Re: [Cfrg] Curve manipulation, revisited
David Gil <dgil@yahoo-inc.com> Fri, 26 December 2014 21:51 UTC
Date: Fri, 26 Dec 2014 21:50:57 +0000
From: David Gil <dgil@yahoo-inc.com>
To: Adam Langley <agl@imperialviolet.org>
Message-ID: <1223557431.954984.1419630657780.JavaMail.yahoo@jws100194.mail.ne1.yahoo.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/JkF5_ucXZx6if8NehCqmyBH0CWA
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Curve manipulation, revisited
On Thursday, December 25, 2014 1:05 PM, Adam Langley <agl@imperialviolet.org> wrote:

[replying to someone else]
> . . . On the other hand, each additional curve dilutes
> implementation resources and implementation bugs happen.

I assume that you mean finite fields, not curves? (This would seem to be just as good of an argument for generating Edwards curves over the Solinas primes, which are rather widely implemented...)

> On Thu, Dec 25, 2014 at 8:38 PM, David Gil <dgil@yahoo-inc.com> wrote:
>> In particular, w.r.t. Yahoo's eventual release of an End-to-End
>> messaging extension, we will generate EC keys for extension users
>> on a curve subgroup with log2(#K) >= 376. The additional computational
>> expense is, frankly, negligible.
>
> I think my argument here is the same as above. (Although, in this
> situation, you would have the advantage of being able to use the
> simplest, clearest code possible . . .

Alas, no, I don't have that advantage: WebCrypto [has more-or-less decided][w3c_curves] that they will only implement CFRG-recommended curves. I need WebCrypto support -- for non-extractable keys. But I also need to have something that is relatively clean to implement in JS, for support of legacy-ish browsers. And I'm not convinced that the NUMS curve proposal can be implemented with decent performance in simple and clear JS.

> . . . because performance isn't a concern.)

And alas, it is: JavaScript is not particularly ideal for k-time bignum arithmetic. The choice of finite field has a major impact on performance.

--

> TOP SECRET just needed to have a bigger number than SECRET :)

Sure; but why then not secp224r1/SHA-224 and secp256r1/SHA-256? And does a code-breaking agency have any reason to publicly *overestimate* the probability a cryptosystem might be broken?

(Or: perhaps they chose randomly ;)

--

[w3c_curves]: http://lists.w3.org/Archives/Public/public-webcrypto/2014Sep/0011.html "[W3C Web Crypto WG] CfC : Call for Consensus on the integration of new curves in Web Crypto API - vote before the 16th of sept"
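The message above argues that the choice of finite field, not just the curve, drives the cost of "simple and clear JS" arithmetic, and points at the Solinas primes as a widely implemented option. The following is an added example, not part of the thread and not code from David Gil, Yahoo or the CFRG: it shows the property that makes a Solinas (generalized Mersenne) prime cheap to work with, using the P-256 prime p = 2^256 - 2^224 + 2^192 + 2^96 - 1. Because 2^256 ≡ 2^224 - 2^192 - 2^96 + 1 (mod p), a 512-bit product can be folded back below p with shifts, masks and additions instead of a long division. The function names (`reduceSolinasP256`, `reduceGeneric`, `mulModP256`, `selfCheck`) and the sample operands are my own choices; the code assumes an ES2020 runtime with BigInt.

```javascript
// Added example (not from the CFRG thread): reduction modulo the P-256 prime,
// a Solinas prime, using only shifts, masks, additions and a final
// conditional subtraction. Assumes BigInt support (ES2020, Node >= 10.4).

// p = 2^256 - 2^224 + 2^192 + 2^96 - 1
const P256 = (1n << 256n) - (1n << 224n) + (1n << 192n) + (1n << 96n) - 1n;
// C = 2^256 mod p = 2^224 - 2^192 - 2^96 + 1; every bit above position 255
// can be replaced by this constant times its weight.
const C = (1n << 224n) - (1n << 192n) - (1n << 96n) + 1n;
const MASK256 = (1n << 256n) - 1n;

// Reduce 0 <= x < p^2 modulo P256. Each pass folds the part of x above
// 2^256 back down, shrinking x by roughly 32 bits, until x < 2^256.
// NOTE: the data-dependent loops make this a demonstration of the algebra,
// not a constant-time ("k-time") implementation; a production version would
// run a fixed number of folds and use a masked final subtraction.
function reduceSolinasP256(x) {
  if (x < 0n) throw new RangeError("input must be non-negative");
  while (x > MASK256) {
    x = (x & MASK256) + (x >> 256n) * C;
  }
  // After the folds x < 2^256 < 2p, so at most one subtraction remains.
  while (x >= P256) x -= P256;
  return x;
}

// Reference path: generic modular reduction. For an arbitrary prime this
// long division is the only option, which is the performance point made
// in the message above.
function reduceGeneric(x, p) {
  return ((x % p) + p) % p;
}

// Field multiplication built on the Solinas reduction.
function mulModP256(a, b) {
  return reduceSolinasP256(a * b);
}

// Constructed sample operands (not real key material): a worst-case pair
// just below p, whose product is close to p^2.
const A = P256 - 1n;
const B = P256 - 2n;

// Cross-check the shortcut against the generic path on a spread of inputs,
// including 0, values below p, products near p^2 and a large multiple of p.
function selfCheck() {
  const cases = [
    0n, 1n, A, B,
    A * B,
    (P256 - 1n) * (P256 - 1n),
    123456789n * P256 + 42n,
  ];
  return cases.every((x) => reduceSolinasP256(x) === reduceGeneric(x, P256));
}

// Usage: (p-1)(p-2) = p^2 - 3p + 2, so the product reduces to 2.
console.log(selfCheck(), mulModP256(A, B));
```

The shortcut exists only because p has the sparse form 2^256 minus a few powers of two; swap in an arbitrary 256-bit prime and `reduceGeneric` (a division) is all that is left, which is why the field, and not only the curve equation, decides how much arithmetic a JS implementation must do per scalar multiplication.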