Re: [Cfrg] Consensus and a way forward

Watson Ladd <watsonbladd@gmail.com> Thu, 27 November 2014 05:26 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2C681A8879 for <cfrg@ietfa.amsl.com>; Wed, 26 Nov 2014 21:26:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mJqdfIuycHNI for <cfrg@ietfa.amsl.com>; Wed, 26 Nov 2014 21:26:11 -0800 (PST)
Received: from mail-yk0-x235.google.com (mail-yk0-x235.google.com [IPv6:2607:f8b0:4002:c07::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 553911A8876 for <cfrg@irtf.org>; Wed, 26 Nov 2014 21:26:11 -0800 (PST)
Received: by mail-yk0-f181.google.com with SMTP id 142so1892273ykq.26 for <cfrg@irtf.org>; Wed, 26 Nov 2014 21:26:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=RsxJuSnHgy2fFR+4Z6GBK7uUlbaFHWRKWfBFxAfYStI=; b=YUtlYC4izfQ3Uf7+gd068C3K6ng4VZL/0EuXPNYAMSGX2rFvkRlq8EIJVwqAnRrE6n DoVcrsiWDuTkctLsn7O1WtZRLmT0/Q0pEIuMeKq6iMhDHv/xcJ2QGk6KyxjPbDqD1rg2 GPEtxQK4XOFPTh/1jutd3vMaLVbqq66fN2PMkb6/80m6XQDddhlpbmJkMZum5z5t8qhX szvAMPJWaF2q61yZXZ9NFJAs5VXYU/dMUecUiwMWobSv1NAB7JBzj6fUPGpV+DJo858T OYYp3toc+7jwhwkkV3HQ/Ac46AwXMdwefXPHjhnWatv0IX1aHyWgqT4zzg9T403nIeAw MyjQ==
MIME-Version: 1.0
X-Received: by 10.170.214.6 with SMTP id g6mr40592269ykf.34.1417065970522; Wed, 26 Nov 2014 21:26:10 -0800 (PST)
Received: by 10.170.195.21 with HTTP; Wed, 26 Nov 2014 21:26:10 -0800 (PST)
In-Reply-To: <CA+Vbu7xvvfRWyqyE9sqU7VbjzNQZp+DwRWjaV3Lw0hjLr8ye1A@mail.gmail.com>
References: <CA+Vbu7xvvfRWyqyE9sqU7VbjzNQZp+DwRWjaV3Lw0hjLr8ye1A@mail.gmail.com>
Date: Wed, 26 Nov 2014 21:26:10 -0800
Message-ID: <CACsn0cmcP=9s53kGPUdNjHyJpZMfEbCkWHEGiEwPCzfMWPGPnA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Benjamin Black <b@b3k.us>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/_CgyaULbrYny45oWrYpVAwcMUyw
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Consensus and a way forward
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Nov 2014 05:26:14 -0000

On Wed, Nov 26, 2014 at 8:25 PM, Benjamin Black <b@b3k.us>; wrote:
> All,
>
> Over the past couple of weeks we have been working with Adam Langley to see
> if we could find a compromise with which we could all live. I'm pleased to
> say we have been successful in accommodating our respective performance and
> trustworthy generation concerns, and I hope the resulting proposal will be
> attractive to others, as well. The generation procedure is document in a
> draft I've just posted that can be found at
> http://www.ietf.org/id/draft-black-rpgecc-00.txt .

This document doesn't address the most important questions:

1: What goes on the wire for ECDH? Montgomery points, points native to
each curve formula, or Weierstrass points?
2: How are signatures computed?
3: Clear bits, multiply by cofactors, or check group membership?
4: Point compression or no point compression?

Given that generators are recorded for a prime order subgroup, it
would seem that we are checking group membership, which will lead to
the check being omitted and resultant, albeit minor, security issues.

>
> The simplest summary is that we have combined the prime preferred by Adam
> and others at the 128-bit security level with the rigid parameter generation
> we view as essential for producing the most trustworthy curves. We have used
> the generation procedure to produce a new twisted Edwards curve based on
> 2^255 - 19 and a new Edwards curve based on 2^384 - 317. These new curves
> are given as test vectors in the draft, and are also given below.

Why 2^384-317 and not 2^383-31 or 2^389-21? This choice of prime
really pinches the allowable radixes for carry-free multiplication
reduction, and thus hurts efficiency, more than the 2^255-19 vs
2^256-189 decision at the lower security level. Far from being a
simultaneous accommodation of the performance concerns and the
generation concerns, this is clearly horse trading, with performance
being given the choice of the 255 bit prime, and a similar improvement
not happening at the 384 bit prime.

>
> These 2 curves are sufficient for meeting the request from TLS. However, if
> there is strong interest in a 3rd curve for the 256-bit security level, the
> generation procedure gives the same curve with p =2^521 - 1 as several teams
> produced.

Sincerely,
Watson Ladd
>
>
> b
>
> --
>
> 2^255 - 19
>
>    p = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>          FFFFFFFFFFED
>    d = 0x15E93
>    r = 0x2000000000000000000000000000000016241E6093B2CE59B6B9
>          8FD8849FAF35
> x(P) = 0x3B7C1D83A0EF56F1355A0B5471E42537C26115EDE4C948391714
>          C0F582AA22E2
> y(P) = 0x775BE0DEC362A16E78EFFE0FF4E35DA7E17B31DC1611475CB4BE
>          1DA9A3E5A819
>    h = 0x4
>
>
> 2^384 - 317
>
>      p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>            FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEC3
>      d = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>            FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD19F
>      r = 0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE2471A1
>            CB46BE1CF61E4555AAB35C87920B9DCC4E6A3897D
>   x(P) = 0x61B111FB45A9266CC0B6A2129AE55DB5B30BF446E5BE4C005763FFA
>            8F33163406FF292B16545941350D540E46C206BDE
>   y(P) = 0x82983E67B9A6EEB08738B1A423B10DD716AD8274F1425F56830F98F
>            7F645964B0072B0F946EC48DC9D8D03E1F0729392
>      h = 0x4
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin