Re: [Cfrg] Proposed requirements for curve candidate evaluation

Michael Hamburg <mike@shiftleft.org> Thu, 07 August 2014 20:46 UTC

From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C71859CD7E2B@USMBX1.msg.corp.akamai.com>
Date: Thu, 07 Aug 2014 13:46:03 -0700
Message-Id: <97AA7854-2BCD-4A37-B26F-850C8F9C9A7F@shiftleft.org>
References: <f9d9c886d08e4a4eb09c4a57584f950b@BL2PR03MB242.namprd03.prod.outlook.com> <4EBC943C-77A4-417C-B29C-D18E00F1AEAD@shiftleft.org> <CA+Vbu7xEQzXBdc8R6YYaeu0bQSTUo93ppJp+cUJVr9WGs0sjPQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C71859CD7E2B@USMBX1.msg.corp.akamai.com>
To: "Salz, Rich" <rsalz@akamai.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/_hdInaPgBKplrxMO8ZprM-mrU08
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Proposed requirements for curve candidate evaluation

> On Aug 7, 2014, at 12:19 PM, Salz, Rich <rsalz@akamai.com> wrote:

> [Benjamin Black wrote:]
> > This requirement permits twisted Edwards. What it excludes is using different models for different purposes.


Does it?  ANSI X9.62 specifies ECDSA only over curves in short Weierstrass form.

If this requirement is not intended to force short Weierstrass, perhaps it should be rephrased as:

"""
At each security level, the CFRG-recommended curve must be specified in a single curve model that is used for both digital signatures and key exchange algorithms without transformation to other models.  It must be suitable for ECDSA and ECDHE with a straightforward transformation to and from short Weierstrass form.
"""

> And why is that important?  To reduce code size?


Or perhaps for simplicity of specification?

Interestingly, I think that in combination with Requirement 1, this might nix both Curve25519 and the Microsoft NUMS curves.

— Mike
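The "straightforward transformation to and from short Weierstrass form" in the proposed wording above can be made concrete. The following is an added example, not code from the message, from the thread, or from any CFRG draft: it carries the Ed25519 base point through the twisted Edwards, Montgomery and short Weierstrass models of the Curve25519 group, using the RFC 7748 section 4.1 map u = (1+y)/(1-y), v = sqrt(-486664)·u/x and the usual coordinate shift x = u + A/3 that removes the u² term. Curve parameters are the published RFC 7748 / RFC 8032 constants; the function names and on-curve checks are this example's own.

```python
# Added example (not part of the message above): moving one point of the
# Curve25519 group between its twisted Edwards (Ed25519), Montgomery (X25519)
# and short Weierstrass models.  Parameters are from RFC 7748 / RFC 8032;
# the function names are this example's own.

p = 2**255 - 19
A = 486662                                   # Montgomery: v^2 = u^3 + A u^2 + u (B = 1)
d = (-121665 * pow(121666, -1, p)) % p       # Ed25519: -x^2 + y^2 = 1 + d x^2 y^2


def inv(x):
    """Modular inverse; refuses 0 so a point at infinity is not silently mis-mapped."""
    x %= p
    if x == 0:
        raise ZeroDivisionError("point maps to the neutral element / infinity")
    return pow(x, p - 2, p)


def sqrt_mod_p(n):
    """Square root mod p for p = 5 (mod 8), the same method RFC 8032 uses for decoding."""
    n %= p
    r = pow(n, (p + 3) // 8, p)
    if (r * r) % p != n:
        r = (r * pow(2, (p - 1) // 4, p)) % p
    if (r * r) % p != n:
        raise ValueError("not a quadratic residue")
    return r


SQRT_M486664 = sqrt_mod_p(-486664)           # scaling constant from RFC 7748 section 4.1

# Short Weierstrass coefficients y^2 = x^3 + WA x + WB obtained from the
# Montgomery form by the substitution x = u + A/3 (valid because B = 1).
WA = (3 - A * A) * inv(3) % p
WB = (2 * A**3 - 9 * A) * inv(27) % p


def on_edwards(x, y):
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0


def on_montgomery(u, v):
    return (v * v - (u**3 + A * u * u + u)) % p == 0


def on_weierstrass(x, y):
    return (y * y - (x**3 + WA * x + WB)) % p == 0


def edwards_to_montgomery(x, y):
    """RFC 7748 section 4.1: u = (1+y)/(1-y), v = sqrt(-486664) * u / x."""
    u = (1 + y) * inv(1 - y) % p
    v = SQRT_M486664 * u * inv(x) % p
    return u, v


def montgomery_to_edwards(u, v):
    """Inverse of the map above: y = (u-1)/(u+1), x = sqrt(-486664) * u / v."""
    y = (u - 1) * inv(u + 1) % p
    x = SQRT_M486664 * u * inv(v) % p
    return x, y


def montgomery_to_weierstrass(u, v):
    """Isomorphism: shift the u-coordinate by A/3; v is unchanged."""
    return (u + A * inv(3)) % p, v % p


def weierstrass_to_montgomery(x, y):
    return (x - A * inv(3)) % p, y % p


def ed25519_basepoint():
    """Recover the Ed25519 base point from y = 4/5 (RFC 8032), choosing even x."""
    y = 4 * inv(5) % p
    x2 = (y * y - 1) * inv(d * y * y + 1) % p
    x = sqrt_mod_p(x2)
    if x & 1:
        x = p - x
    return x, y


if __name__ == "__main__":
    x, y = ed25519_basepoint()
    u, v = edwards_to_montgomery(x, y)
    wx, wy = montgomery_to_weierstrass(u, v)
    print("Edwards base point on curve:", on_edwards(x, y))
    print("Montgomery u =", u, "on curve:", on_montgomery(u, v))
    print("Weierstrass point on curve:", on_weierstrass(wx, wy))
    print("round trip ok:", montgomery_to_edwards(*weierstrass_to_montgomery(wx, wy)) == (x, y))
```

The Montgomery/Weierstrass step is a plain isomorphism with no exceptional points, which is the "straightforward" half; the Edwards/Montgomery step is only birational and breaks down at the neutral element (y = 1), at points with x = 0, and at u = -1, which is why `inv()` refuses zero instead of returning a wrong coordinate. The X25519 base point u = 9 falls out of the Ed25519 base point y = 4/5 directly, and the sign of v depends only on which square root of -486664 is chosen.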