Re: [Cfrg] On curves

Watson Ladd <watsonbladd@gmail.com> Thu, 03 July 2014 03:35 UTC

In-Reply-To: <9FC87305-B678-4FBF-8976-9E0CE4A79FF2@shiftleft.org>
References: <CACsn0cnKn2mx15SWN=2HmcXnsDeQhc49p5Z6kh5ucgj_jAPQzg@mail.gmail.com> <9FC87305-B678-4FBF-8976-9E0CE4A79FF2@shiftleft.org>
Date: Wed, 02 Jul 2014 20:35:00 -0700
Message-ID: <CACsn0cn_4cjaM4NQBMzoksxqsgHsny2SeMA6povZ1quMg+Du_A@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Michael Hamburg <mike@shiftleft.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/fjSYmHshr5CoSdykWJmkB1TKwu4
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] On curves

On Wed, Jul 2, 2014 at 8:00 PM, Michael Hamburg <mike@shiftleft.org> wrote:
> Thanks for your perspective, Watson!
>
> But, how should we proceed?  We have, now, at least four pieces of code which aim for eventual production-grade Edwards curve crypto.  None of them entirely follows your suggestions:
>
> * Ed25519, which uses Edwards coordinates, p=5 mod 8, and an extra bit sign encoding;
>
> * Snowshoe, with endomorphisms over GF((2^127-1)^2), and I think no compression;
>
> * The Microsoft curves, which have code released for p = 2^(64b)-minimal, p=3 mod 4, and no point compression;
>
> * Ed448-Goldilocks, which uses a Solinas prime and a 1/sqrt(x) point representation.
>
> Are you requesting that the Microsoft folks release implementations of some of their other curves?

Yes, and I think we should change some choices. Adding point
compression with a separate sign bit is not that tricky, but I can't
remember when the patent expires. (I'm also not volunteering: my
timeframe for completion doesn't line up). Alternatively we decide
which of these is the closest to some reasonable ideal/doesn't offend
too many people.


Sincerely,
Watson Ladd
>
> Cheers,
> — Mike
>
> On Jul 2, 2014, at 10:37 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
>
>> Dear all,
>> After thinking about it for a bit, I've come up with the following
>> summary of my current position.
>>
>> For compressed Edwards points, having p=3 (mod 4) is slightly easier
>> to explain how to deal with than p=5 (mod 8). We want to have the
>> same prime
>>
>> There is no point to adding additional Weierstrass curves: additional
>> performance alone isn't that compelling unless implementors want to
>> implement a bunch of curves. Doing a good implementation is a bunch of
>> work, and in particular while a saturated word arithmetic is easy,
>> it's not worth doing unsaturated arithmetic unnecessarily.
>>
>> Likewise the difference between 2^256 and 2^255 is minor in security,
>> but has a performance hit, so I would try to avoid going over word
>> boundaries.
>>
>> As a result I suggest a Montgomery curve and isogenous twisted Edwards
>> curve with primes of the form p=2^(64*b-1)-c, c minimal so p is 3 (mod
>> 4). I believe these have been computed by Longa et al.
>>
>> However, at the 128 bit level, I see no technical arguments against
>> Curve25519. It's really a WG decision as how to do it.
>>
>> This leaves the question of point representation: I would use Edwards
>> form with point compression: the Montgomery form has advantages in
>> variable-base multiplication, but it appears that summing the time of
>> one variable-base multiplication with one fixed-base multiplication
>> comes out lower for Edwards form. Again, for everything but signatures
>> the difference is probably minor.
>>
>> Sincerely,
>> Watson Ladd
>>
>
-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
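Added example, not code from this thread or from any of the implementations Mike lists: the two modular square-root shortcuts behind Watson's remark that p = 3 (mod 4) is simpler to handle than p = 5 (mod 8) when decompressing Edwards points. The p = 5 (mod 8) path is exercised on Ed25519 (constants from RFC 8032) and the p = 3 (mod 4) path on the Ed448-Goldilocks prime; the decompression helper is written here for illustration.

```python
# Square roots mod p for the two prime shapes discussed in the thread.
# Ed25519 constants are RFC 8032's; P448 is the Goldilocks Solinas prime.

def sqrt_3mod4(a, p):
    """p = 3 (mod 4): a single exponentiation, then verify the candidate."""
    r = pow(a, (p + 1) // 4, p)
    return r if r * r % p == a % p else None

def sqrt_5mod8(a, p):
    """p = 5 (mod 8): one exponentiation, plus a correction by
    sqrt(-1) = 2^((p-1)/4) when the first candidate squares to -a.
    This extra branch is what makes the p = 5 (mod 8) case harder to explain."""
    r = pow(a, (p + 3) // 8, p)
    if r * r % p == a % p:
        return r
    if r * r % p == (-a) % p:
        return r * pow(2, (p - 1) // 4, p) % p
    return None

P25519 = 2**255 - 19                                  # p = 5 (mod 8)
D25519 = (-121665 * pow(121666, -1, P25519)) % P25519  # Ed25519's d
P448 = 2**448 - 2**224 - 1                            # p = 3 (mod 4)

def decompress_ed25519(y, sign):
    """Recover x from y and a sign bit on -x^2 + y^2 = 1 + d x^2 y^2,
    i.e. x^2 = (y^2 - 1) / (d y^2 + 1). Returns None if y is not on the curve."""
    y2 = y * y % P25519
    x2 = (y2 - 1) * pow(D25519 * y2 + 1, -1, P25519) % P25519
    x = sqrt_5mod8(x2, P25519)
    if x is None or (x == 0 and sign == 1):
        return None
    if x & 1 != sign:      # pick the root whose low bit matches the sign bit
        x = P25519 - x
    return x

# Ed25519 base point: y = 4/5 mod p, x even (sign bit 0).
BASE_Y = 4 * pow(5, -1, P25519) % P25519
BASE_X = 15112221349535400772501151409588531511454012693041857206046113283949847762202

if __name__ == "__main__":
    print(decompress_ed25519(BASE_Y, 0) == BASE_X)
    print(sqrt_3mod4(49, P448) in (7, P448 - 7))
```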