Re: [Cfrg] Requirements for curve candidate evaluation update

Mike Hamburg <mike@shiftleft.org> Wed, 13 August 2014 02:12 UTC

Message-ID: <53EAC96F.5000804@shiftleft.org>
Date: Tue, 12 Aug 2014 19:11:59 -0700
From: Mike Hamburg <mike@shiftleft.org>
To: Watson Ladd <watsonbladd@gmail.com>, Benjamin Black <b@b3k.us>
References: <CA+Vbu7wuAcmtAKJYEgAaSBTf6sj8pRfYpJhz2qV_ER=33mrk8Q@mail.gmail.com> <CACsn0cmzixM0zUkb9mHuo8eAYXdCpEr_cdvzuj4AbMG4of8PKg@mail.gmail.com>
In-Reply-To: <CACsn0cmzixM0zUkb9mHuo8eAYXdCpEr_cdvzuj4AbMG4of8PKg@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/h44Ky2jwLyqTWAySYtMTwfWE8UU
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Requirements for curve candidate evaluation update

On 8/12/2014 6:14 PM, Watson Ladd wrote:
> Except the Microsoft curves send points on a twisted Edwards curve
> with a=-1, and q=3 (4), so aren't complete without using an isogeny
> and a slower formula. This is a much more serious problem, as it makes
> implementation quite a bit more complicated. If we assume implementors
> don't know crypto, then complete formulas are very necessary.
>
Presumably this is not an exhaustive list of desiderata.

If these requirements become final, then surely the complete curves mod 
the Microsoft primes with a=1 and no restriction on the sign of d 
(choose the one with q<p) should be in the running.

Cheers,
-- Mike
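The completeness condition the two messages turn on, worked through as an added example (this code is not from the thread or from any curve proposal): the twisted Edwards addition law on a*x^2 + y^2 = 1 + d*x^2*y^2 is complete when a is a square and d is a non-square in F_p. For p = 3 (mod 4), -1 is a non-square, so an a = -1 curve cannot satisfy it, while an a = 1 curve with non-square d can. The field p = 11 and d = 2 below are a constructed toy instance, not one of the Microsoft primes, small enough to enumerate every pair of points and look for vanishing denominators.

```python
# Brute-force check of the twisted Edwards completeness condition over a
# constructed toy field (p = 11, which is 3 mod 4; d = 2 is a non-square there).

def legendre(x, p):
    """Euler's criterion: 1 for a non-zero square, p-1 for a non-square, 0 for 0."""
    return pow(x % p, (p - 1) // 2, p)

def is_complete(a, d, p):
    """Sufficient condition from the twisted Edwards completeness theorem:
    a a square and d a non-square in F_p."""
    return legendre(a, p) == 1 and legendre(d, p) == p - 1

def curve_points(a, d, p):
    """All affine F_p-rational points of a*x^2 + y^2 = 1 + d*x^2*y^2."""
    return [(x, y) for x in range(p) for y in range(p)
            if (a * x * x + y * y - 1 - d * x * x * y * y) % p == 0]

def exceptional_pairs(a, d, p):
    """Pairs (P, Q) on which the affine addition law is undefined, i.e. where
    one of the denominators 1 + d*x1*x2*y1*y2 or 1 - d*x1*x2*y1*y2 is zero."""
    pts = curve_points(a, d, p)
    bad = []
    for (x1, y1) in pts:
        for (x2, y2) in pts:
            t = (d * x1 * x2 * y1 * y2) % p
            if t == 1 or t == p - 1:          # 1 - t == 0 or 1 + t == 0
                bad.append(((x1, y1), (x2, y2)))
    return bad

if __name__ == "__main__":
    p, d = 11, 2
    for a in (1, p - 1):                      # a = 1 versus a = -1
        print(f"a={a:>2}: complete={is_complete(a, d, p)}, "
              f"points={len(curve_points(a, d, p))}, "
              f"exceptional pairs={len(exceptional_pairs(a, d, p))}")
```

With a = -1 the pair (1,3), (4,5) already makes 1 + d*x1*x2*y1*y2 vanish, which is exactly the kind of input an implementation using the fast a = -1 formulas would have to special-case; with a = 1 and the same d no such pair exists.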