Re: [Cfrg] Suggestions for draft-irtf-cfrg-curves-01.txt

Evgeny Alekseev <eamsucmc@gmail.com> Mon, 02 February 2015 15:07 UTC

Date: Mon, 02 Feb 2015 18:07:27 +0300
Message-ID: <CAOVPyjxPUhF1mK9C3vEbM4ABxW0P46Wi7JxQSbFRF01i45WmQg@mail.gmail.com>
From: Evgeny Alekseev <eamsucmc@gmail.com>
To: cfrg@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/YrswZKSG0uiZaDMxWyh3Phbln9w>
Subject: Re: [Cfrg] Suggestions for draft-irtf-cfrg-curves-01.txt

Stanislav V. Smyshlyaev wrote:

> Dear colleagues,
>
> We would like you to consider several proposals on the latest variant of
> the draft (draft-irtf-cfrg-curves-01).
>
> 1) In our opinion, some important clarifications have to be made
> explicitly in the document, though the needed references are given.
>  a) In Section 3.3 declare explicitly what "r" denotes.
>  b) In Section 5 mention explicitly the Schoof–Elkies–Atkin algorithm as the
> algorithm used to calculate the number of curve points, or even fully cite it
> there.
>  c) Add an explicit description of the algorithms used to examine a curve for
> MOV-, CM- and twist-security, as well as the Frobenius trace calculation
> formula. Add a "perform checks" step to the algorithms proposed in Sections
> 5.1 and 5.2.
> 2) Select and add a higher-security curve (512- or 521-bit).
> 3) Add some explanations on the parameter d of the selected 255-bit
> curve (the current draft leaves open the question whether it is the first d to
> be returned by the 5.2 algorithm, and the reason for the choice if it is not).
> 4) Introduce a rigid base point generation algorithm (either the one
> that was proposed in the previous version of the draft or one using a
> cryptographic hash function). We consider that important to ensure the
> generated points could be safely used in applied protocols like
> password-based key establishment protocols (PAKE, EKE, PACE etc.) and RNGs
> like Dual EC DRBG.
>
>
> Best regards,
> Stanislav V. Smyshlyaev, Ph.D.,
> Head of Information Security Department,
> CryptoPro LLC


I agree with Stanislav Smyshlyaev's questions and suggestions about the
current draft version. I would like to draw attention to the 3rd remark. If
the answer to this question ("... whether it is the first d to be returned by
the 5.2 algorithm ...") is "no", then it turns out that extra requirements
that are not mentioned in the draft are implicitly applied to the curve.
Also, it seems strange that the recommended curve is not the one with the
smallest d, but the isogeny of this curve. I would also like to add that it
would be convenient if the recommended Edwards curve were included in the
document in the same way as the twisted Edwards curve.

Kind regards,
Evgeny Alekseev, Doctor of Philosophy,
Moscow State University, Faculty of Computational Mathematics and
Cybernetics
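As an added illustration of what point 4 of the quoted proposal asks for (a base point anyone can re-derive and verify rather than take on trust), here is a constructed Python sketch; it is not the draft's or either author's code. It assumes the Ed25519 parameters for the 255-bit twisted Edwards curve, SHA-512 over a label and a counter as the derivation function, and clears the cofactor before checking that the result lies in the prime-order subgroup.

```python
import hashlib

# Twisted Edwards curve -x^2 + y^2 = 1 + d*x^2*y^2 over GF(p) with the Ed25519
# parameters (an assumption here; the thread does not reproduce the draft's values).
p = 2**255 - 19
d = (-121665 * pow(121666, -1, p)) % p
L = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order
COFACTOR = 8
IDENTITY = (0, 1)

def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0

def add(P, Q):
    # Complete addition law for a = -1 (a square) and d a non-square.
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, p)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, p)
    return (x3 % p, y3 % p)

def mul(k, P):
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def x_from_y(y):
    # x^2 = (y^2 - 1) / (d*y^2 + 1); p = 5 (mod 8), so try x2^((p+3)/8) and
    # correct by sqrt(-1) = 2^((p-1)/4). Returns None when x^2 is a non-square.
    x2 = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p != 0:
        x = x * pow(2, (p - 1) // 4, p) % p
    return x if (x * x - x2) % p == 0 else None

def derive_base_point(label, max_tries=256):
    """Hash label||counter to a y-coordinate, lift to the curve, clear the
    cofactor and keep the first point of exact order L. Returns (counter, P)."""
    for ctr in range(max_tries):
        h = hashlib.sha512(label + ctr.to_bytes(4, "big")).digest()
        x = x_from_y(int.from_bytes(h[:32], "little") % p)
        if x is None:
            continue
        P = mul(COFACTOR, (x, int.from_bytes(h[:32], "little") % p))
        if P != IDENTITY and mul(L, P) == IDENTITY:
            return ctr, P
    return None
```

Because the counter is part of the output, a verifier re-runs the same loop and must land on the same point; any curve-specific "extra requirement" of the kind the 3rd remark worries about would have to be visible as an explicit rejection rule in this loop.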