Re: [Cfrg] New names for draft-ladd-safecurves

Watson Ladd <> Tue, 21 January 2014 16:33 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A6E6A1A0340 for <>; Tue, 21 Jan 2014 08:33:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zex9i4CN5oVB for <>; Tue, 21 Jan 2014 08:33:39 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c00::234]) by (Postfix) with ESMTP id 1AA761A0157 for <>; Tue, 21 Jan 2014 08:33:38 -0800 (PST)
Received: by with SMTP id b13so8091381wgh.31 for <>; Tue, 21 Jan 2014 08:33:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=F92RC6dOcpIcT4OLFIMGwAdtsNXuawNgw9OxsrRJP2E=; b=R176rHLrq0Pz9oCAVecahxIBwst38APIypdD6FFWYt9l6R0XoTMm+Rz/TgV4yD6BI7 P4t59l9sI++eKw49cHgsyXD02UGLqTYN02IX3A0GIx1/4rhfIDL2GFh75uTbK/KGRQ7a Or031STMUI0i6I/ewb83NKBwS0WxyWJSVVB7jEPzbG99+gGIIvbJyrWPuRV/mueF36mx zuugMkaLU2XQFmWkXIsNKInkw2nQbq/LF6hQA/mbHD23nrcLDdM6p6iyEyA7ISh3kE0j yE6ceKCegU+zqiPpcx8Z6PJf+YWBlJDIglObzRIqFo1TOcPnSxpizm7JVBmSoI+kl51l YUIw==
MIME-Version: 1.0
X-Received: by with SMTP id ub15mr15410615wib.44.1390322018207; Tue, 21 Jan 2014 08:33:38 -0800 (PST)
Received: by with HTTP; Tue, 21 Jan 2014 08:33:38 -0800 (PST)
In-Reply-To: <>
References: <> <> <>
Date: Tue, 21 Jan 2014 08:33:38 -0800
Message-ID: <>
From: Watson Ladd <>
To: Bodo Moeller <>
Content-Type: text/plain; charset=UTF-8
Cc: "" <>, Jon Callas <>
Subject: Re: [Cfrg] New names for draft-ladd-safecurves
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 21 Jan 2014 16:33:41 -0000

On Tue, Jan 21, 2014 at 7:28 AM, Bodo Moeller <> wrote:
> Jon Callas <>rg>:
>> I spent time talking to Dan and Tanja this weekend at ShmooCon about this
>> sort of thing and I think that our agreement was that names like "Curve
>> 255-19" (which covers both Curve25519 and Ed25519) or "Curve 414-17" (for
>> the curve formerly known as Curve3617) made sense.

My one concern which I've stated before is that we would then need a
single wire format for Curve25519 and Ed25519.
Robert Ransom's idea (sorry for the hijack) is the following: Suppose
Bv^2=u^3+Au^2+u is isogenous to ax^2+y^2=1+dx^2y^2, with the isogenies
u=(1+y)/(1-y), v=(1+y)/(1-y)x=ux. Then we represent points as u and
the sign of x.


An implementation using the Montgomery ladder to multiply proceeds as
usual, using the fact that A is the reciprocal of a small integer
to rewrite the equations. It then reconstructs v (there is a fast
formula), and uses that to compute the sign of x. One using the
Edwards curves proceeds as usual, then inverts the isogeny to get u,
and uses x to get the sign bit.
The argument for this is we can specify all our curves in twisted
Edwards form with d small, a=+/-1, and life is nice for everyone.
Unfortunately Curve25519 doesn't fit this nice pattern, and people
want to use that exact curve. This form also involves a bit of extra
field math for everyone, even if they are all going to do ECDH or
Edwards addition afterwards, and so will want that form anyway. There
is also a problem of exceptional cases if a and d are nonsquares
modulo p for example.

Have I rendered correctly the arguments for and against?
> Yes, it does. This would fix the single major flaw of Curve25519 --
> concatenating base-10 numbers to spell out a tuple just doesn't make sense
> (except as a trap, so that if anyone reads it out as "twenty-five thousand
> ..." you'll know they don't know what they're saying).  I also don't really
> like having whitespace in those names, so I'd prefer "Curve-255-19" over
> "Curve 255-19".
> ("Curve" isn't very descriptive, but I've yet to see a more descriptive name
> for this curve that is actually helpful.)

NIST isn't useful either as a prefix, but we live with it.
Anyway, my view is whatever people want to call these they can call
them, bobo and kiki aside.
> Bodo
> _______________________________________________
> Cfrg mailing list

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin