Re: [Cfrg] Safecurves draft

Watson Ladd <watsonbladd@gmail.com> Thu, 09 January 2014 20:46 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00F121AE572 for <cfrg@ietfa.amsl.com>; Thu, 9 Jan 2014 12:46:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CkJQ1uIGX4y3 for <cfrg@ietfa.amsl.com>; Thu, 9 Jan 2014 12:46:19 -0800 (PST)
Received: from mail-wi0-x22c.google.com (mail-wi0-x22c.google.com [IPv6:2a00:1450:400c:c05::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 50C081AE571 for <cfrg@irtf.org>; Thu, 9 Jan 2014 12:46:19 -0800 (PST)
Received: by mail-wi0-f172.google.com with SMTP id en1so7484737wid.17 for <cfrg@irtf.org>; Thu, 09 Jan 2014 12:46:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=psTO0C/kOLbeGjEeecfObMXwMHKeOExv3rHw/ENuDBA=; b=G+U3alIiNReMEsqeBLEpuRzBVOL+zHM6ShVk9iT+qP43fMZnPEsFfUrCqmuCB9krWp 2Lc6XYcU5mL0PFok02RG/MK4oWQQWOc1s7mSDeWLMN1Se3o6ut1/UtCqSbX2h2SZfC9K kIJgT0Kul0w4qzZJqAIH0WVIDDaWwS4RvHMeWBhmMtD1Nu3Ygf2Uf43AZxGrOGggCfYE 6jXjTe59Brx8Ka6cersu96Wos/1okAmakb0XzTv4D0+PHGbAXm4u2xYwN2foP+Zi6lSm 7LDebSz8iOudTepG6gm0R4jaxoO2fBqta7+kkyyYDdd1S50Mm7skmQaQX1ZiQIwzjk+/ 5MWA==
MIME-Version: 1.0
X-Received: by 10.194.187.101 with SMTP id fr5mr4927188wjc.76.1389300369107; Thu, 09 Jan 2014 12:46:09 -0800 (PST)
Received: by 10.194.242.131 with HTTP; Thu, 9 Jan 2014 12:46:08 -0800 (PST)
In-Reply-To: <CEF43F31.2BF71%paul@marvell.com>
References: <20140109031144.6111382.52184.8264@certicom.com> <20140109094731.GA12327@netbook.cypherspace.org> <CADMpkc+giuSZgrYmusRJmj5SyN9Dcu_Mdaqx5KQPyXGMmosFUw@mail.gmail.com> <CABqy+soXxjY+fEzpHP+_yn9Y1Xtapm_9OWbgDcA_J_Lukz_YLw@mail.gmail.com> <CADMpkcJFk2C5DPQX9RVWphUH25atsUX2vPA7RwNf8zbmR6dXJQ@mail.gmail.com> <CABqy+soX0xVWG0+vJs-_7O1Ur_hkDW0u0acCGZYrrtEci5QRXw@mail.gmail.com> <CADMpkcKptQrtXyaarkXiMpRyGmobEcywbTeTkkcb6uWB-yttwg@mail.gmail.com> <B29AD107-69D0-4EF5-9D5B-137C1E333AEA@shiftleft.org> <CACsn0ckufy9jfOXcMDA7WE+SzZUuuibucod8CkQeACnQam63-w@mail.gmail.com> <CEF43F31.2BF71%paul@marvell.com>
Date: Thu, 9 Jan 2014 12:46:08 -0800
Message-ID: <CACsn0c=wfpmQRL5axi0T-eB-M=+sxni54t8EjQK7ZbdU9eW8kg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Paul Lambert <paul@marvell.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Safecurves draft
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2014 20:46:21 -0000

On Thu, Jan 9, 2014 at 12:01 PM, Paul Lambert <paul@marvell.com> wrote:
>
>
>>> I agree.  The sender might well use Edwards internally -- it's about 3x
>>> faster -- but the point should be sent in Montgomery form.
> Totally undefined in the draft.  Critical for interoperability.

Whether or not Montgomery or Edwards form is used depends on what the protocol
is doing with the points. Montgomery form does not support addition,
but has advantages
in ECDH representations because it eliminates some validations without
point compression issues.

>
>
>>
>>This draft doesn't specify an encoding: it's up to whichever standard
>>uses this draft
>>to pick one.
> Wrong answer Š  we need interoperability of public key representation
> Since a key may be used in multiple applications.

Most reasonable representations can be interconverted. However, there
are popular implementations
of these curves that make strange representation choices: a format
switch might not be popular if everyone
implementing a protocol wants to use NaCl.

Furthermore, some people (like me) want fixed length encodings sized
to cover the necessary range exactly, while
others like ASN.1 (for inexplicable reasons). The fewer choices we
make here, the faster this can get through. The new version explains
what
representations should do, while leaving it up to the end user
protocols to decide what makes sense.

>
>
> Paul
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin