IETF Logo Mail Archive

Re: [Cfrg] New names for draft-ladd-safecurves

Paul Lambert <paul@marvell.com> Tue, 21 January 2014 20:07 UTC

Return-Path: <paul@marvell.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DCF81A01EA for <cfrg@ietfa.amsl.com>; Tue, 21 Jan 2014 12:07:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.566
X-Spam-Level:
X-Spam-Status: No, score=-1.566 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ngaofe8rYjyg for <cfrg@ietfa.amsl.com>; Tue, 21 Jan 2014 12:06:59 -0800 (PST)
Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by ietfa.amsl.com (Postfix) with ESMTP id D1A2D1A01B9 for <cfrg@irtf.org>; Tue, 21 Jan 2014 12:06:58 -0800 (PST)
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id s0LK6o6e019027; Tue, 21 Jan 2014 12:06:50 -0800
Received: from sc-owa01.marvell.com ([199.233.58.136]) by mx0b-0016f401.pphosted.com with ESMTP id 1hfp05uymu-15 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Tue, 21 Jan 2014 12:06:50 -0800
Received: from SC-vEXCH2.marvell.com ([10.93.76.134]) by SC-OWA01.marvell.com ([10.93.76.21]) with mapi; Tue, 21 Jan 2014 12:06:45 -0800
From: Paul Lambert <paul@marvell.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 21 Jan 2014 12:06:44 -0800
Thread-Topic: [Cfrg] New names for draft-ladd-safecurves
Thread-Index: Ac8W5E8e/OtQBp1MRY2m8JxunZQerg==
Message-ID: <CF04120A.2CF06%paul@marvell.com>
References: <CACsn0ck02mnETBUfuyJjLV9K8Yuiki8_-RG0tVszL8BDhkK27w@mail.gmail.com> <6489F7D3-BF54-416F-94BE-64FD1CFCCB1E@callas.org> <CADMpkc+fxfXL8A21bGKgobKFvHxhQaiCEzROQmX4uH_73bgk1Q@mail.gmail.com> <CACsn0c=yrO5WiqshQ0z-eF+u1boyUYK5OQdr_XORXKTzJ7=KKA@mail.gmail.com> <CF03FB51.2CEE5%paul@marvell.com> <CACsn0c=n+jdJF3B_BJW8xpsbsJnQD-j9fQh_+ZVW-k9JiydDyg@mail.gmail.com>
In-Reply-To: <CACsn0c=n+jdJF3B_BJW8xpsbsJnQD-j9fQh_+ZVW-k9JiydDyg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_CF04120A2CF06paulmarvellcom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-01-21_07:2014-01-21, 2014-01-21, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1401210142
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Jon Callas <jon@callas.org>
Subject: Re: [Cfrg] New names for draft-ladd-safecurves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jan 2014 20:07:01 -0000


On Jan 21, 2014 10:30 AM, "Paul Lambert" <paul@marvell.com<mailto:paul@marvell.com>> wrote:
>
>
>
> On 1/21/14, 8:33 AM, "Watson Ladd" <watsonbladd@gmail.com<mailto:watsonbladd@gmail.com>> wrote:
>
> >On Tue, Jan 21, 2014 at 7:28 AM, Bodo Moeller <bmoeller@acm.org<mailto:bmoeller@acm.org>> wrote:
> >> Jon Callas <jon@callas.org<mailto:jon@callas.org>>:
> >>
> >>> I spent time talking to Dan and Tanja this weekend at ShmooCon about
> >>>this
> >>> sort of thing and I think that our agreement was that names like "Curve
> >>> 255-19" (which covers both Curve25519 and Ed25519) or "Curve 414-17"
> >>>(for
> >>> the curve formerly known as Curve3617) made sense.
>
> Two names would be better to differentiate between a Edwards or Montgomery
> based point representation for the same curve.
>
> WE also are working on the assumption that there are just one curve choice
> for a particular field size. We should provide a extensible naming scheme
> that would allow the later introduction additional options (e.g. Ed255
> would be #1 of that size and flavor).
>
Why would we need these other options? If you have a new curve it needs to look different to have a speed advantage. The security picture for ECC has been stable for decades now.

Your particular metrics for speed may not always the primary consideration for a system design. We should not be limiting diversity.

Clearing having two names for the Montgomery and Twisted Edwards version of a 'curve set' facilities the description of the processing and gives clarity in the point representation sent over a protocol.

Paul


> Paul
>
>
> >
> >My one concern which I've stated before is that we would then need a
> >single wire format for Curve25519 and Ed25519.
> >Robert Ransom's idea (sorry for the hijack) is the following: Suppose
> >Bv^2=u^3+Au^2+u is isogenous to ax^2+y^2=1+dx^2y^2, with the isogenies
> >u=(1+y)/(1-y), v=(1+y)/(1-y)x=ux. Then we represent points as u and
> >the sign of x.
> >
> >A=2(a+d)/(a-d)
> >B=4/(a-d).
> >
> >An implementation using the Montgomery ladder to multiply proceeds as
> >usual, using the fact that A is the reciprocal of a small integer
> >to rewrite the equations. It then reconstructs v (there is a fast
> >formula), and uses that to compute the sign of x. One using the
> >Edwards curves proceeds as usual, then inverts the isogeny to get u,
> >and uses x to get the sign bit.
> >The argument for this is we can specify all our curves in twisted
> >Edwards form with d small, a=+/-1, and life is nice for everyone.
> >Unfortunately Curve25519 doesn't fit this nice pattern, and people
> >want to use that exact curve. This form also involves a bit of extra
> >field math for everyone, even if they are all going to do ECDH or
> >Edwards addition afterwards, and so will want that form anyway. There
> >is also a problem of exceptional cases if a and d are nonsquares
> >modulo p for example.
> >
> >Have I rendered correctly the arguments for and against?
> >>
> >>
> >> Yes, it does. This would fix the single major flaw of Curve25519 --
> >> concatenating base-10 numbers to spell out a tuple just doesn't make
> >>sense
> >> (except as a trap, so that if anyone reads it out as "twenty-five
> >>thousand
> >> ..." you'll know they don't know what they're saying).  I also don't
> >>really
> >> like having whitespace in those names, so I'd prefer "Curve-255-19" over
> >> "Curve 255-19".
> >>
> >> ("Curve" isn't very descriptive, but I've yet to see a more descriptive
> >>name
> >> for this curve that is actually helpful.)
> >
> >NIST isn't useful either as a prefix, but we live with it.
> >Anyway, my view is whatever people want to call these they can call
> >them, bobo and kiki aside.
> >>
> >> Bodo
> >>
> >>
> >> _______________________________________________
> >> Cfrg mailing list
> >> Cfrg@irtf.org<mailto:Cfrg@irtf.org>
> >> http://www.irtf.org/mailman/listinfo/cfrg
> >>
> >
> >
> >
> >--
> >"Those who would give up Essential Liberty to purchase a little
> >Temporary Safety deserve neither  Liberty nor Safety."
> >-- Benjamin Franklin
> >_______________________________________________
> >Cfrg mailing list
> >Cfrg@irtf.org<mailto:Cfrg@irtf.org>
> >http://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email