Re: [Cfrg] Consensus and a way forward

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Thu, 27 November 2014 10:44 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Watson Ladd <watsonbladd@gmail.com>, "b@b3k.us" <b@b3k.us>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 27 Nov 2014 10:20:17 +0000
Subject: Re: [Cfrg] Consensus and a way forward
Message-ID: <D09CA864.3828D%kenny.paterson@rhul.ac.uk>
In-Reply-To: <CACsn0cmcP=9s53kGPUdNjHyJpZMfEbCkWHEGiEwPCzfMWPGPnA@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/f2W94JAtJ53meEqfGgimg6xMiR8

Hi Watson,

On 27/11/2014 05:26, "Watson Ladd" <watsonbladd@gmail.com> wrote:

>On Wed, Nov 26, 2014 at 8:25 PM, Benjamin Black <b@b3k.us> wrote:
>> All,
>>
>> Over the past couple of weeks we have been working with Adam Langley to
>> see if we could find a compromise with which we could all live. I'm
>> pleased to say we have been successful in accommodating our respective
>> performance and trustworthy generation concerns, and I hope the resulting
>> proposal will be attractive to others, as well. The generation procedure
>> is documented in a draft I've just posted that can be found at
>> http://www.ietf.org/id/draft-black-rpgecc-00.txt .
>
>This document doesn't address the most important questions:
>
>1: What goes on the wire for ECDH? Montgomery points, points native to
>each curve formula, or Weierstrass points?
>2: How are signatures computed?
>3: Clear bits, multiply by cofactors, or check group membership?
>4: Point compression or no point compression?

These things would all follow in due course, if the proposal were
acceptable to CFRG.

Anyway, as far as I can see, none of these is very hard, given the many
discussions we've had on the list and the education I've thereby received.
Here are some suggestions that we can come back to later (once we've agreed
whether we want to go down this route or not):

1. Points in Montgomery form for ECDH (remember, we are at liberty to
specify new point formats on the wire for these curves for TLS).
2. Using EC-DSA (oh yes!).
3. Multiply by co-factors, as per the EC-DSA standards, IIRC; plus
whatever Montgomery form needs (please feel free to re-inform me).
4. Not relevant for EC-DSA signatures; for Montgomery form, x-coordinate
only would be best, right?

Cheers

Kenny


>
>Given that generators are recorded for a prime order subgroup, it
>would seem that we are checking group membership, which will lead to
>the check being omitted and resultant, albeit minor, security issues.
>
>>
>> The simplest summary is that we have combined the prime preferred by
>> Adam and others at the 128-bit security level with the rigid parameter
>> generation we view as essential for producing the most trustworthy
>> curves. We have used the generation procedure to produce a new twisted
>> Edwards curve based on 2^255 - 19 and a new Edwards curve based on
>> 2^384 - 317. These new curves are given as test vectors in the draft,
>> and are also given below.
>
>Why 2^384-317 and not 2^383-31 or 2^389-21? This choice of prime
>really pinches the allowable radixes for carry-free multiplication
>reduction, and thus hurts efficiency, more than the 2^255-19 vs
>2^256-189 decision at the lower security level. Far from being a
>simultaneous accommodation of the performance concerns and the
>generation concerns, this is clearly horse trading, with performance
>being given the choice of the 255 bit prime, and a similar improvement
>not happening at the 384 bit prime.
>
>>
>> These 2 curves are sufficient for meeting the request from TLS.
>> However, if there is strong interest in a 3rd curve for the 256-bit
>> security level, the generation procedure gives the same curve with
>> p = 2^521 - 1 as several teams produced.
>
>Sincerely,
>Watson Ladd
>>
>>
>> b
>>
>> --
>>
>> 2^255 - 19
>>
>>    p = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>          FFFFFFFFFFED
>>    d = 0x15E93
>>    r = 0x2000000000000000000000000000000016241E6093B2CE59B6B9
>>          8FD8849FAF35
>> x(P) = 0x3B7C1D83A0EF56F1355A0B5471E42537C26115EDE4C948391714
>>          C0F582AA22E2
>> y(P) = 0x775BE0DEC362A16E78EFFE0FF4E35DA7E17B31DC1611475CB4BE
>>          1DA9A3E5A819
>>    h = 0x4
>>
>>
>> 2^384 - 317
>>
>>      p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>            FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEC3
>>      d = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>            FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD19F
>>      r = 0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE2471A1
>>            CB46BE1CF61E4555AAB35C87920B9DCC4E6A3897D
>>   x(P) = 0x61B111FB45A9266CC0B6A2129AE55DB5B30BF446E5BE4C005763FFA
>>            8F33163406FF292B16545941350D540E46C206BDE
>>   y(P) = 0x82983E67B9A6EEB08738B1A423B10DD716AD8274F1425F56830F98F
>>            7F645964B0072B0F946EC48DC9D8D03E1F0729392
>>      h = 0x4
>>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>>
>
>
>
>-- 
>"Those who would give up Essential Liberty to purchase a little
>Temporary Safety deserve neither  Liberty nor Safety."
>-- Benjamin Franklin
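Kenny's point 3 (multiply by the cofactor versus check group membership), his point 4 (x-coordinate-only Montgomery encoding) and Watson's remark about the membership check being omitted can be made concrete on the 2^255 - 19 curve whose test vectors are quoted at the end of the thread. The following is an added example, not code from the thread or from draft-black-rpgecc-00. It takes p, d, r, h and the base point from the quoted test vectors and assumes the curve equation is -x^2 + y^2 = 1 + d*x^2*y^2 (a = -1); the message only says "twisted Edwards", so the sign of a is an assumption, as is the birational map u = (1 + y)/(1 - y) to the Montgomery u-coordinate, which is the standard one for that equation form. The receiver routine `receive_ecdh_point`, its strategy names and the sample scalar are constructed for illustration.

```python
# Added example (not from the thread or from draft-black-rpgecc-00): group
# membership check vs. cofactor clearing on the 2^255-19 curve quoted above.
# ASSUMPTION: curve is -x^2 + y^2 = 1 + d*x^2*y^2, i.e. a = -1.

P = 2**255 - 19          # field prime (quoted as 0x7FFF...FFED)
A = -1                   # ASSUMED twisted Edwards coefficient a
D = 0x15E93              # d, from the quoted test vectors
R = 0x2000000000000000000000000000000016241E6093B2CE59B6B98FD8849FAF35  # subgroup order r
H = 4                    # cofactor h
BASE = (0x3B7C1D83A0EF56F1355A0B5471E42537C26115EDE4C948391714C0F582AA22E2,
        0x775BE0DEC362A16E78EFFE0FF4E35DA7E17B31DC1611475CB4BE1DA9A3E5A819)
IDENTITY = (0, 1)        # neutral element of the twisted Edwards group law


def inv(z):
    """Modular inverse via Fermat's little theorem (P is prime)."""
    return pow(z, P - 2, P)


def on_curve(Q):
    """True if Q = (x, y) satisfies a*x^2 + y^2 = 1 + d*x^2*y^2 over GF(p)."""
    x, y = Q
    return (A * x * x + y * y - 1 - D * x * x * y * y) % P == 0


def add(Q1, Q2):
    """Unified twisted Edwards addition (complete when a is a square and d is not)."""
    x1, y1 = Q1
    x2, y2 = Q2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * inv((1 + t) % P) % P
    y3 = (y1 * y2 - A * x1 * x2) * inv((1 - t) % P) % P
    return (x3, y3)


def mul(k, Q):
    """Left-to-right double-and-add scalar multiplication (not constant-time)."""
    acc = IDENTITY
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, Q)
    return acc


def in_prime_order_subgroup(Q):
    """Full membership check: on the curve and annihilated by the subgroup order r."""
    return on_curve(Q) and mul(R, Q) == IDENTITY


def clear_cofactor(Q):
    """Multiply by h; sends every curve point into the prime-order subgroup."""
    return mul(H, Q)


def sqrt_minus_one():
    """A square root of -1 mod p; 2^((p-1)/4) works because p = 5 (mod 8)."""
    return pow(2, (P - 1) // 4, P)


def small_order_points():
    """The order-2 point and one order-4 point of the (assumed) curve."""
    return [(0, P - 1), (sqrt_minus_one(), 0)]


def montgomery_u(Q):
    """u-coordinate on the birationally equivalent Montgomery curve,
    u = (1 + y) / (1 - y): the x-only wire value of points 1 and 4.
    Returns None for the identity, which maps to the point at infinity."""
    _, y = Q
    if y == 1:
        return None
    return (1 + y) * inv((1 - y) % P) % P


def receive_ecdh_point(Q, secret, strategy):
    """Constructed receiver: validate a peer's affine point under one of the
    two strategies from the thread. Returns the shared point, or None if rejected."""
    if not on_curve(Q):
        return None
    if strategy == "check-membership":
        if not in_prime_order_subgroup(Q):
            return None
        return mul(secret, Q)
    if strategy == "clear-cofactor":
        Q = clear_cofactor(Q)
        if Q == IDENTITY:       # every small-order input lands on the identity
            return None
        return mul(secret, Q)
    raise ValueError("unknown strategy")


if __name__ == "__main__":
    secret = 0x1234567  # constructed scalar, not a real key
    for T in small_order_points():
        print("small-order point: on curve", on_curve(T),
              "| in subgroup", in_prime_order_subgroup(T),
              "| montgomery u", montgomery_u(T))
        print("  check-membership ->", receive_ecdh_point(T, secret, "check-membership"))
        print("  clear-cofactor   ->", receive_ecdh_point(T, secret, "clear-cofactor"))
    print("base point in prime-order subgroup:", in_prime_order_subgroup(BASE))
```

The two small-order points are the ones a receiver that skips the membership check would accept: both satisfy the curve equation, so `on_curve` alone does not reject them, and under the x-only encoding they are the inputs u = 0 and u = 1. The `check-membership` strategy rejects them outright; the `clear-cofactor` strategy maps them (and the small-order component of any point such as BASE + T) to the identity, which the receiver must then test for explicitly.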