Re: [Cfrg] Safecurves draft

Robert Ransom <rransom.8774@gmail.com> Fri, 10 January 2014 02:43 UTC

Return-Path: <rransom.8774@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D7AF1ADFA5 for <cfrg@ietfa.amsl.com>; Thu, 9 Jan 2014 18:43:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WBZrnzkoB4rI for <cfrg@ietfa.amsl.com>; Thu, 9 Jan 2014 18:43:07 -0800 (PST)
Received: from mail-qe0-x22d.google.com (mail-qe0-x22d.google.com [IPv6:2607:f8b0:400d:c02::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 14F771ADF89 for <cfrg@irtf.org>; Thu, 9 Jan 2014 18:43:06 -0800 (PST)
Received: by mail-qe0-f45.google.com with SMTP id 6so3990329qea.32 for <cfrg@irtf.org>; Thu, 09 Jan 2014 18:42:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=TDxYc0cXdPMRjO+zlCHog6pnO/7OU8iNFcd6OEyDNSU=; b=fqaajQwFAd6qsO2fRrVnpRE3it15Lp+uW4qDVS6uwz5BjUhMwQYWk0AuJG2PJ0FfH2 PxNiKYGqmm9pOzM+lDARhaeS5DdLSxfMOL8fdufIPl7mhzSvaPYYIsBF96yufJ6kDV+B UjfDP1R75W2pnjV+89lN14RF0volzzqk6Fa1cvWjxmzL6YLx2TkUG+ohD9iGb3QzG1XM 6D7NIuO/i67P1lv6RI/15hpZ5qjP7hI+jsGjHbiguUVcFJwEMVs0HucKIccUL4TWrlD7 bYvkOeZ+n785jt6t7xB2m/Kxr7wKVzvVUM0c0j1EfvDJs25ctq3DOgJsWTW03Um/qtuQ MQAw==
MIME-Version: 1.0
X-Received: by 10.224.2.6 with SMTP id 6mr2211777qah.12.1389321777184; Thu, 09 Jan 2014 18:42:57 -0800 (PST)
Received: by 10.229.181.132 with HTTP; Thu, 9 Jan 2014 18:42:57 -0800 (PST)
In-Reply-To: <B29AD107-69D0-4EF5-9D5B-137C1E333AEA@shiftleft.org>
References: <20140109031144.6111382.52184.8264@certicom.com> <20140109094731.GA12327@netbook.cypherspace.org> <CADMpkc+giuSZgrYmusRJmj5SyN9Dcu_Mdaqx5KQPyXGMmosFUw@mail.gmail.com> <CABqy+soXxjY+fEzpHP+_yn9Y1Xtapm_9OWbgDcA_J_Lukz_YLw@mail.gmail.com> <CADMpkcJFk2C5DPQX9RVWphUH25atsUX2vPA7RwNf8zbmR6dXJQ@mail.gmail.com> <CABqy+soX0xVWG0+vJs-_7O1Ur_hkDW0u0acCGZYrrtEci5QRXw@mail.gmail.com> <CADMpkcKptQrtXyaarkXiMpRyGmobEcywbTeTkkcb6uWB-yttwg@mail.gmail.com> <B29AD107-69D0-4EF5-9D5B-137C1E333AEA@shiftleft.org>
Date: Thu, 9 Jan 2014 18:42:57 -0800
Message-ID: <CABqy+srqeZx+bPtmxGMKhb1V6Kbs9mBZTzKn3=CnEZ2fJ8HR7A@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Mike Hamburg <mike@shiftleft.org>
Content-Type: text/plain; charset=UTF-8
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Safecurves draft
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2014 02:43:08 -0000

On 1/9/14, Mike Hamburg <mike@shiftleft.org> wrote:

> I wonder, though, if the standard encoding of the spec should have the sign
> of the y-coordinate.  That way if we want to use the format for something
> other than ECDH -- signatures or PAKE or whatever -- we won't have to
> specify a new encoding.

I've implemented some routines that generate and use Curve25519 keys
represented as the Montgomery-form x coordinate, with the high bit
used to transmit the sign bit of the Edwards-form x coordinate.

I would still recommend distinguishing the case where the party who
generated the key did not compute the sign bit from the case where
that party did compute the sign bit, and the sign bit was 0.  That
calls for two point formats (or three if anyone wants an uncompressed
point with the whole Edwards-form x coordinate).


Robert Ransom