Re: [Cfrg] When's the decision?
Watson Ladd <watsonbladd@gmail.com> Tue, 07 October 2014 04:56 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FCA31A911E for <cfrg@ietfa.amsl.com>; Mon, 6 Oct 2014 21:56:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q2_4o00l_2Bq for <cfrg@ietfa.amsl.com>; Mon, 6 Oct 2014 21:56:57 -0700 (PDT)
Received: from mail-yh0-x22a.google.com (mail-yh0-x22a.google.com [IPv6:2607:f8b0:4002:c01::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C5211A911B for <cfrg@irtf.org>; Mon, 6 Oct 2014 21:56:57 -0700 (PDT)
Received: by mail-yh0-f42.google.com with SMTP id t59so2648692yho.15 for <cfrg@irtf.org>; Mon, 06 Oct 2014 21:56:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=ZOmymMqLHIFkPREPhyiAavzLjBKUYPPyJ3Xm2N04HoA=; b=sYngJq3wmqVZklVSz6sMEVfsW1+gjVoATfae4UlonfRPlAhDxKeRvx41VQuFju+2U5 XvNktY0wyMn9E7788ir0v4KhgPiOk/xMUwhNTtn+RJnZTaVWL/FclC5zg/2wwuCXXyLE 3tN9OyuwzJo7G/jA+Mz26Jd8VjyKWIznncfns+0Rt8YlHxeL1t18rQguQsB456JV5kxW obhvDhuvQ77SkEiJA/ixmknb0yNM3Lpqwa304+sykYtkx1IJSPgrnoTIZ7lOnynMWo/q G/vwRLeC3R1tKGfTJN9KfvEd2kKIUHIDEV0TcJ/qPhkRwLdhQOHwf5GeDDzN9emG2k5y AOAA==
MIME-Version: 1.0
X-Received: by 10.236.35.116 with SMTP id t80mr2093468yha.49.1412657816618; Mon, 06 Oct 2014 21:56:56 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Mon, 6 Oct 2014 21:56:56 -0700 (PDT)
In-Reply-To: <5433671E.9080308@sbcglobal.net>
References: <CACsn0cnHDc6_jWf1mXc5kQgj5XEc6dBBZa7K8D2=4uLti5e3aA@mail.gmail.com> <3EE5AEA5-3ADE-4D67-AC51-478074349D1B@gmail.com> <5432BBF1.5060003@cs.tcd.ie> <CACsn0cmwJh295=R8Ns3Y01UTLBwoQAg5g_PB=yN6nJUCYxgqnw@mail.gmail.com> <5433671E.9080308@sbcglobal.net>
Date: Mon, 06 Oct 2014 21:56:56 -0700
Message-ID: <CACsn0cm8-V6D0E_B_x8c91nQeKkdnrzGO3Azkm+Y02zFJ8AWWw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: David Jacobson <dmjacobson@sbcglobal.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/SxZ2rc9XGeVojD5VvMAbEK0dqJ8
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] When's the decision?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Oct 2014 04:56:59 -0000
On Mon, Oct 6, 2014 at 9:07 PM, David Jacobson <dmjacobson@sbcglobal.net> wrote: > On 10/6/14, 4:28 PM, Watson Ladd wrote: > > > On Oct 6, 2014 8:57 AM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote: >> >> >> Hiya, >> >> On 06/10/14 16:53, Yoav Nir wrote: >> > They’re all good enough >> >> Tend to agree. But CFRG, pretty-please don't pick them all! > > This ignores the significance of choices such as which coordinates to use on > the wire, whether to use compression, and which signature scheme to use. > > These are not make or break items, and any curve could be used several ways, > but these issues do not go away with the choice of curve. >> >> If you do we'll just have to pick elsewhere (e.g. saag or >> specific IETF wgs) with less clue immediately involved. > > Agreed: the buck stops here. >> >> S. >> > > > I've implemented elliptic curve systems quite a few times. But never with > compression. (The patent just expired.) Could someone with experience > implementing compression and with the short list of candidates, comment, for > each curve, on how much of a hassle compression is to write, how much it > expands the code, and how much it slows down the computation? Huh? The choice of formula doesn't have much of an impact. For any prime not 1 mod 8, a single square root is pretty quick: equivalent to a single modular exponentiation. Compression doesn't add much time. Montgomery form never needs compression: the question is whether Edwards points should be compressed. This reduces the size of signatures, but isn't as critical for security as compression/validation of points for use in ECDH. The code bloat is another addition chain, but you can probably take advantage of the relation between (p+1)/4 and p-1 when code size is a concern. Sincerely, Watson Ladd > > If the hassle, code bloat, and slowdown are minor, I suggest we just do > compressed. (Rationale: Compression is always a win so do compressed. > Keep it simple---no options) > > If the hassle, code bloat, or slowdown are considerable, I suggest we > require uncompressed and make compressed optional. (Rationale: Compression > is sometimes a win, e.g. for applications were bits on the wire are > precious, and sometimes a lose. For guaranteed interoperability there > should be one variant that is always there, and that one should be the > simpler, smaller.) > > This probably interacts with the on-the-wire representation. That will make > the deciding a bit harder, but such is life. > > --David Jacobson > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [Cfrg] When's the decision? Watson Ladd
- Re: [Cfrg] When's the decision? Yoav Nir
- Re: [Cfrg] When's the decision? Stephen Farrell
- Re: [Cfrg] When's the decision? Watson Ladd
- Re: [Cfrg] When's the decision? David Jacobson
- Re: [Cfrg] When's the decision? Watson Ladd
- Re: [Cfrg] When's the decision? Michael Hamburg
- Re: [Cfrg] When's the decision? David Jacobson
- Re: [Cfrg] When's the decision? D. J. Bernstein
- [Cfrg] Publicly verifiable benchmarks D. J. Bernstein
- Re: [Cfrg] When's the decision? Parkinson, Sean
- Re: [Cfrg] When's the decision? Watson Ladd
- Re: [Cfrg] When's the decision? Parkinson, Sean
- Re: [Cfrg] When's the decision? Mike Hamburg
- Re: [Cfrg] When's the decision? Parkinson, Sean
- Re: [Cfrg] When's the decision? Phillip Hallam-Baker
- Re: [Cfrg] When's the decision? Mike Hamburg
- Re: [Cfrg] When's the decision? Parkinson, Sean
- Re: [Cfrg] Publicly verifiable benchmarks David Jacobson
- Re: [Cfrg] Publicly verifiable benchmarks Michael Hamburg
- Re: [Cfrg] Publicly verifiable benchmarks Andrey Jivsov
- Re: [Cfrg] Publicly verifiable benchmarks Watson Ladd
- Re: [Cfrg] Publicly verifiable benchmarks Parkinson, Sean
- Re: [Cfrg] Publicly verifiable benchmarks D. J. Bernstein
- Re: [Cfrg] Publicly verifiable benchmarks Michael Hamburg
- [Cfrg] Constant-time implementations D. J. Bernstein
- Re: [Cfrg] Constant-time implementations David Jacobson
- Re: [Cfrg] Constant-time implementations Adam Langley
- Re: [Cfrg] Constant-time implementations Yoav Nir
- Re: [Cfrg] Constant-time implementations Watson Ladd
- Re: [Cfrg] Constant-time implementations Mike Hamburg
- Re: [Cfrg] When's the decision? Paterson, Kenny
- Re: [Cfrg] When's the decision? Parkinson, Sean
- Re: [Cfrg] When's the decision? Ilari Liusvaara
- Re: [Cfrg] When's the decision? Yoav Nir
- [Cfrg] ed448goldilocks vs. numsp384t1 and numsp51… D. J. Bernstein
- Re: [Cfrg] ed448goldilocks vs. numsp384t1 and num… Ilari Liusvaara
- Re: [Cfrg] ed448goldilocks vs. numsp384t1 and num… Michael Hamburg
- Re: [Cfrg] ed448goldilocks vs. numsp384t1 and num… Ilari Liusvaara
- Re: [Cfrg] ed448goldilocks vs. numsp384t1 and num… Michael Hamburg