[Cfrg] Status of draft-ladd-safecurves-03
Watson Ladd <watsonbladd@gmail.com> Fri, 28 February 2014 16:26 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C1611A00FF for <cfrg@ietfa.amsl.com>; Fri, 28 Feb 2014 08:26:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6jUsIFdgub24 for <cfrg@ietfa.amsl.com>; Fri, 28 Feb 2014 08:26:04 -0800 (PST)
Received: from mail-yk0-x22b.google.com (mail-yk0-x22b.google.com [IPv6:2607:f8b0:4002:c07::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 380851A00EF for <cfrg@irtf.org>; Fri, 28 Feb 2014 08:26:04 -0800 (PST)
Received: by mail-yk0-f171.google.com with SMTP id q9so2458097ykb.2 for <cfrg@irtf.org>; Fri, 28 Feb 2014 08:26:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=m5DWVRd7nDdYtKIbrMMpOKU0VA4Oi08+FdQBz3zV+CI=; b=LkFeeC2OrLnDRSsi+XhrwuBFRuQJEO+LC6c5gdM14VOYlDe4b+1Y/DsRjui4WuaMKc LAbcJWjVJXXA6aXIlYcUhh9LMgtU3giwkJp/dKWn13T85alibWpssnS6XqJjZwgkICwd RYnrQ94gPfJc/V10DYQAjHa8Ggow8E7oEl9BG8gVw7P+WyLDoq5blIMHxjAIPW0KNqcf 2GjkqEQYzzGlrMh55nRCo2lYzqyfKbSaY0eclu/vr7D+qdNvFeZEFSVzXYOGX0k9vD/X sRGj3KPNQT7dDdbkypbJj/9mzkWGCxbVcfLgcwpH6Jo7t3k6rlFxvU2lJSqDhHJ+r2hA Xj5g==
MIME-Version: 1.0
X-Received: by 10.236.7.84 with SMTP id 60mr2781705yho.107.1393604762041; Fri, 28 Feb 2014 08:26:02 -0800 (PST)
Received: by 10.170.92.85 with HTTP; Fri, 28 Feb 2014 08:26:02 -0800 (PST)
Date: Fri, 28 Feb 2014 08:26:02 -0800
Message-ID: <CACsn0cnZJJQFmd1QQYs054t=v0V61Y_UH9-K2vOu1OEhfyxKcw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/VsBru3hwxqE9YKZWMX3VPOvpRAc
Subject: [Cfrg] Status of draft-ladd-safecurves-03
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Feb 2014 16:26:07 -0000
Dear all, Currently we do not know what point format to use if we want a unified one . Robert Ransom has a suggestion for one which is somewhat reasonable, but I still need to dig up formulas, check they work, etc to put it into the draft. Anyone can send me a diff if they so desire. The endianness issue is as stupid as it is important: I'm not attached to big endian and can change it if there is consensus, but given that IETF protocols use big-endian all the time, I was hesitant to do so. (There is also a private key coding issue with existing implementations) Some proposed representations aren't total: I really don't like that. We also need to reduce the number of curves. These are the technical issues I can deal with. The name and formatting have generated a vast amount of unimportant controversy, and I have zero desire to encourage the propagation of this fencepainting. Hex v. dec is somewhat more reasonable, except my favorite CAS for number theory doesn't support hex. Someday I suppose I'll switch to Sage. The major issue from a non-normative perspective is that people want pseudocode that implements the algorithms safely, or an explanation of how to do DH in groups with large prime order subgroups. Fine, I'll add it. The explanation of signatures wasn't going to be a part of this draft: I wanted it to be in a separate document. The bigger problem is people want things like "these curves aren't Weierstrass curves" or "here is the double-and-add formula found in every elementary book on computation". I've added much of this, but 1) it's completely non-normative, and 2) you should know it already if you are an implementor. Lastly, just because this says encoding should be done one way, nothing stops a protocol from doing it another way for whatever reasons. I don't see why we should consider things like existing implementations etc. here, when they can be considered much closer to the pointy end where other considerations show up. In particular Elligator has not featured in this draft, but some protocols will want to use it. Sincerely, Watson Ladd
- [Cfrg] Status of draft-ladd-safecurves-03 Watson Ladd