Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as a RG document

[Ilari Liusvaara <ilari.liusvaara@elisanet.fi>]

On Mon, Jan 05, 2015 at 11:49:47AM -0800, Adam Langley wrote:
> On Mon, Jan 5, 2015 at 11:15 AM, Alexey Melnikov
> <alexey.melnikov@isode.com> wrote:
> > whether you want a particular change be made to the
> > document before adoption.
> 
> The structure of the current draft anticipates an additional curve and
> also signature work so I'd like to point out a couple of changes to
> save others having to do so:
> 
> 1) If no other curves end up being recommended, then the current
> generation process is overly complicated and could well be replaced
> with a description that mirrors how curve25519 was actually chosen:
> i.e. that the minimal sensible A value in Montgomery form be chosen.
> It really depends on how important a generic procedure is seen to be.

I think curve generation procedure should be there.
 
> 2) The procedure for generating base points is currently unused and,
> if change (1) is done, it could be tweaked to reflect how the
> curve25519 base point was generated.

Also, the past precent on base point generation on Edwards curves seems
to be the least y, least x with big prime order.

But the procedure here looks acceptable as well.

> 3) If we don't end up saying anything about signatures, all mention of
> Edwards curves could conceivably be dropped.

Also, depending on exact signature scheme, having full isogeny/isomorphism
chains to Weierstrass (these are easy enough to either find or derive, but
still) and back (the dual isogeny for Edwards and Montgomery is more
difficult to find) would be useful.

Specifically, the place where that dual isogneny would be useful is
if using ECDSA (yes, I know) with Weierstrass public keys. That would
avoid implementing Weierstrass (which is somewhat annoying, even if
doing public-only computations and having the field routines).


-Ilari