Re: [Cfrg] draft-ladd-safecurves-02

Robert Ransom <rransom.8774@gmail.com> Sat, 11 January 2014 16:17 UTC

From: Robert Ransom <rransom.8774@gmail.com>
To: Michael Hamburg <mike@shiftleft.org>
Cc: Trevor Perrin <trevp@trevp.net>, "cfrg@irtf.org" <cfrg@irtf.org>

On 1/10/14, Michael Hamburg <mike@shiftleft.org> wrote:

> Well, you can do it in any coordinate system where negating one coordinate
> negates the point.  You just have to change section 4.3 to use the curve’s
> formula instead of the short Weierstrass formula.  For example, you can do
> it with Edwards curves and negate x instead of y.

Or, in any application where (a) points should be transmitted or
stored in Edwards form, and (b) points can or will be doubled at least
once before use, one can negate the Edwards y coordinate iff the
Edwards x coordinate is ‘negative’.  (This corresponds to adding (0,
-1) (the point of order 2) in order to fix the sign of x.)

If one can also discard the point's sign or modify the secret key, one
can combine the above trick with Jivsov's suggestion: negate the
Edwards y coordinate to fix its sign bit, and discard it.  (This could
be useful for applications where public keys must be transmitted in
base 32 or base 64 and the coordinate field has one extra bit, e.g.
using points on the minimal-Edwards-parameter curve mod 2^206 - 5 as
DHT addresses.)


Robert Ransom
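
The x-sign trick from the message above, as an added example that is not part of the original email: points are sent as a single y value, negated iff x is 'negative', and the receiver ends up with either P or P + (0, -1), which agree after one doubling. The toy curve x^2 + y^2 = 1 + d*x^2*y^2 over GF(1019) with d = -1, the low-bit sign convention and all function names are assumptions chosen for illustration.

```python
P = 1019            # toy prime (constructed, illustration only); P % 4 == 3
D = P - 1           # d = -1 is a non-square mod P, so the addition law is complete
T = (0, P - 1)      # (0, -1), the point of order 2

def inv(a):
    return pow(a % P, P - 2, P)

def add(p1, p2):
    """Edwards addition on x^2 + y^2 = 1 + d*x^2*y^2."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + y1 * x2) * inv(1 + t) % P,
            (y1 * y2 - x1 * x2) * inv(1 - t) % P)

def is_negative(x):
    return x & 1 == 1   # assumed sign convention: low bit of the canonical residue

def x_squared(y):
    return (1 - y * y) * inv(1 - D * y * y) % P

def encode(pt):
    """Send only y, negated iff x is 'negative' (the y of pt or of pt + T)."""
    x, y = pt
    return (P - y) % P if is_negative(x) else y

def decode(enc_y):
    """Recover the point with the non-negative x; no sign bit is needed."""
    xx = x_squared(enc_y)
    x = pow(xx, (P + 1) // 4, P)
    if x * x % P != xx:
        raise ValueError("not a valid encoding")
    return (P - x if is_negative(x) else x, enc_y)

def curve_points():
    pts = []
    for y in range(P):
        xx = x_squared(y)
        x = pow(xx, (P + 1) // 4, P)
        if x * x % P == xx:
            pts += [(x, y)] if x == 0 else [(x, y), (P - x, y)]
    return pts

def check_all():
    """decode(encode(pt)) is pt or pt + T, and doubling removes the difference."""
    for pt in curve_points():
        q = decode(encode(pt))
        if q not in (pt, add(pt, T)) or add(q, q) != add(pt, pt):
            return False
    return True
```

`check_all()` walks every point of the toy curve, so it also covers the edge cases x = 0 and y = 0.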