Re: [Cfrg] Curve manipulation, revisited
Alyssa Rowan <akr@akr.io> Tue, 30 December 2014 18:39 UTC
Return-Path: <akr@akr.io>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11D221A1A1F for <cfrg@ietfa.amsl.com>; Tue, 30 Dec 2014 10:39:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.798
X-Spam-Level:
X-Spam-Status: No, score=0.798 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 61xP7YiF_3mE for <cfrg@ietfa.amsl.com>; Tue, 30 Dec 2014 10:39:40 -0800 (PST)
Received: from entima.net (entima.net [78.129.143.175]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 573BA1A0273 for <cfrg@irtf.org>; Tue, 30 Dec 2014 10:39:40 -0800 (PST)
Message-ID: <54A2F174.3050704@akr.io>
Date: Tue, 30 Dec 2014 18:39:48 +0000
From: Alyssa Rowan <akr@akr.io>
MIME-Version: 1.0
To: "cfrg@irtf.org" <cfrg@irtf.org>
References: <CAMfhd9W684XMmXn3ueDmwrsQ_ZdiFG+VqYLxkvs7qDwiJdpk6w@mail.gmail.com> <1725646678.805875.1419539885135.JavaMail.yahoo@jws100115.mail.ne1.yahoo.com> <CAMfhd9Ua5fFZk46Xx1AN2VgyJ=Yng6fnO8aN-_ZfzXQn0Xbxhg@mail.gmail.com> <CA+Vbu7zqFcu8d1053mZ_eEm0q=np6T3snSQ4rfY0k1-4hBVDsA@mail.gmail.com> <CAHOTMV+jO+8pvU4-McPb+t-4=0jp0-5Gg-3Psis+zZ-FRu-R3w@mail.gmail.com> <FA87F77E-5709-4F4D-858E-A98F390283AB@vpnc.org> <CACsn0cmTu8ja=ogC1iCNHwYp0VK62S9bZC7o7aQ+Hy_zz67d9w@mail.gmail.com>
In-Reply-To: <CACsn0cmTu8ja=ogC1iCNHwYp0VK62S9bZC7o7aQ+Hy_zz67d9w@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/BYlI2nszYFhorMRmN-1cttCweqk
Subject: Re: [Cfrg] Curve manipulation, revisited
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Dec 2014 18:39:42 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 30/12/2014 17:45, Watson Ladd wrote: > We already have agreement: It's a Montgomery x-coordinate solution > modulo the prime 2^255-19, with the curve equal to that of > Curve25519. I think we are at, or very near, agreement on Curve25519 (although of course we would need to confirm that with everyone). > Literally the only difference is the basepoint, which is irrelevant > to security. Yes; that is one of the only remaining sticking points with Ben's draft, other than the changes he's already agreed to make. If the draft can be changed to match Curve25519's x=9 basepoint, then yes, I think that we would have agreement to recommend Curve25519 and the associated X25519 Montgomery-x key agreement (and people could more or less go ahead and start rolling that out!). It's a gratuitous incompatibility with no security justification otherwise, which makes no sense to me. > I strongly urge that we finish off the 128-bit level ASAP. That I definitely agree with. Would it be beneficial to take the 384-bit curve out of the draft for now? Or can we relatively quickly reach agreement on something like 2^389-21? If we run with just the WF128 curve for now, we could always follow it up later. I'm a little concerned that the twisted-Edwards form proposed by Ben is not Ed25519's, as that may unnecessarily complicate the discussion about signatures - but that discussion is (despite having raised it months ago) in any case in a much earlier phase and I'm unsure where it'll actually end up. - -- /akr -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUovF0AAoJEOyEjtkWi2t6wsgQAK0rSjlB+4AbOrWK5uO0+Vma /HubBmEE4/YaTP85N7qmw0fICLvYXxG+GzUfDzHfRN5T7chJvT6nqYRkmI/zkZL6 FZ3gE6XP3hPgLw65W3cbpgkeyfydLw6ru9dMfOdrY6qniKhDMTNlbmAE5joekuKO EP9Dm73yN0YN4JLxO/S6WXPfsgaBeEBGszZtsfBOMIerbhCD7O5NruXUkimMw6QI HnZs1/uK5+S9TdbhR99Wl3Kf71R8wvpKv1A+yNUC047e+j9SPJpqIiNR7LK4QXHr 1qpCSjLR0TCZwPyftXBBiNVHVJu7e8vR4OMDDnyyMcSwU4zD2w3iHRBcy1rVMu1S uUCgMpoAcL7sGU2sr4IX2E2FJr77cTsOX8I084hbLfz2nyrefCquaaNDcKHoQxMB LWWW19UqAQrLisENwvEdjqJ/yC0J3I9LFJ3wDgK03hyd5DGqzx6CX79lhe7x88lU +lkfEOeKC/Epp/oRmysEs6T+QkclhoeVlWD3damFMjqDyMVnddopctuSmOhTqNJQ dcG54u1uLlet3dtRzWNHzSimgIT7GSLiHmiyXgNub11jLh2vDGfT3bEaJq2FDXAe zuPFinHjdD3vybSNxoF7kiyr51FkqaCS2JDP3N8GVMCWJ3kc90qCoJSnUTUFHiyf 7v9l/EI3JF2r/8EuBee9 =ljsD -----END PGP SIGNATURE-----
- [Cfrg] Curve manipulation, revisited D. J. Bernstein
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited David Gil
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited David Gil
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited David Gil
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Alyssa Rowan
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Yoav Nir
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Michael Hamburg
- Re: [Cfrg] Curve manipulation, revisited Yoav Nir
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Yoav Nir
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Mike Hamburg
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Rob Stradling
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Tony Arcieri
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Rob Stradling
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Paul Hoffman
- Re: [Cfrg] Curve manipulation, revisited Nico Williams
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Paul Hoffman
- Re: [Cfrg] Curve manipulation, revisited Alyssa Rowan
- Re: [Cfrg] Curve manipulation, revisited Peter Dettman
- Re: [Cfrg] Curve manipulation, revisited Harry Halpin
- Re: [Cfrg] Curve manipulation, revisited Michael Hamburg
- Re: [Cfrg] Curve manipulation, revisited Peter Dettman