IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - curve form and coordinate systems (ends on March 12th)

Nico Williams <nico@cryptonector.com> Thu, 12 March 2015 20:23 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71DA11A8946 for <cfrg@ietfa.amsl.com>; Thu, 12 Mar 2015 13:23:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zvHJ9JCHPf4h for <cfrg@ietfa.amsl.com>; Thu, 12 Mar 2015 13:23:16 -0700 (PDT)
Received: from homiemail-a26.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 548811A8873 for <cfrg@irtf.org>; Thu, 12 Mar 2015 13:23:16 -0700 (PDT)
Received: from homiemail-a26.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a26.g.dreamhost.com (Postfix) with ESMTP id F0415B8094; Thu, 12 Mar 2015 13:23:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=YTvi5GwvKpJLaM 7MZXfNjL1a7cM=; b=KjjUh9v0fJ0TARM9GBPD1bOsFc5t1bIIktDK8WytFY5Vxd W47gpW5UbkPdb99saSg2g1YRtqCvzA8F1tCcwS9oIbnS6UzOpeaJLVwTqcGR3N94 Vjq9zxBD2xUCP4mkWsDXUi6SnOsNcZ5QZxNNJeevkH0nu+kbU/QfXQt82VOQk=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a26.g.dreamhost.com (Postfix) with ESMTPA id 99B46B8087; Thu, 12 Mar 2015 13:23:15 -0700 (PDT)
Date: Thu, 12 Mar 2015 15:23:14 -0500
From: Nico Williams <nico@cryptonector.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <20150312202314.GZ7286@localhost>
References: <54F8E735.2010202@isode.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <54F8E735.2010202@isode.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/HE-TXoFkt674NRZA2z0WpgR5obU>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems (ends on March 12th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2015 20:23:20 -0000

On Thu, Mar 05, 2015 at 11:31:01PM +0000, Alexey Melnikov wrote:
> CFRG chairs are starting discussion of the next topic:
> 
> Q4: draft-irtf-cfrg-curves-01 currently contains curves in both
> Montgomery form and Edwards form. The scalar multiplication routine
> is specified using Montgomery form (and is specific to Curve25519,
> which will need to be changed given our decision to include a higher
> security level curve). Its input is a scalar and the u-coordinate of

I don't understand the parenthetical.  What does including a higher
security-level curve have to do with whether Curve25519 uses Montgomery
form?

> a point on a Montgomery-form curve; its output is the u-coordinate
> of a point on a Montgomery-form curve. The DH function builds on
> this routine. Do we want to stay with specifying the inputs and
> outputs in Montgomery form for these routines? Or do we want to
> switch to an alternative curve form and coordinate system for
> defining the routines? If so, which form and coordinate system?

Stay, not switch.

Yesterday I posted an extended reply about this as a follow-up to
Watson's reply about this:

http://www.ietf.org/mail-archive/web/cfrg/current/msg06438.html

> [Chairs are aware that it is possible to switch back and forward
> between different curve forms and coordinate systems, with
> associated costs, no matter which form is specified for the inputs
> and outputs of the routines. But we now have to decide *which* form
> we want to use for inputs and outputs, so as to ensure
> interoperability between Alice and Bob. Chairs did not want to
> implicitly force the choice of Montgomery form/coordinates without
> polling the group first.]

There is no need to switch back and forth between code representations
unless one wishes to use a private key both for ECDH *and* other ECC
purporses (e.g., signatures) where Montgomery is a pessimization.  Even
should such a use-case arise, as you point out, conversions are
possible.

> Once this issues is settled, we will be discussing (in no particular
> order. Chairs reserve the right to add additional questions) wire
> format, byte order and signature schemes. Please don't discuss any
> of these future topics at this time.

Sure, though of course, if we accept that each curve can dictate what
point representation to use [up to and including separately for each use
type, ECDH, signatures, ...], then there's no point getting exercised
about Curve25519's choice of marshalling format (including endianness)
(but there would be a point to getting exercised about changing that).

Nico
--

v2.23.0 | Report a Bug | By Email