Re: [Cfrg] Chopping out curves

Alyssa Rowan <akr@akr.io> Fri, 17 January 2014 07:42 UTC

From: Alyssa Rowan <akr@akr.io>
To: cfrg@irtf.org
Date: Fri, 17 Jan 2014 07:41:53 +0000
Subject: Re: [Cfrg] Chopping out curves
Message-ID: <52D8DEC1.9060805@akr.io>
In-Reply-To: <20140117023629.GA4435@netbook.cypherspace.org>


On 17/01/2014 02:36, Adam Back wrote:

> Uh I meant the Curve25519 and Curve3617.

We have three key sizes for AES, and three hash sizes with SHA-2 and
SHA-3 (and the candidates).

I propose:
• curve25519 (plus twist t25519)
• curve3617
• e521

That gives us three curves with strength roughly congruent to the 128,
192 and 256 key sizes, and about as good performance as we're going to
get for those levels.

curve25519 is likely to be used for high-performance ECDH; its twist
is likely to be used for high-performance encryption and signing.

curve3617 seems likely to be used for higher-assurance encryption and
signing (Silent Circle intends to use it, for one).

e521 is slower, but very conservative - maybe you'd want to use it for
very careful signatures or encryption; the prime field is of course a
well-known Mersenne prime people are already used to (thanks to
secp521r1), and it's so rigid, three people came up with the
parameters independently.

I wouldn't cry a river if we dropped e521 from that list.

Those are, I think, the two or three that applications are most likely
to actually want to use in practice.


Regarding the t25519 basepoint, the argument for using the ed25519
basepoint is that it's already out there and thus already rigid, but
yes, it is ugly.

If you do choose a new basepoint, Watson (and I can see the sense in
that), please rigidly document the choice criteria so the decision can
be independently verified and confirmed (minimal y, right?).

I haven't had my first cup of tea yet today, so I apologise if I'm
wrong, but I believe any new basepoint would need to go through the
SafeCurve verification tests again, because ℓ would change? - run it
yourself for sanity checking, and please post the source files on the
list so we can use Sage or something to verify it too, but please also
speak to Tanja and djb about that to get wider verification.

-- 
/akr
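The message above asks that any new basepoint be chosen by a documented rule ("minimal y") and that the choice be re-verified, in particular that the point really has the prime order ℓ. The following is an added example, not code from the original message or from any of the projects it names. It implements Ed25519-style twisted Edwards arithmetic in pure Python (slow affine formulas, chosen for readability), checks that the standard Ed25519 basepoint (y = 4/5) has order ℓ, and then runs a search under one assumed reading of the rigid rule: the smallest integer y for which the point with even x has order exactly ℓ. That reading of "minimal y", the function names, and the `max_y` search bound are assumptions of this example; the curve constants are the published Ed25519 parameters.

```python
# Added example (not part of the original mailing-list post): verifying an
# Ed25519-style basepoint and running a "smallest y" rigid basepoint search.
# Curve: -x^2 + y^2 = 1 + d*x^2*y^2 over GF(2^255 - 19), group order 8*l.
# Assumption for the search: "minimal y" means the smallest y whose even-x
# point has prime order l. Affine arithmetic with field inversions: slow
# but easy to audit.

P = 2**255 - 19                                          # field prime
D = (-121665 * pow(121666, P - 2, P)) % P                # Edwards d
ELL = 2**252 + 27742317777372353535851937790883648493    # prime order l
COFACTOR = 8                                             # #E(GF(p)) = 8 * l
IDENTITY = (0, 1)                                        # neutral element
SQRT_M1 = pow(2, (P - 1) // 4, P)                        # sqrt(-1); P = 5 mod 8


def inv(a):
    """Modular inverse via Fermat; inv(0) is never needed on a complete curve."""
    return pow(a, P - 2, P)


def is_on_curve(pt):
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def recover_even_x(y):
    """Return the even x with (x, y) on the curve, or None if no such point."""
    xx = (y * y - 1) * inv((D * y * y + 1) % P) % P
    x = pow(xx, (P + 3) // 8, P)          # candidate root for p = 5 (mod 8)
    if (x * x - xx) % P != 0:
        x = (x * SQRT_M1) % P             # second candidate
    if (x * x - xx) % P != 0:
        return None                       # xx is a non-residue: no point here
    x = x if x % 2 == 0 else P - x
    return x if is_on_curve((x, y)) else None


def add(p1, p2):
    """Complete twisted Edwards addition (a = -1); also used for doubling."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * inv((1 + t) % P) % P
    y3 = (y1 * y2 + x1 * x2) * inv((1 - t) % P) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Plain double-and-add; not constant-time, which is fine for verification."""
    result, addend = IDENTITY, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def has_prime_order(pt):
    """True iff pt != identity and l * pt == identity (l is prime)."""
    return pt != IDENTITY and scalar_mult(ELL, pt) == IDENTITY


def ed25519_basepoint():
    """The published Ed25519 basepoint: y = 4/5 mod p, x even."""
    y = 4 * inv(5) % P
    return (recover_even_x(y), y)


def smallest_y_basepoint(max_y=2000):
    """Assumed rigid rule: smallest y >= 2 whose even-x point has order l.

    y = 1 is the identity and is skipped. About half of all y lie on the
    curve and about 1/8 of those points have order exactly l, so the search
    normally ends within a few dozen candidates; None means the bound was hit.
    """
    for y in range(2, max_y):
        x = recover_even_x(y)
        if x is None:
            continue
        pt = (x, y)
        if has_prime_order(pt):
            return pt
    return None


if __name__ == "__main__":
    B = ed25519_basepoint()
    print("Ed25519 basepoint on curve:", is_on_curve(B))
    print("Ed25519 basepoint has order l:", has_prime_order(B))
    Q = smallest_y_basepoint()
    print("smallest-y point of order l:", Q)
    print("8*l kills it (group order check):",
          scalar_mult(COFACTOR * ELL, Q) == IDENTITY)
```

Run as a script it reports whether the published basepoint passes the order check and which small y the assumed rule would select; the point is that both the criterion and the check are reproducible from the constants alone, which is what the message asks for. Recovering x from y with the two-candidate square root is the same decoding step signature verifiers perform, so a point that fails `is_on_curve` here would also be rejected by a conforming decoder.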