Re: [Cfrg] A draft merging rpgecc and thecurve25519function.

[Adam Langley <agl@imperialviolet.org>]

On Thu, Jan 1, 2015 at 4:08 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
> Is it just me, or is this the draft I uploaded a couple weeks ago,
> plus typos, and a section about an algorithm that gets used only to
> have its result ignored?

Is "the draft I uploaded a couple weeks ago" referring to
draft-turner-thecurve25519function-01? If so, then somewhat yes. (The
only other draft I see from you is draft-ladd-spake2 but it's quite
possible that I've missed something in all the recent emails.)

However, I don't agree that the algorithm is simply ignored. It's
clearly important to some that the generation algorithm be explicit
and transparent. Yes, it's odd that at the end we have to do an
arbitrary isogeny but I think the motivation for that is clear and
it's a "safe" step (i.e. we can't have hidden anything dodgy in there
to my knowledge.)

The algorithm could be written to reflect how curve25519 was
developed: i.e. that it output a Montgomery curve and then the twisted
Edwards is the obvious isomorphism from there (if needed). That might
well be clearer if we don't recommend any other curves.

But dealing with Edwards curves and having the algorithm generate them
makes it easier if we recommend another, or in the optimistic scenario
that we also end up specifying a signature scheme.

As far as making the wording clearer: lots of rewriting is called for
*if* this draft isn't dead-on-arrival.

(As an aside: does the existing algorithm output Curve41417,
Goldilocks or E-521 when given the corresponding prime? I suspect not
for Curve41417 since the curve/twist cofactors are {8,8} not {4,4}.
Goldilocks might work though.)

> Should cat be a coauthor?

If there's anyone I've left out, I'll add them immediately. And if
anyone wants to move from the "credit" section to the list of authors
I'll do that too. (The reason for not listing people as authors is in
section 1.)


Cheers

AGL