Re: [Cfrg] Formal request from TLS WG to CFRG for new elliptic curves

Andrey Jivsov <> Mon, 21 July 2014 06:15 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 368B81A0381 for <>; Sun, 20 Jul 2014 23:15:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.831
X-Spam-Status: No, score=-1.831 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HQFyssqKJnjJ for <>; Sun, 20 Jul 2014 23:15:15 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 541921B2B6E for <>; Sun, 20 Jul 2014 23:15:15 -0700 (PDT)
Received: by with SMTP id at20so6192661iec.8 for <>; Sun, 20 Jul 2014 23:15:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:sender:message-id:date:from:user-agent :mime-version:to:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=hqwFCqH1mdFk9PHSMVwD3TmU7H2l1dalfFwldb5/9Qg=; b=f0Wz4DyWRa+48M3+yF0NL6k9NFxiVd6jgSJBzfhAWG0Z4rvYwVHPWkTCiuRDzE7wf+ DEFMSR+3n4ArtwyXc898NNF7wUCCIsUcKaPg8n2EZ4E0+hkVSvUbUxd/tZCTo5i9CN3q PPz7zjK7YCduuHFhHH47VEHOn3HZUEvw0egpTwi6oySzK/6fq79OZVm8xIJmD+x913pg JtlLoWFXhohf073/mnjLq6OoDCWB/YtYNSbQGvGHffMvhAKYbgCgAkcDw+V9/goCDAfd Mk1/pgmUVAIc6TG0M9AmeXxPNmotApOyZdCIMahMF/MPP9NVOKuXqSrFOZryNN5RkKL/ +wAw==
X-Gm-Message-State: ALoCoQnctqv5rGDopxw3KB3zHBKvkqsNsSWHUov9szTmkUN9+ZzA8RXAfirg74RYFlzEGpNyeTAw
X-Received: by with SMTP id pn8mr1376049igb.11.1405923314461; Sun, 20 Jul 2014 23:15:14 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id dx6sm35738089igb.15.2014. for <> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 20 Jul 2014 23:15:13 -0700 (PDT)
Sender: Andrey <>
Message-ID: <>
Date: Mon, 21 Jul 2014 02:15:11 -0400
From: Andrey Jivsov <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "" <>
References: <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Cfrg] Formal request from TLS WG to CFRG for new elliptic curves
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 21 Jul 2014 06:15:18 -0000

On 7/20/2014 11:13 PM, Watson Ladd wrote:
> On Sun, Jul 20, 2014 at 7:32 PM, Andrey Jivsov <> wrote:
>>>   s: Denotes the bit length, here s in {256,384,512}.
>>>   p: Denotes the prime number defining the base field.
>>>   c: A positive integer used in the representation of the prime
>>>           p = 2^s - c.
>> In light of the recent discussion, would an attempt to reach a consensus on
>> the value of p first has a higher chance for success at this point?
> What is wrong with the program the chair outlined for a competition, and how
> does your proposal fix them

I meant this as an additional nice to have property. I could state a 
specific requirement, e.g. "2^s-C with s max",  but my main point is to 
show a benefit to have a commitment to a fixed p for each s.

>> Assuming we want a new p, some arguments for a fixed F(p) are:
>> * the specs like Curve25519 are "stacks of layers", which prescribe a Curve,
>> co-factor multiplication, F(p) operations, and an integer format (fixing p
>> seems as one of the the least controversial tasks among these "layers")
>> * the performance advantage are mostly attributed to the F(p) operations
>> (factor of n improvement in F(p) results in ~ n^2 curve performance)
>> * F(p) operations are platform-specific  (if there is assembler code used in
>> the "stack", it will likely be restricted to the F(p))
>> * F(p) clarity will let hardware vendors focus on optimizations (and not
>> worry about the entire stack)
>> * same F(p) doesn't prohibit multiple curves over it; ( fixing F(p) first
>> and the curve or curves later will allow implementations to proceed sooner
>> and enables a compromise )
>> * fixed F(p) allows greater flexibility to upgrade the curves (future curves
>> will likely have hardware support available, sensitive code resused).
>> * fixed F(p) reduces the code size, increases interoperability (currently
>> NUMS and Curve25519 are at odds here)
> How long do you think this is going to take? It should be taking much
> shorter than
> the time it takes to design hardware. Furthermore, all of the choices
> come with software
> implementations liberally licensed.

If there is an unquestionable winner, similar to an AES finalist, then 
there is no worry about universal adoption.

The issue with ECC has always been fragmented ecosystem. At this point 
we are looking at SuiteB / CFRG's choice split. A consensus on F(p) has 
benefits to get more support behind the CFRG choice.

The availability of software libraries is not helping the products that 
need hardware acceleration.

> I don't quite understand your replacement point: many tricks such as
> hyper-and-elliptic,
> endomorphisms (misleadingly called Koblitz curves), etc. require
> primes with some special
> properties or use extension fields. Even going to the Kummer surface
> in genus 2 involves dropping
> field size, so the F(p) will need to be sized differently.

The importance of these other possibilities should be considered, of 
course. I had current contenders in mind. Fewer choices helps with adoption.

> Any future proposal if we need it can use an F(p) defined now, possibly.
Right, a fixed p with typical constrains on p covers many important 
choices of curves. We can hope that a large class of future curves 
should be able to use the same F(p) layer.

There is also hope that national standards may feel motivated to use the 
"standard p" on performance/hardware reasons with "their" curves, as 
opposed to completely defining the entirely new stack.

>> This narrow focus leads to these questions regarding the F(p):
>> * is a pseudo-Mersenne p an appropriate p for the new curves (the only cons
>> to this so far is that such a p fixes the Curve's order to be close to 2^s;
>> besides the trivial one that this makes the Pollard-rho faster)
>> * Curve25519 uses 255 instead of 256; however, CFRG can choose s=255 for 128
>> bit security as well (citing "historic" reasons).
> The extra word for the top bit is a pain. The loss of half a bit in
> "security" is really de minimis.
Could you please be more specific about how this brings in a new word?

( Even with the off-the-shelf CPUs, we currently have x86, x86_64, 
AVX2-256, and upcoming AVX-512. Please define your target instruction set)

>> Should CFRG seek consensus on the above two questions first?
> No, because that is not how this is being done, and there is a strong
> (but rebuttable) presumption that
> the chair knows what they are doing in organizing WG activities.
> Sincerely,
> Watson Ladd
>> _______________________________________________
>> Cfrg mailing list