Re: [Cfrg] big-endian short-Weierstrass please

Nico Williams <> Thu, 29 January 2015 19:59 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A4DF21A049A for <>; Thu, 29 Jan 2015 11:59:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aRYhE6A9ihuo for <>; Thu, 29 Jan 2015 11:59:20 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 95BAC1A1AF2 for <>; Thu, 29 Jan 2015 11:59:20 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id 37BB3778070; Thu, 29 Jan 2015 11:59:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s=; bh=fvZuUl25s+bJTLI5mb9qlF8QNrc=; b=Mp+Ld16p6K6 tweratoS7a9TV3wXW024IGkI2vBBnBfRT6XpYX/XxmrSjf+xZ5Y+zr+W4j+GV+Uc 2irzqmmK0mZx/WAaX5f3S6Eo/5BSdV/71m6iMgPdypAyz5Wmj7htdQMmyMFD5dmz S/5pNZ9aDjinOisilrpexaGtUKgRxM6E=
Received: from localhost ( []) (Authenticated sender: by (Postfix) with ESMTPA id AD96B77805F; Thu, 29 Jan 2015 11:59:19 -0800 (PST)
Date: Thu, 29 Jan 2015 13:59:19 -0600
From: Nico Williams <>
To: Yoav Nir <>
Message-ID: <20150129195915.GX3110@localhost>
References: <> <> <> <> <20150128231006.GJ3110@localhost> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [Cfrg] big-endian short-Weierstrass please
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 29 Jan 2015 19:59:22 -0000

On Thu, Jan 29, 2015 at 09:05:47PM +0200, Yoav Nir wrote:
> > We are not having trouble with that  in this group. Nobody disputes that any of the proposed curves are secure, or the details of generation.
> > 
> > Instead, we're arguing about endiannes. I've tried to gather which primes everyone wants in one list, crickets.  Tony Arceli posts about signatures, 5 messages. Big v. Little, 40.
> > 
> That's Parkinson’t law of triviality at work. Few understand why one prime is better than another. A few more understand about implementing signature algorithms, but we all understand endianness.

It's not.

I sent Watson a private response about that, but I guess we must have
this discussion on the list instead.

It seems consensus on curves is almost there.  The basepoint discussion
for Curve25519 could be restarted and it could draw lots of posts (I bet
it will), but otherwise I think it unsurprising that there's little

Signature algorithms will be next up, but first things first.  Again, no
surprise about relative post numbers on this.

ECDH point representation on the wire, OTOH, may seem trivial in theory,
but it's not trivial in reality because there exists running code and
because there are patent issues.  It's utterly unsurprising that a
proposal that would instantly obsolete running, unencumbered code just
to generalize point representation so any arbitrary curve anyone can
think of can just be plugged in..., and which would also likely have the
side-effect of patent-encumbering new implementations.... would draw
many comments.

> Although that would make the signature algorithms the bike shed, and
> the endianness coffee.

We're past endianness.  Much of this thread has been about generic point
encoding (Dan Brown's proposal).

Some details really matter.  These aren't trivialities.