Re: [Cfrg] Summary

Watson Ladd <> Thu, 01 January 2015 15:50 UTC

Date: Thu, 01 Jan 2015 10:50:49 -0500
From: Watson Ladd <>
To: Kurt Roeckx <>
Subject: Re: [Cfrg] Summary

On Thu, Jan 1, 2015 at 9:49 AM, Kurt Roeckx <> wrote:
> Hi,
> I'm new to this list and I've been reading the archive.  It's all
> very unclear to me on what is really going on.  Could someone
> please make a summary?  It should probably include:
> - What are the things being worked on?  I understand that at least
>   part is recommending things for use in TLS, but I guess there
>   are also other things being worked on.

The curves issue is really the big one, and the drastically overdue
one. I would suggest not trying to follow the discussion through the

> - What are the various proposals?  The IETF datatracker doesn't
>   seem to know all proposals, and I think there are proposals
>   that just don't have a document yet.

Good question: the answer is that at the 255 bit level, for ECDH the
current proposals are both Curve25519. But one uses the same basepoint
as existing code, and the other doesn't. This difference doesn't
affect security in any way. It's the only difference.

Above 255 bits, life gets more interesting. Assuming we want to use
X-coordinate Montgomery (sorry Mike) for ECDH and compressed Edwards
for sigs, we've got 3 or 4 different proposals for around 380, and 1
for 521.

-For 521 it's E521 as described on, the prime being 2^521-1
-2^389-21: I've not calculated the curve yet, but I think Ilari may have
-2^384-317: the NUMS proposal
-2^448-2^224-1: Goldilocks, which has extremely fast arithmetic due to
its shape.

We don't have exactly equivalent numbers for each of these: some
report scalar mult times, others arith times. But what we do know from
the recent batch of measurements is Goldilocks is about as fast as
2^384-17, and 2^389-21 is 8-9% faster than Goldilocks. 2^521-1 is
slower, but much bigger.

For signatures, NUMS proposes what I've called FrankenECDSA, and they
call ECDSA (but which isn't really): doing ECDSA but with Edwards curves.
The other proposal is EdDSA, which is a Schnorr signature variant.
NUMS has been open to an additional signature algorithm, and we can
use ECDSA on an isomorphic Weierstrass curve if we really want. There
are some differences over which of the isogenous or isomorphic Edwards
curve to use, with NUMS using an isogenous one and the current Ed25519
an isomorphic one.

This is very different from the original NUMS proposal.

> - Is there some document with requirements, and maybe a comparison
>   of how the proposals meet the requirements?

No. The chairs suggested making one, but then didn't. Part of the
problem is everyone was gaming the requirements to make their own
proposals look better.

Watson Ladd

> Kurt

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin