Re: [Cfrg] Consensus and a way forward
Watson Ladd <watsonbladd@gmail.com> Thu, 27 November 2014 05:26 UTC
To: Benjamin Black <b@b3k.us>
Cc: cfrg@irtf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/_CgyaULbrYny45oWrYpVAwcMUyw
On Wed, Nov 26, 2014 at 8:25 PM, Benjamin Black <b@b3k.us> wrote:
> All,
>
> Over the past couple of weeks we have been working with Adam Langley to see
> if we could find a compromise with which we could all live. I'm pleased to
> say we have been successful in accommodating our respective performance and
> trustworthy generation concerns, and I hope the resulting proposal will be
> attractive to others, as well. The generation procedure is documented in a
> draft I've just posted that can be found at
> http://www.ietf.org/id/draft-black-rpgecc-00.txt .

This document doesn't address the most important questions:

1: What goes on the wire for ECDH? Montgomery points, points native to each
curve formula, or Weierstrass points?
2: How are signatures computed?
3: Clear bits, multiply by cofactors, or check group membership?
4: Point compression or no point compression?

Given that generators are recorded for a prime order subgroup, it would seem
that we are checking group membership, which will lead to the check being
omitted and resultant, albeit minor, security issues.

> The simplest summary is that we have combined the prime preferred by Adam
> and others at the 128-bit security level with the rigid parameter generation
> we view as essential for producing the most trustworthy curves. We have used
> the generation procedure to produce a new twisted Edwards curve based on
> 2^255 - 19 and a new Edwards curve based on 2^384 - 317. These new curves
> are given as test vectors in the draft, and are also given below.

Why 2^384-317 and not 2^383-31 or 2^389-21? This choice of prime really
pinches the allowable radixes for carry-free multiplication reduction, and
thus hurts efficiency, more than the 2^255-19 vs 2^256-189 decision at the
lower security level.

Far from being a simultaneous accommodation of the performance concerns and
the generation concerns, this is clearly horse trading, with performance
being given the choice of the 255 bit prime, and a similar improvement not
happening at the 384 bit prime.

> These 2 curves are sufficient for meeting the request from TLS. However, if
> there is strong interest in a 3rd curve for the 256-bit security level, the
> generation procedure gives the same curve with p = 2^521 - 1 as several teams
> produced.

Sincerely,
Watson Ladd

> b
>
> --
>
> 2^255 - 19
>
> p = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED
> d = 0x15E93
> r = 0x20000000000000000000000000000000016241E6093B2CE59B6B98FD8849FAF35
> x(P) = 0x3B7C1D83A0EF56F1355A0B5471E42537C26115EDE4C948391714C0F582AA22E2
> y(P) = 0x775BE0DEC362A16E78EFFE0FF4E35DA7E17B31DC1611475CB4BE1DA9A3E5A819
> h = 0x4
>
> 2^384 - 317
>
> p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEC3
> d = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD19F
> r = 0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE2471A1CB46BE1CF61E4555AAB35C87920B9DCC4E6A3897D
> x(P) = 0x61B111FB45A9266CC0B6A2129AE55DB5B30BF446E5BE4C005763FFA8F33163406FF292B16545941350D540E46C206BDE
> y(P) = 0x82983E67B9A6EEB08738B1A423B10DD716AD8274F1425F56830F98F7F645964B0072B0F946EC48DC9D8D03E1F0729392
> h = 0x4
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

--
"Those who would give up Essential Liberty to purchase a little Temporary
Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
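Question 3 above (clear bits, multiply by the cofactor, or check group membership) and the remark that a required membership check tends to get omitted are illustrated by the following added example. It is not code from draft-black-rpgecc-00 or from anyone on the list. Because the draft's twisted Edwards coefficient a is not quoted in this message, the example uses the public Ed25519 parameters over the same prime 2^255 - 19 (a = -1, cofactor 8) instead of the draft's curve; the private scalar and the low-order points are constructed for illustration, and the scalar multiplication is a plain double-and-add, not a constant-time implementation.

```python
"""Cofactor handling for ECDH on a twisted Edwards curve with a small cofactor.

Constructed example (not from draft-black-rpgecc-00 or from the list): it uses
the public Ed25519 parameters over p = 2^255 - 19 (a = -1, cofactor 8) and
compares the three options named in the message: checking group membership,
multiplying by the cofactor, and clearing scalar bits.
"""

p = 2**255 - 19
a = p - 1                                             # a = -1 mod p
d = (-121665 * pow(121666, -1, p)) % p                # Ed25519 curve constant
L = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order
h = 8                                                 # cofactor: #E(F_p) = h * L
IDENTITY = (0, 1)


def on_curve(P):
    """Curve equation a*x^2 + y^2 = 1 + d*x^2*y^2. Low-order points pass this too."""
    x, y = P
    return (a * x * x + y * y - 1 - d * x * x * y * y) % p == 0


def add(P, Q):
    """Complete twisted Edwards addition (no exceptional inputs for Ed25519's a, d)."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 - a * x1 * x2) * pow(1 - t, -1, p) % p
    return (x3, y3)


def mul(k, P):
    """Double-and-add scalar multiplication (variable-time; illustration only)."""
    R, Q = IDENTITY, P
    while k > 0:
        if k & 1:
            R = add(R, Q)
        Q = add(Q, Q)
        k >>= 1
    return R


def recover_x(y, x_even=True):
    """Solve x^2 = (y^2 - 1)/(d*y^2 + 1) using the square-root method for p = 5 mod 8."""
    x2 = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p      # multiply by sqrt(-1)
    if (x * x - x2) % p:
        raise ValueError("no square root")
    if (x & 1) != (0 if x_even else 1):
        x = p - x
    return x


# Generator of the prime-order subgroup: y = 4/5, x even (RFC 8032 convention).
B_y = 4 * pow(5, -1, p) % p
B = (recover_x(B_y), B_y)

# Constructed low-order points: they satisfy the curve equation but are not in <B>.
T2 = (0, p - 1)                                   # order 2
T4 = (pow(2, (p - 1) // 4, p), 0)                 # order 4, x = sqrt(-1)


def in_prime_order_subgroup(Q):
    """The membership check: Q on the curve and L*Q = O."""
    return on_curve(Q) and mul(L, Q) == IDENTITY


def dh_check_membership(k, Q):
    """Option: reject the peer's point unless it lies in the prime-order subgroup."""
    if not in_prime_order_subgroup(Q):
        raise ValueError("peer point outside the prime-order subgroup")
    return mul(k, Q)


def dh_multiply_by_cofactor(k, Q):
    """Option: h*Q lands in <B>, so any small-order component vanishes."""
    if not on_curve(Q):
        raise ValueError("peer point not on the curve")
    return mul(k, mul(h, Q))


def dh_clear_bits(k, Q):
    """Option (X25519 style): clearing the low 3 bits makes k a multiple of h."""
    if not on_curve(Q):
        raise ValueError("peer point not on the curve")
    return mul(k & ~7, Q)


def dh_unchecked(k, Q):
    """No cofactor handling: the output depends only on k mod ord(Q)."""
    return mul(k, Q)


def rejects(dh, k, Q):
    """True if the handler refuses Q outright."""
    try:
        dh(k, Q)
        return False
    except ValueError:
        return True


def distinct_secrets(dh, Q, scalars):
    """Number of different shared secrets a set of private scalars yields with Q."""
    return len({dh(k, Q) for k in scalars})


if __name__ == "__main__":
    k = 0x1D2A3B4C5D6E7F8091A2B3C4D5E6F708192A3B4C5D6E7F80  # constructed scalar
    print("T4 rejected by membership check:", rejects(dh_check_membership, k, T4))
    print("secrets from T4 without any check:", distinct_secrets(dh_unchecked, T4, range(1, 40)))
    print("secrets from T4 with bit clearing:", distinct_secrets(dh_clear_bits, T4, range(1, 40)))
```

The membership check is the only option that refuses the low-order point; the other two accept it and silently map it to the identity, which a protocol then has to detect as an all-zero or otherwise fixed shared secret. Without any of the three, the shared secret computed from T4 takes at most four values regardless of the private scalar, which is the small-subgroup leak the message is pointing at.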