Re: [Cfrg] On the use of Montgomery form curves for key agreement

Benjamin Black <b@b3k.us> Tue, 02 September 2014 03:15 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/dNrdTzmMVzPFbCL_Cwu1MqKIptk

On Mon, Sep 1, 2014 at 7:05 PM, Watson Ladd <watsonbladd@gmail.com> wrote:

> On Mon, Sep 1, 2014 at 6:50 PM, Benjamin Black <b@b3k.us> wrote:
> >
> > The various working groups and standards bodies have already answered the
> > question of what goes on the wire. The TLS request was for new curves. As we
> > all seem to agree implementers are and should be free to use whatever form
> > they wish internally as long as the external representation is fixed, there
> > is general support for specifying curves in Edwards form, and existing
> > protocols all define X/Y coordinates on the wire, then I see an opportunity
> > for broad consensus here.
>
> The standards define short Weierstrass coordinates as what goes on the
> wire, not arbitrary pairs X,Y. Furthermore, things like the
> representability of the identity, small order points, etc. introduce
> enough differences from existing practice that one has to check
> carefully how well the specs deal with them.
>
>
In neither RFC4492 nor X9.62-1998 do I see anything that constrains X,Y
coordinate formats to being short Weierstrass only. I am aware that strict
compliance with ECDSA requires short Weierstrass, but that, too, is an
implementation detail for those electing to use the new curves. If you have
a specific section of a standard in mind, please point me to it.

The rest of your message would be good guidance to provide back to TLS-WG
along with the curves so they can correctly and securely implement them.


b