Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]

Alyssa Rowan <akr@akr.io> Thu, 27 November 2014 09:19 UTC

Return-Path: <akr@akr.io>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EE6E1A0065 for <cfrg@ietfa.amsl.com>; Thu, 27 Nov 2014 01:19:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t9PGf7yFInd7 for <cfrg@ietfa.amsl.com>; Thu, 27 Nov 2014 01:19:13 -0800 (PST)
Received: from entima.net (entima.net [78.129.143.175]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3C261A0007 for <cfrg@irtf.org>; Thu, 27 Nov 2014 01:19:12 -0800 (PST)
In-Reply-To: <5476DD79.3000509@shiftleft.org>
References: <CA+Vbu7xvvfRWyqyE9sqU7VbjzNQZp+DwRWjaV3Lw0hjLr8ye1A@mail.gmail.com> <5476CB73.7090206@akr.io> <CAMfhd9XxkZsVPMcevWOgvvqbBK0JqLVCGBYfwWu0QFO5rsfbJQ@mail.gmail.com> <68E73FEE-8598-48B3-8A27-50AB63AB9079@akr.io> <5476DD79.3000509@shiftleft.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
From: Alyssa Rowan <akr@akr.io>
Date: Thu, 27 Nov 2014 09:19:10 +0000
To: Mike Hamburg <mike@shiftleft.org>,Adam Langley <agl@imperialviolet.org>
Message-ID: <32360AA7-C672-41AF-99E8-6487FD0372E1@akr.io>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/YcTStigoOFxqiAhCbkl7PjeIvgw
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Nov 2014 09:19:15 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 27 November 2014 08:14:49 GMT+00:00, Mike Hamburg <mike@shiftleft.org>; wrote:
>> Why *not* [Curve25519], then?
>Ask anyone who's implemented ECDSA on NIST-P160 :-)

Yes, I think the first question I'd ask anyone who did that would also be: "why?" :)

>Curve25519 has no weak keys because its order is 2^252+O(2^126), i.e. slightly over a power of 2.  Many curve generation procedures specify that the order must be slightly under a power of 2 rather than slightly over, because that also has advantages.

...this curve generation procedure doesn't, so that's a bit of a stretch.

We'll need to weigh advantages (MQV? Not exactly a key-exchange frontrunner anymore... When does the FHMQV patent expire again? I prefer Axolotl's approach) against disadvantages (such as the https://xkcd.com/927/ point, given Curve25519 already achieved pretty wide adoption while we dithered).

It almost matches Curve25519, and the reasoning for it not matching is weak: the value of convergence for consensus and rigidity is far greater than the value of differing for just this reason, in my mind.

It does seem like a sensible way of generating the ultra-strong security curve, certainly, to me. What happens if we constrain 2^x-n to n<32 for efficiency reasons, x=384 and step x upwards until this criteria is met? How similar is that to djb's Curve41417? Is Curve41417 faster than this... I suppose it'd be rpg384r1 curve?

- --
/akr
-----BEGIN PGP SIGNATURE-----
Version: APG v1.1.1

iQI3BAEBCgAhBQJUduyOGhxBbHlzc2EgUm93YW4gPGFrckBha3IuaW8+AAoJEOyE
jtkWi2t6EjUQAJdY20o1n1ZquPNtG9Rq/ImAxIlO+neYOaG98J56yZ+lHTIINM22
Ue2Jnn90MJa4UgN7xEqkpOnAfnsnN35SnRQJAn/px6a3YzMYuPK4RWsT5yGSpwuT
ZhQ9q1sC4IjWPR+nme4iCJZTe+qoWc1BayDqjygqFb7ziBIa1MBZ6TmN1Ib0rpCz
SSH2YWpXJLE8KhL0YY0OfY5KIJnGnRugXsBADlQohuqZ00FLmyUpUw11OMW9JMAH
BtRNb+HILj5J6JJLkqJkI8pCaY+2bMcwdV93jN2tei6w8yI7W496coR/ZxG8mjDw
f3T5ItLA0gLfxDhpCSuPu3Db6yn/IKDY6fWDKyJxjl/aBc71MtmQWClmFpatMxcu
6b02Ne6XvkDRzaKc3Z5ZqYJSvRCKAIQhg8dv9W9mYDUoYjEWDST87EApQW+ObFqC
EQyNVI06aHbHxFzoMIAgxL7ee/BkU/cz6QKvyiXDTiEJovP0WSlG8jhNT/FuyeNP
LVObm0+OYv0n5T9A/5pdyAJ2pO0b3QnZx0qsNy/IppuYOusy/xocezobTvpNaQel
EgicghGmi53SSSmDlxKPumqqKDzabJqVxlu93E8guIi0OU2zIePkRycXqlAa3yy+
NnA7wL+d2ZN/a0DKyFvJWg+QNd331Z0pfUr1LDzyIVDHYEFnQj4wL1FE
=T/wx
-----END PGP SIGNATURE-----