Re: [Cfrg] Mishandling twist attacks
Alyssa Rowan <akr@akr.io> Fri, 28 November 2014 06:37 UTC
Message-ID: <54781812.9000801@akr.io>
To: "cfrg@irtf.org" <cfrg@irtf.org>
In-Reply-To: <20141128014059.26622.qmail@cr.yp.to>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Ntw5GARzpAh0vfTkiSiapsd-bJo
On 28/11/2014 01:40, D. J. Bernstein wrote:

> Given the fact that Microsoft's curve-generation procedure is
> clearly subject to change, let me suggest a possible way forward.
> Microsoft adds further security criteria to its generation
> procedure, such as requiring the twist cofactor to divide the curve
> cofactor. For 2^255-19 it ends up with Curve25519---what a
> surprise! Microsoft then switches to proposing the latest edition
> of its "most trustworthy curve", namely Curve25519. This wouldn't
> resolve everything---I'd have to ask Microsoft to stop saying "new"
> for curves that really aren't new, and presumably there would still
> be discussion of larger primes---but surely it would help.

+1. This seems like an excellent way forward!

If the rpgecc authors (Microsoft Research/agl, et al) adopt this approach, then I think we could perhaps (finally) reach consensus about the choice of the ≈WF128 curve!

We'd then be able to move on to discussion about the "jumbo" curve (which then would also have this useful security criterion).

Thoughts?

-- 
/akr
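The criterion quoted above (the twist cofactor divides the curve cofactor) can be checked mechanically against a curve's published orders, and its effect on an x-only ladder can be demonstrated. The Python below is an added example, not code from this thread or from any of the curve proposals it discusses. It assumes Curve25519's published parameters (curve order 8·l and twist order 4·l' from Bernstein's Curve25519 paper) and the X25519 key-pair test vector later published in RFC 7748; the search for a twist point with an order-4 component is a constructed illustration, and the swap in the ladder is not constant-time.

```python
# Added example: checks "twist cofactor | curve cofactor" against Curve25519's
# published orders, then shows with an x-only Montgomery ladder why a clamped
# X25519 scalar (a multiple of 8) also neutralises the twist's small subgroup.
P = 2**255 - 19              # field prime
A = 486662                   # Montgomery form: v^2 = u^3 + A*u^2 + u
A24 = (A - 2) // 4           # 121665, the ladder constant

# Orders as published for Curve25519 (Bernstein's paper; later RFC 7748)
CURVE_COFACTOR = 8
L_CURVE = 2**252 + 27742317777372353535851937790883648493
TWIST_COFACTOR = 4
L_TWIST = 2**253 - 55484635554744707071703875581767296995


def check_curve_generation_criteria():
    """Checks a generation procedure would apply to the (curve, twist) pair."""
    curve_order = CURVE_COFACTOR * L_CURVE
    twist_order = TWIST_COFACTOR * L_TWIST
    return {
        # #E + #E' = 2p + 2 ties the two published orders to each other
        "orders_consistent": curve_order + twist_order == 2 * P + 2,
        # the criterion from the message: twist cofactor divides curve cofactor
        "twist_cofactor_divides_curve_cofactor": CURVE_COFACTOR % TWIST_COFACTOR == 0,
    }


def ladder(k, u):
    """x-only Montgomery ladder (RFC 7748 formulas) for a raw, unclamped scalar k.
    The formulas use only A, so they work on the curve and on its twist alike.
    Returns the affine u of [k]P, or 0 for the identity (projective Z = 0)."""
    x1 = u % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(max(k.bit_length(), 1) - 1, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:                         # real code: constant-time cswap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def clamp(scalar_bytes):
    """X25519 clamping: clears the low 3 bits, so every scalar is a multiple of 8."""
    k = bytearray(scalar_bytes)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")


def x25519(scalar_bytes, u_bytes):
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    return ladder(clamp(scalar_bytes), u).to_bytes(32, "little")


# RFC 7748 section 6.1 vector (Alice's key pair), used to validate the ladder
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BASEPOINT = (9).to_bytes(32, "little")


def ladder_matches_rfc7748_vector():
    return x25519(ALICE_PRIV, BASEPOINT) == ALICE_PUB


def on_curve(u):
    """True if u is the u-coordinate of a curve point; otherwise u is on the twist."""
    v2 = (u * u * u + A * u * u + u) % P
    return v2 == 0 or pow(v2, (P - 1) // 2, P) == 1


def find_twist_point_with_4_torsion():
    """Constructed search: smallest u on the twist whose point has an order-4
    component, i.e. [L_TWIST]P is neither the identity nor the order-2 point."""
    u = 2
    while on_curve(u) or ladder(L_TWIST, u) == 0:
        u += 1
    return u


def twist_demo():
    """Clamping to a multiple of 8 kills the twist's order-4 subgroup because
    4 | 8, so even a wrong-curve input lands in the twist's prime-order subgroup."""
    u = find_twist_point_with_4_torsion()
    clamped = 8 * 123456789          # shape of every clamped scalar: multiple of 8
    unclamped = clamped + 1          # odd scalar: keeps the torsion component
    return {
        "base_point_has_order_l": ladder(L_CURVE, 9) == 0,
        "twist_point_has_twist_order": ladder(TWIST_COFACTOR * L_TWIST, u) == 0,
        "clamped_result_in_prime_subgroup": ladder(L_TWIST, ladder(clamped, u)) == 0,
        "unclamped_result_keeps_torsion": ladder(L_TWIST, ladder(unclamped, u)) != 0,
    }
```

Run `check_curve_generation_criteria()` and `twist_demo()` to see both halves: the first confirms the published orders satisfy the criterion, the second shows the consequence for an implementation that never validates its input point. If the twist cofactor did not divide the curve cofactor, the clamped scalar could leave a small-order component on the twist, which is the residue a twist attack exploits.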