Re: [Cfrg] 512-bit twisted Edwards curve and curve generation methods in Russian standardization

Paul Hoffman <> Wed, 28 January 2015 17:33 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 3409E1A1B35 for <>; Wed, 28 Jan 2015 09:33:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8wnEYVn9cz5h for <>; Wed, 28 Jan 2015 09:33:25 -0800 (PST)
Received: from (Opus1.Proper.COM []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1ED001A00F6 for <>; Wed, 28 Jan 2015 09:33:25 -0800 (PST)
Received: from [] ( []) (authenticated bits=0) by (8.15.1/8.14.9) with ESMTPSA id t0SHXM2W079440 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Jan 2015 10:33:23 -0700 (MST) (envelope-from
X-Authentication-Warning: Host [] claimed to be []
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: Paul Hoffman <>
In-Reply-To: <>
Date: Wed, 28 Jan 2015 09:33:22 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <>
To: Tony Arcieri <>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <>
Cc: "" <>
Subject: Re: [Cfrg] 512-bit twisted Edwards curve and curve generation methods in Russian standardization
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Jan 2015 17:33:26 -0000

On Jan 28, 2015, at 9:22 AM, Tony Arcieri <> wrote:
> Dan Bernstein and Tanja Lange have already demonstrated that such "verifiably random" generation procedures can be used to surreptitiously tweak specific curve parameters:

That is a huge overstatement of what they showed. They showed that if a group of people with a common interest pick the form for the verifiably random value, they can tweak parameters. There are obvious procedures that prevent the number being chosen by such a group, and instead have the number chosen by a group where even if a single person is trusted, the randomness is trusted.

> I for one would not feel particularly inclined to trust a curve generated with this method, and would personally prefer the sort of rigid curve generation approach that this committee and others have been working on to any curve with large unexplained mystery constants.

If there were no downside to using a trustable random number, we could use one, but it seems that there are performance penalties and difficulty to make such calculations constant-time (if I understand earlier arguments correctly).

--Paul Hoffman