Re: [Cfrg] A draft merging rpgecc and thecurve25519function.

Mike Hamburg <mike@shiftleft.org> Fri, 02 January 2015 03:12 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B14521A1B23 for <cfrg@ietfa.amsl.com>; Thu, 1 Jan 2015 19:12:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.502
X-Spam-Level: ***
X-Spam-Status: No, score=3.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_FUTURE_06_12=1.947, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SSdA6i4-CgQI for <cfrg@ietfa.amsl.com>; Thu, 1 Jan 2015 19:12:29 -0800 (PST)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3FEA1A1B22 for <cfrg@irtf.org>; Thu, 1 Jan 2015 19:12:29 -0800 (PST)
Received: from [192.168.1.102] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 6D9223AA43; Thu, 1 Jan 2015 19:10:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1420168213; bh=1hxFGxLTfUYtn1d7DCC0HTzVWJaDdSKTMvsmrWnFxso=; h=Date:From:To:CC:Subject:References:In-Reply-To:From; b=E/jKXQ+2C5dNgw9A8MLjcflFgujVt7Va42hEPA+Ic/Awz7Jf/pnAokJBb6NVHFeGh 7n83V7/uor2UjfJYk1nNm4BjRhrKRWV1daN6RI8SZwEWoe+dkdXMemOaaHDJfZg+y6 kRsFL/6A+pTp7GYrkKv3YiQk2xiwqVBVv/23wiFE=
Message-ID: <54A67D1B.50804@shiftleft.org>
Date: Fri, 02 Jan 2015 03:12:27 -0800
From: Mike Hamburg <mike@shiftleft.org>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Adam Langley <agl@imperialviolet.org>, Watson Ladd <watsonbladd@gmail.com>
References: <CAMfhd9Vi=VJw2NW1CX1aE_qjXFmQ1Cmd1F4s7C9eEvuVog-f=Q@mail.gmail.com> <CAMfhd9UAkNBXvof3SgJLQ4Ld6=jNdvLnpCUrMsJFUCepGZytqA@mail.gmail.com> <CACsn0c=GVLh3vYm=dxW=FKKx3Zd=5L6qdh8m_xzjZpb+mk9+0w@mail.gmail.com> <CAMfhd9XJiatX7KoXmYbgoMPkyEV=kprEhZGW33wGZHZ4XbUX7w@mail.gmail.com>
In-Reply-To: <CAMfhd9XJiatX7KoXmYbgoMPkyEV=kprEhZGW33wGZHZ4XbUX7w@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/IEfIPvuyVLScEZ4TxrDyNpYbWvs
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] A draft merging rpgecc and thecurve25519function.
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Jan 2015 03:12:30 -0000

On 1/1/2015 4:51 PM, Adam Langley wrote:
> (As an aside: does the existing algorithm output Curve41417, 
> Goldilocks or E-521 when given the corresponding prime? I suspect not 
> for Curve41417 since the curve/twist cofactors are {8,8} not {4,4}. 
> Goldilocks might work though.)
I believe that Goldilocks and E-521 come out of this procedure; the 
twist of Ridinghood comes out (because I restricted my parameters to #E 
< #E'); and Curve41417 does not come out because it has cofactor 8.  
These all have different generators from the Safecurves site, but that 
doesn't really matter because nobody has deployed implementations AFAIK.

Section 6.1 is fine in terms of "let's be clear that this is the 
simplest safe thing".  But you may want to switch the conditions for 
clarity/simplicity/speed.  In particular, I think only negative d can 
come out of 6.1.  Also cofactor 4 and twist cofactor 4 imply d nonsquare 
and 1-d nonsquare, so you can remove the one condition or add the other 
if you want.

Happy 2015,
-- Mike