Re: [Cfrg] Curve manipulation, revisited

Alyssa Rowan <akr@akr.io> Tue, 30 December 2014 18:39 UTC

Return-Path: <akr@akr.io>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11D221A1A1F for <cfrg@ietfa.amsl.com>; Tue, 30 Dec 2014 10:39:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.798
X-Spam-Level:
X-Spam-Status: No, score=0.798 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 61xP7YiF_3mE for <cfrg@ietfa.amsl.com>; Tue, 30 Dec 2014 10:39:40 -0800 (PST)
Received: from entima.net (entima.net [78.129.143.175]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 573BA1A0273 for <cfrg@irtf.org>; Tue, 30 Dec 2014 10:39:40 -0800 (PST)
Message-ID: <54A2F174.3050704@akr.io>
Date: Tue, 30 Dec 2014 18:39:48 +0000
From: Alyssa Rowan <akr@akr.io>
MIME-Version: 1.0
To: "cfrg@irtf.org" <cfrg@irtf.org>
References: <CAMfhd9W684XMmXn3ueDmwrsQ_ZdiFG+VqYLxkvs7qDwiJdpk6w@mail.gmail.com> <1725646678.805875.1419539885135.JavaMail.yahoo@jws100115.mail.ne1.yahoo.com> <CAMfhd9Ua5fFZk46Xx1AN2VgyJ=Yng6fnO8aN-_ZfzXQn0Xbxhg@mail.gmail.com> <CA+Vbu7zqFcu8d1053mZ_eEm0q=np6T3snSQ4rfY0k1-4hBVDsA@mail.gmail.com> <CAHOTMV+jO+8pvU4-McPb+t-4=0jp0-5Gg-3Psis+zZ-FRu-R3w@mail.gmail.com> <FA87F77E-5709-4F4D-858E-A98F390283AB@vpnc.org> <CACsn0cmTu8ja=ogC1iCNHwYp0VK62S9bZC7o7aQ+Hy_zz67d9w@mail.gmail.com>
In-Reply-To: <CACsn0cmTu8ja=ogC1iCNHwYp0VK62S9bZC7o7aQ+Hy_zz67d9w@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/BYlI2nszYFhorMRmN-1cttCweqk
Subject: Re: [Cfrg] Curve manipulation, revisited
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Dec 2014 18:39:42 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 30/12/2014 17:45, Watson Ladd wrote:

> We already have agreement: It's a Montgomery x-coordinate solution 
> modulo the prime 2^255-19, with the curve equal to that of
> Curve25519.

I think we are at, or very near, agreement on Curve25519 (although of
course we would need to confirm that with everyone).

> Literally the only difference is the basepoint, which is irrelevant
> to security.

Yes; that is one of the only remaining sticking points with Ben's
draft, other than the changes he's already agreed to make.

If the draft can be changed to match Curve25519's x=9 basepoint, then
yes, I think that we would have agreement to recommend Curve25519 and
the associated X25519 Montgomery-x key agreement (and people could
more or less go ahead and start rolling that out!).

It's a gratuitous incompatibility with no security justification
otherwise, which makes no sense to me.

> I strongly urge that we finish off the 128-bit level ASAP.

That I definitely agree with.

Would it be beneficial to take the 384-bit curve out of the draft for
now? Or can we relatively quickly reach agreement on something like
2^389-21? If we run with just the WF128 curve for now, we could always
follow it up later.

I'm a little concerned that the twisted-Edwards form proposed by Ben
is not Ed25519's, as that may unnecessarily complicate the discussion
about signatures - but that discussion is (despite having raised it
months ago) in any case in a much earlier phase and I'm unsure where
it'll actually end up.

- -- 
/akr
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJUovF0AAoJEOyEjtkWi2t6wsgQAK0rSjlB+4AbOrWK5uO0+Vma
/HubBmEE4/YaTP85N7qmw0fICLvYXxG+GzUfDzHfRN5T7chJvT6nqYRkmI/zkZL6
FZ3gE6XP3hPgLw65W3cbpgkeyfydLw6ru9dMfOdrY6qniKhDMTNlbmAE5joekuKO
EP9Dm73yN0YN4JLxO/S6WXPfsgaBeEBGszZtsfBOMIerbhCD7O5NruXUkimMw6QI
HnZs1/uK5+S9TdbhR99Wl3Kf71R8wvpKv1A+yNUC047e+j9SPJpqIiNR7LK4QXHr
1qpCSjLR0TCZwPyftXBBiNVHVJu7e8vR4OMDDnyyMcSwU4zD2w3iHRBcy1rVMu1S
uUCgMpoAcL7sGU2sr4IX2E2FJr77cTsOX8I084hbLfz2nyrefCquaaNDcKHoQxMB
LWWW19UqAQrLisENwvEdjqJ/yC0J3I9LFJ3wDgK03hyd5DGqzx6CX79lhe7x88lU
+lkfEOeKC/Epp/oRmysEs6T+QkclhoeVlWD3damFMjqDyMVnddopctuSmOhTqNJQ
dcG54u1uLlet3dtRzWNHzSimgIT7GSLiHmiyXgNub11jLh2vDGfT3bEaJq2FDXAe
zuPFinHjdD3vybSNxoF7kiyr51FkqaCS2JDP3N8GVMCWJ3kc90qCoJSnUTUFHiyf
7v9l/EI3JF2r/8EuBee9
=ljsD
-----END PGP SIGNATURE-----