Re: [Cfrg] 512-bit twisted Edwards curve and curve generation methods in Russian standardization

Tony Arcieri <bascule@gmail.com> Wed, 28 January 2015 17:22 UTC

On Wed, Jan 28, 2015 at 6:14 AM, Stanislav V. Smyshlyaev <smyshsv@gmail.com>
wrote:

> As we believe (and as it has been mentioned earlier during discussion at
> CFRG), the initial seed value doesn't have to be chosen explicitly in case
> of trust in basic hash function properties – to gain some "backdoor-type"
> properties of the curve with d = hash(W), one has either to combine such
> algebraic properties of a curve with properties of a hash function (for a
> trivial example, to have an ability to obtain a hash preimage) or to choose
> a very probable "backdoor-type" property of a curve (such that it is
> possible to obtain by random choice of a curve).
>

Hi Stanislav,

Dan Bernstein and Tanja Lange have already demonstrated that such
"verifiably random" generation procedures can be used to surreptitiously
tweak specific curve parameters:

http://safecurves.cr.yp.to/bada55.html

I for one would not feel particularly inclined to trust a curve generated
with this method, and would personally prefer the sort of rigid curve
generation approach that this committee and others have been working on to
any curve with large unexplained mystery constants.

-- 
Tony Arcieri
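An added illustration (my own, not part of this thread or of the Russian procedure it discusses) of the counting argument both messages above rely on: when d = hash(seed), the party choosing the seed can steer d into any property of probability about 2^-k with about 2^k hash evaluations, so the "very probable backdoor-type property" in the quoted text only has to be probable enough to fit the seed-chooser's hashing budget. The field prime, the seed and the predicate are constructed toy values.

```python
import hashlib
import math

# Constructed toy field: a 61-bit prime so the demonstration runs instantly.
# Real standards use 256- or 512-bit primes; the counting argument is identical.
P = (1 << 61) - 1
P_BITS = 61


def derive_d(seed: bytes, counter: int) -> int:
    """'Verifiably random' parameter: d = SHA-256(seed || counter) mod P.
    Anyone can recompute d from (seed, counter), which is what makes the
    procedure look trustworthy."""
    digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % P


def top_bits_zero(k: int):
    """Stand-in for a 'backdoor-type' property that a random d satisfies with
    probability about 2^-k. In the BADA55 setting this would be an algebraic
    property of the resulting curve, checked per candidate; here it is simply
    'the top k bits of d are zero' so the demo stays cheap."""
    return lambda d: d >> (P_BITS - k) == 0


def search_seed(seed: bytes, predicate, max_tries: int = 1 << 22):
    """Play the party that picks the seed: advance the counter until the
    derived d has the wanted property. Returns (counter, d), or None when
    max_tries is exhausted. The pair (seed, counter) is then what a
    'verifiably random' procedure would publish."""
    for counter in range(max_tries):
        d = derive_d(seed, counter)
        if predicate(d):
            return counter, d
    return None


def freedom_bits(tries: int) -> float:
    """Degrees of freedom gained from `tries` hash evaluations: every property
    with probability at least 2^-freedom_bits(tries) is reachable."""
    return math.log2(tries)


if __name__ == "__main__":
    found = search_seed(b"constructed-seed", top_bits_zero(12))
    print("counter, d:", found)
    print("freedom with 2^22 tries:", freedom_bits(1 << 22), "bits")
```

The per-trial cost on a real curve is a point-count or other property check rather than one SHA-256 call, but the number of trials needed is the same, which is the reason a rigid, budget-free derivation is preferred.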