Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]

Alyssa Rowan <akr@akr.io> Thu, 27 November 2014 07:54 UTC

Return-Path: <akr@akr.io>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7508D1A879D for <cfrg@ietfa.amsl.com>; Wed, 26 Nov 2014 23:54:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d8QziukSEqXA for <cfrg@ietfa.amsl.com>; Wed, 26 Nov 2014 23:54:46 -0800 (PST)
Received: from entima.net (entima.net [78.129.143.175]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 024EE1A00F2 for <cfrg@irtf.org>; Wed, 26 Nov 2014 23:54:45 -0800 (PST)
In-Reply-To: <CAMfhd9XxkZsVPMcevWOgvvqbBK0JqLVCGBYfwWu0QFO5rsfbJQ@mail.gmail.com>
References: <CA+Vbu7xvvfRWyqyE9sqU7VbjzNQZp+DwRWjaV3Lw0hjLr8ye1A@mail.gmail.com> <5476CB73.7090206@akr.io> <CAMfhd9XxkZsVPMcevWOgvvqbBK0JqLVCGBYfwWu0QFO5rsfbJQ@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
From: Alyssa Rowan <akr@akr.io>
Date: Thu, 27 Nov 2014 07:54:45 +0000
To: Adam Langley <agl@imperialviolet.org>
Message-ID: <68E73FEE-8598-48B3-8A27-50AB63AB9079@akr.io>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Wo5z3zYvgGLtjpCBTCmQBFYznZc
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Nov 2014 07:54:47 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 27 November 2014 07:22:34 GMT+00:00, Adam Langley <agl@imperialviolet.org>; wrote:

>> I note that if you run your algorithm on 2^521-1 you get E-521. If you ran it on 2^255-19, why didn't you get the twisted Edwards form of Curve25519? Kindly elucidate your objections to the same.
>As djb noted in the curve25519 paper[1], the A value for curve25519 is
>not minimal. draft-black-rpgecc-00 finds a curve isogenous to the
>minimal A. The minimal (and second minimal) value was originally
>rejected because, when generating private keys, there's a possibility
>of generating a multiple of the order. This can be taken care of with
>(I think) a single memcmp, although I need to confirm that just one is
>sufficient when I'm back home.

Yes,  that's just what I thought.

As the greater value of A used in Curve25519 produces a simpler secure implementation with no weak private keys to check for, and that is the only big difference between Curve25519 and this proposal, I should prefer Curve25519 according to our selection criteria. Why *not* that, then?

- --
/akr
-----BEGIN PGP SIGNATURE-----
Version: APG v1.1.1

iQI3BAEBCgAhBQJUdtjFGhxBbHlzc2EgUm93YW4gPGFrckBha3IuaW8+AAoJEOyE
jtkWi2t6tWoQAKSas/6p0zTN5Xr6IDMZCl0Qa48SZCeDJGBa4qhndGMW1ekVsfyN
9jHvNcsI0enX/29RvNV22CVfez4yZ4XlwdL+HRCYh/VlcXzNOfaLluPPM5LUgh7f
L19mUtufBSRblxc3bn0X7f/4hPUUQvDii8pK0kATsYXTa9k2n9d917eS/WE5xXJT
2rkuXuuzIb5mOTeFQVxH1zZdCqz1ZhRjvIFai2m1iNxKjpoVxdGe8QouhFQ3kLdg
x2Znqe3zIxmEy03he1FmU0QCavIp15JiPszaKuoMIvmzp96CnemqCMenUaIXV8pF
Nhnga0IrXMyvSGmK2iu6I5dog1FkhevPzRucUsXfhpvXM1nNOJ5DMubtFrje2HCp
t45BK54idv7nxH+ALOGjvbKrVSo+zxBvku9qLkvOkVSVmViTRKSzMAeu0ii22ZQb
bRy/3iCEUoqUp5RiJdstcrTpMgtwfmqWX1s671J3nj3an/7DEWl186mkPsHtt7Zy
beqNeZAAgpMFQm4j+QDrviwHjurhoghz1QdTahzbIqCyXGT4/hthO43nSujoPxSW
ps3pFrAHTH9/DCB3pcBlp9euIrbvpNPkhPVu4zFNj1wu0oNbvulsPc1i2RB0oBCd
LcofuSTvXeVxixLrHwPVtVoZJDU7syhuIeEECRoJdxk9ohXyH8th8Ner
=+GT/
-----END PGP SIGNATURE-----