Re: [Cfrg] big-endian short-Weierstrass please

David Gil <dgil@yahoo-inc.com> Tue, 27 January 2015 17:55 UTC

Date: Tue, 27 Jan 2015 17:54:56 +0000
From: David Gil <dgil@yahoo-inc.com>
To: Dan Brown <dbrown@certicom.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Message-ID: <260118468.805595.1422381296240.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5D42BDA@XMB116CNC.rim.net>
References: <810C31990B57ED40B2062BA10D43FBF5D42BDA@XMB116CNC.rim.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/KG5DxKpotWAaSDBhEkinTZ6H7TQ>

A lot of older software (and hardware) that supports arbitrary elliptic curves over Fq, q>3, assumes that h=1. Those implementations will not handle Edwards curves correctly.

See, e.g., http://golang.org/pkg/crypto/elliptic/#CurveParams

I would prefer to break backwards compatibility for the sake of correctness. (And I would suspect that some implementations that claim to support arbitrary cofactor are broken: There has not been any reason before to really exercise the h!=1 case.)

- dlg
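Added illustration, not part of David Gil's message or of the Go package he links: on Ed25519 (cofactor 8) a point can satisfy the curve equation and still lie outside the prime-order subgroup, which is exactly the case an implementation that assumes h=1 never checks. The Ed25519 constants are the standard ones; the helper and point names are this example's own.

```go
package main

import "math/big"

// Standard Ed25519 constants: p = 2^255-19, curve -x^2 + y^2 = 1 + d x^2 y^2, subgroup order n, cofactor 8.
var (
	p    = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19))
	d    = mulMod(big.NewInt(-121665), invMod(big.NewInt(121666)))
	c, _ = new(big.Int).SetString("27742317777372353535851937790883648493", 10)
	n    = new(big.Int).Add(new(big.Int).Lsh(big.NewInt(1), 252), c) // n = 2^252 + c (prime)
)
type point struct{ x, y *big.Int } // affine coordinates; the identity element is (0, 1)
func mod(a *big.Int) *big.Int       { return new(big.Int).Mod(a, p) }
func mulMod(a, b *big.Int) *big.Int { return mod(new(big.Int).Mul(a, b)) }
func invMod(a *big.Int) *big.Int    { return new(big.Int).ModInverse(mod(a), p) }
// add is the complete twisted Edwards addition law for a = -1; it also serves for doubling.
func add(P, Q point) point {
	x1x2, y1y2 := mulMod(P.x, Q.x), mulMod(P.y, Q.y)
	t := mulMod(d, mulMod(x1x2, y1y2))
	xn := new(big.Int).Add(mulMod(P.x, Q.y), mulMod(P.y, Q.x))
	return point{mulMod(xn, invMod(new(big.Int).Add(big.NewInt(1), t))),
		mulMod(new(big.Int).Add(y1y2, x1x2), invMod(new(big.Int).Sub(big.NewInt(1), t)))}
}
// scalarMul computes k*P by plain double-and-add (not constant time; illustration only).
func scalarMul(k *big.Int, P point) point {
	R := point{big.NewInt(0), big.NewInt(1)}
	for i := k.BitLen() - 1; i >= 0; i-- {
		if R = add(R, R); k.Bit(i) == 1 {
			R = add(R, P)
		}
	}
	return R
}
// onCurve is all the validation an implementation that assumes h = 1 performs.
func onCurve(P point) bool {
	x2, y2 := mulMod(P.x, P.x), mulMod(P.y, P.y)
	return mod(new(big.Int).Sub(y2, x2)).Cmp(new(big.Int).Add(big.NewInt(1), mulMod(d, mulMod(x2, y2)))) == 0
}
// inPrimeSubgroup is the extra check a cofactor > 1 curve needs: n*P must be the identity.
func inPrimeSubgroup(P point) bool { R := scalarMul(n, P); return R.x.Sign() == 0 && R.y.Cmp(big.NewInt(1)) == 0 }
// basePoint recovers the standard generator from y = 4/5 (either root of x^2 has order n).
func basePoint() point {
	y := mulMod(big.NewInt(4), invMod(big.NewInt(5)))
	x2 := mulMod(new(big.Int).Sub(mulMod(y, y), big.NewInt(1)), invMod(new(big.Int).Add(big.NewInt(1), mulMod(d, mulMod(y, y)))))
	return point{new(big.Int).ModSqrt(x2, p), y}
}
func main() {
	order4 := point{new(big.Int).ModSqrt(mod(big.NewInt(-1)), p), big.NewInt(0)} // (sqrt(-1), 0), order 4
	println(onCurve(order4), inPrimeSubgroup(order4), inPrimeSubgroup(basePoint())) // true false true
}
```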