Ed25519 paper uses the Edwards curve, which has a giant parameter,
>and the twisted
>Edwards curve is going to be a unique form in the RFC. Either way
>there is a lot of revising to do, also
>to the explanation of why the curves were chosen.

Explaining why they were chosen should come after explain what we have.
We should document both forms of Ed25519 and give them each unique new
names.
Once named, we can chose to ignore or recommend any named curve.

>
>Do you want to basepoint that corresponds to the choice of basepoint
>9, or should I pick one?
>
>>>
>>>I'm also going to explain the Montgomery ladder and double-and-add on
>>>Edwards and that's it. RFC 6090 doesn't talk about
>>>radix-k either, nor does it explain Shamir's trick, or fun with the
>>>Brier-Joyce ladder, or w-NAF, etc.
>>>>
>>>>
>>>>  ⨳|
>>>>  ⨳|>
>>>>  ⨳|>   2) reuse where possible terminology and variables from
>>>>Weierstrass
>>>>  ⨳|ECC
>>>>  ⨳|>      E.g.  P for prime defining Fp,  n for order, h for cofactor
>>>>  ⨳|>          This would allow all classes of curves to viewed equally
>>>>in
>>>>  ⨳|>          an implementation catalog
>>>>  ⨳|>           E.g.
>>>>  ⨳|>
>>>>  ⨳|>         curveId = 'curve25519'
>>>>  ⨳|>         strength = 127
>>>>  ⨳|>         oid = None
>>>>  ⨳|>         p  = 2**255-19
>>>>  ⨳|>         a  = 486662
>>>>  ⨳|>         xG = 9
>>>>  ⨳|>         yG =
>>>>...
>>
>> ...
>>>
>>>I still don't see why this form is much better than a paragraph
>>>listing these things.
>>>
>>>>  ⨳|Also, different things should be written differently.
>>>> [ ⨳]
>>>>
>>>> On the Edwards curves with cofactors >1 I believe the strength
>>>>estimate
>>>>may be a little less
>>>> than simply taking the bit length of the size / 2
>>>>
>>>> Advice on this small adjustment would be appreciated.
>>>
>>>Size of the group generated by g, not the size of the curve.
>> Oh … of course, thanks.
>>
>>>
>>>>
>>>>
>>>>  ⨳|
>>>>  ⨳|>     Also Š long numbers should be consistently represented hex
>>>>  ⨳|versus
>>>>  ⨳|> decimal
>>>>  ⨳|
>>>>  ⨳|Why hex? Most math papers use decimal, and more importantly GP/PARI
>>>>  ⨳|doesn't accept hex.
>>>>  ⨳|MAGMA, PARI and Sage are going to be used for test vector
>>>>validation.
>>>> [ ⨳]
>>>> By you maybe ...
>>>>
>>>> Hex fits better in an RFC ...  decimal would be fine also.
>>>
>>>Six of one, half-dozen of the other.
>>>
>>>>
>>>>  ⨳|
>>>>  ⨳|>     Note also - Weierstrass Œa¹ is not the same as Edwards Œa¹,
>>>>but
>>>>  ⨳|>     can be written around Š and we should keep Edwards equations
>>>>  ⨳|consistent
>>>>  ⨳|>     where possible with literature.
>>>>  ⨳|
>>>>  ⨳|When we define DH exchange on a group yes. With setting the
>>>>parameters
>>>>  ⨳|like you did we're tempting fate.
>>>> Not really ... just another area for clear specification, eg:
>>>>
>>>> Suggested RFC text:
>>>>
>>>>     The ECC definitions include three classes of curves defined over
>>>>the field
>>>>     of integers modulo a prime p (Fp).  Each class of curve has an
>>>>equation and
>>>>     assoicated parameters unique to the class type.  Three classes of
>>>>curves
>>>>     are described:
>>>>
>>>>       SmallWeierstrassCurveFp       y**2 = x**3 + a*x + b  mod p
>>>>       EdwardsCurveFp         x**2 + y**2 = c*(1 + d*x**2 * y**2)  mod
>>>>p
>>>>       MontgomeryCurveFp             y**2 = x**3 + a*x**2 + x  mod p
>>>>
>>>>     The defintions include for each curve type:
>>>>
>>>>       curveId - An ASCII string used to identify the curve parameters
>>>>       strength - an integer providing the estimated cryptographic
>>>>strength
>>>>                  of the curve as a power of 2
>>>>       oid - a list of integers that correspond to the associated ASN.1
>>>>object
>>>>             identifier. The oid is listed as 'None' if there is no
>>>>assigned oid
>>>>       p - The prime modulus of the group (Fp). Often p is a Mersenne
>>>>prime
>>>>           to facilitate more efficient modular inversion
>>>>       xG - the x-coordinate of a generator point G for the curve
>>>>       yG - the y-coordinate of a generator point G for the curve
>>>>       n  - the order of the generator point G
>>>>       seed - included for reference when available
>>>>       h - the cofactor of the curve
>>>>
>>>>     Each curve type has the following unique parameters
>>>>
>>>>       Small Wierstrass      y**2 = x**3 + a*x + b  mod p
>>>>         a - often set to p-3 for efficiency
>>>>         b - elected for the security properties of the curve shape
>>>>         z - used by 'twisted' Brainpool curves for isogenous transform
>>>>             of untwisted curve to a curve with a = p-3
>>>>
>>>>       Montgomery            y**2 = x**3 + c*x**2 + x  mod p
>>>>         a - selected for the security properties of the curve shape
>>>>
>>>>       Edwards               x**2 + y**2 = c*(1 + d*x**2 * y**2) mod p
>>>>         c - typically set to 1 so the equation is reduced to:
>>>>                             x**2 + y**2 = 1 + d*x**2 * y**2  mod p
>>>>         d - selected for the security properties of the curve shape
>>>>
>>>> Hummm .. could add Twisted Edwards to the above
>>>
>>>But none of the curves in safecurves are presented in twisted Edwards
>>>form,
>>>I'm not going to rehash short Weierstrass here, (RFC 6090 already
>>>exists).
>>
>> Ok … but introducing Weierstrass allows comparisons and clarity of
>> specification.
>> No eed to fully define Weierstrass … it’s just easier to have a complete
>> view
>> of all options.
>
>Unless I include operation counts and real timings from optimized code,
>that
>won't be a complete guide to the choice to make. Look at eBATS for
>performance
>info.

My point above on Weierstrass was for clarity of implementation.  The
parameters have names (like ‘a’).  NIST curves have an ‘a’ that is
different
from the usage in Montgomery curves.  You simply need to show both
equations
and define what an ‘a’ means in each context (text already provided to
you).

That was the point of an early discourse on these being ‘new’ curves.

>
>RFC's are standards, not how to guides for the terminally lazy.

Sigh …   


>>
>> Paul
>>
>>
>>>
>>>Anyway, I think this conversation would be far more productive when I
>>>finish the revisions and put it before
>>>the group again. You can follow on github in between.
>>>
>>>>
>>>>  ⨳|
>>>>  ⨳|>
>>>>  ⨳|>
>>>>  ⨳|>   3) Use math representation in RFCs that maps directly to a
>>>>  ⨳|computer
>>>>  ⨳|>      language notation - Python would be a good choice for
>>>>  ⨳|>      readability.
>>>>  ⨳|>      E.g. Twisted Edwards point addition definition
>>>>  ⨳|>
>>>>  ⨳|>        x3 = ((x1*y2+x2*y1) * inv(1+d*x1*x2*y1*y2)) % p
>>>>  ⨳|>        y3 = ((y1*y2-a*x1*x2) * inv(1-d*x1*x2*y1*y2)) % p
>>>>  ⨳|
>>>>  ⨳|The math notation I am using maps directly to that of most CAS
>>>> [ ⨳]
>>>> No - for example:
>>>> " On Montgomery curves, curves of the form y^2=x^3+Ax^2+x, the
>>>>typical"
>>>> is Ax a variable 'Ax' or A*x ... this is sloppy non-parseable notation
>>>
>>>>  ⨳|systems. Anyway, at some point I will be done with the major
>>>>revision,
>>>>  ⨳|and kick it around for comments.
>>>> [ ⨳]
>>>> CAS???
>>>> I prefer running code useable for a protocol implementation.
>>>
>>>So I can just copy the relevant parts of tweetnacl.c and be done with
>>>it?
>>>
>>>>
>>>> Paul
>>>>
>>>>  ⨳|
>>>>  ⨳|>
>>>>  ⨳|>    4) curve names need consolidation and should clearly indicate
>>>>  ⨳|curve
>>>>  ⨳|> type
>>>>  ⨳|
>>>>  ⨳|Blame Tanja. I really do not like the idea of changing existing
>>>>names
>>>>  ⨳|especially when referring people to papers with them. SEC/NIST has
>>>>  ⨳|already caused enough confusing as it is.
>>>> [ ⨳]
>>>> No need to blame, just make the change but  include reference to
>>>>original author and curve name.
>>>> NIST did not add confusion ... just branded the results.
>>>> CFRG branding would be valuable.  More curves will happen and  a
>>>>consistent notation is a good thing.
>>>
>>>What do you propose for the name scheme? E,M with prime in the expc
>>>format is my best proposal, but this might not be unique all the time.
>>>>
>>>> Paul
>>>>
>>>>  ⨳|
>>>>  ⨳|>
>>>>  ⨳|>
>>>>  ⨳|>
>>>>  ⨳|>
>>>>  ⨳|> Paul
>>>>  ⨳|>
>>>>  ⨳|>
>>>>  ⨳|>
>>>>  ⨳|> >
>>>>  ⨳|> >David
>>>>  ⨳|> >
>>>>  ⨳|> >>
>>>>  ⨳|> >> Thanks,
>>>>  ⨳|> >>     Yaron
>>>>  ⨳|> >>
>>>>  ⨳|> >> _______________________________________________
>>>>  ⨳|> >> Cfrg mailing list
>>>>  ⨳|> >> Cfrg@irtf.org
>>>>  ⨳|> >> http://www.irtf.org/mailman/listinfo/cfrg
>>>>  ⨳|> >>
>>>>  ⨳|> >
>>>>  ⨳|> >_______________________________________________
>>>>  ⨳|> >Cfrg mailing list
>>>>  ⨳|> >Cfrg@irtf.org
>>>>  ⨳|> >http://www.irtf.org/mailman/listinfo/cfrg
>>>>  ⨳|>
>>>>  ⨳|> _______________________________________________
>>>>  ⨳|> Cfrg mailing list
>>>>  ⨳|> Cfrg@irtf.org
>>>>  ⨳|> http://www.irtf.org/mailman/listinfo/cfrg
>>>
>>>
>>>
>>>--
>>>"Those who would give up Essential Liberty to purchase a little
>>>Temporary Safety deserve neither  Liberty nor Safety."
>>>-- Benjamin Franklin
>>
>
>
>
>-- 
>"Those who would give up Essential Liberty to purchase a little
>Temporary Safety deserve neither  Liberty nor Safety."
>-- Benjamin Franklin