Re: [Cfrg] Curve manipulation, revisited

Adam Langley <> Sat, 27 December 2014 09:38 UTC

On Fri, Dec 26, 2014 at 1:50 PM, David Gil <> wrote:
> I assume that you mean finite fields, not curves?
> (This would seem to be just as good of an argument for generating
> Edwards curves over the Salinas primes, which are rather widely
> implemented...)

Sharing the underlying field certainly helps reduce implementation
effort, but there's still lots more work than that, including all of
the duplication of test cases that inherently comes from each
additional curve.

(Not to mention that I consider the Salinas primes to be a bug-magnet
to such an extent that replacing the field in that case would probably
still be a net-positive for correctness.)

> Alas, no, I don't have that advantage: WebCrypto [has more-or-less
> decided][w3c_curves] that they will only implement CFRG-recommended
> curves. I need WebCrypto support -- for non-extractable keys.
> But I also need to have something that is relatively clean to
> implement in JS, for support of legacy-ish browsers.

I would currently expect Chrome to be in the "legacy" set if you want
WebCrypto support for a larger CFRG curve.