Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as a RG document

Michael Hamburg <mike@shiftleft.org> Mon, 05 January 2015 22:11 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/JyfGzpzPailUI2B0uGcPa3_WtmU

Support, though I agree that minor changes are important for clarity.

Also, I thought Curve25519 used minimal (2 mod 4) A.  Isn’t that equivalent to minimal d due to the isogeny?

Cheers,
— Mike

> On Jan 5, 2015, at 2:08 PM, David Leon Gil <coruus@gmail.com> wrote:
> 
> Is there any particular need to choose between minimal A and minimal d? Why not simply specify that both are acceptable options?
> 
> This is a minuscule loss to rigidity; two curves versus one per prime. 
> On Mon, Jan 5, 2015 at 2:01 PM Tony Arcieri <bascule@gmail.com> wrote:
> On Mon, Jan 5, 2015 at 11:15 AM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
> This message starts 2 weeks adoption call (ending on January 19th 2015) on:
> 
> https://www.imperialviolet.org/cfrgcurve/cfrgcurve.xml
> 
> as the starting point for the CFRG document which describes an algorithm for safe curve parameter generation for a particular security level and also recommends a specific curve (2^255-19) for the 128-bit security level.
> 
> Please reply to this message or directly to CFRG chairs, stating whether you support (or not) adoption of this document. If you do not support adoption of this document, please state whether you support adoption of any alternative document or whether you want a particular change to be made to the document before adoption.
> 
> My support of this document is contextual: at present it does not provide a similar defense for Ed25519 (despite the rigid curve selection guidelines dealing primarily in Edwards curves) as it does for Curve25519 (which is Montgomery).
> 
> I hope the CFRG does not paint itself into a corner with this document, and when the question of a signature system arises, I hope Ed25519 will not be struck down due to an incompatibility with the outlined rigid curve selection guidelines.
> 
> I'm not saying the CFRG should adopt Ed25519, but I would prefer the door remained open for them to do so.
> 
> tl;dr: I would accept this draft so long as it's not a blocker for Ed25519
> 
> -- 
> Tony Arcieri
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg