Re: [Cfrg] ECC reboot (Was: When's the decision?)

"David Leon Gil" <> Fri, 17 October 2014 16:07 UTC

To: "Alyssa Rowan" <>,
List-Id: Crypto Forum Research Group <>

Re the primes 2^521-1 and 2^607-1. Mersenne may be particularly good for hardware. Most of the large (expensive) blocks can be shared with side-channel-protected DSP blocks. And hardware designs for Mersenne multiplication are sufficiently old (Rader gives one), that there are no IP issues. (And this, I submit, should be a CFRG priority.)

They're obviously good software performers as well.

There is no problem with generating random curves mod M521; there are O(2^521-1) isomorphism classes. (About 1/4 are Edwards as well, IIRC.)

(Because of the width of DSPs needed in some applications, the prime M607 may not be significantly more expensive than M521 in hardware.)
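The hardware argument above rests on one property of a Mersenne prime M_p = 2^p - 1: reducing a product modulo M_p needs no multiplication by a constant, only a split at bit p and an addition, because 2^p ≡ 1 (mod M_p). The following is an added illustration, not code from the email or from CFRG: it implements that shift-and-add ("fold") reduction for an arbitrary exponent p, uses it for multiplication mod M521 and M607, and, since the same squaring step is all the Lucas-Lehmer test needs, confirms that 521 and 607 are indeed Mersenne prime exponents while 11 is not. All function names are this example's own.

```python
# Added example: shift-and-add reduction modulo a Mersenne prime 2^p - 1,
# the operation the email says maps well onto shared DSP/multiplier blocks.


def mersenne_reduce(x: int, p: int) -> int:
    """Reduce a non-negative integer x modulo M_p = 2^p - 1.

    Because 2^p == 1 (mod M_p), the high part of x can simply be added to
    the low part: x = hi * 2^p + lo == hi + lo (mod M_p). For x < 2^(2p)
    (a product of two reduced operands) two folds bring x below 2^p, and a
    final conditional subtraction handles the single edge case x == M_p.
    """
    if x < 0:
        raise ValueError("mersenne_reduce expects a non-negative integer")
    m = (1 << p) - 1
    while x >> p:                      # while x has bits at position p or above
        x = (x & m) + (x >> p)         # fold: lo + hi, no constant multiply
    if x == m:                         # 2^p - 1 is the one residue left unreduced
        x = 0
    return x


def mul_mod_mersenne(a: int, b: int, p: int) -> int:
    """Multiply two residues modulo M_p using only the fold reduction."""
    return mersenne_reduce(a * b, p)


def lucas_lehmer(p: int) -> bool:
    """Lucas-Lehmer primality test for M_p with odd prime p.

    s_0 = 4, s_{k+1} = s_k^2 - 2 (mod M_p); M_p is prime iff s_{p-2} == 0.
    The +m keeps the argument non-negative without changing the residue.
    Each step is exactly the squaring-plus-fold the hardware would perform.
    """
    m = (1 << p) - 1
    s = 4
    for _ in range(p - 2):
        s = mersenne_reduce(s * s - 2 + m, p)
    return s == 0


if __name__ == "__main__":
    # Constructed sample operands, each below M521.
    a = (1 << 520) + 12345
    b = (1 << 519) + 67890
    m521 = (1 << 521) - 1
    print("fold reduction matches %:", mul_mod_mersenne(a, b, 521) == (a * b) % m521)
    for p in (11, 13, 521, 607):
        print(f"2^{p}-1 prime? {lucas_lehmer(p)}")
```

The `mersenne_reduce` loop runs at most twice for a product of two reduced inputs, which is why a fixed-width datapath can implement it as a single add of the two halves plus a carry fix-up; for a prime of the form 2^k - c with c > 1 the high half would instead have to be multiplied by c before being added, which is the extra block a Mersenne design avoids.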