Re: [Cfrg] Curve manipulation, revisited

Adam Langley <agl@imperialviolet.org> Sat, 27 December 2014 09:38 UTC

In-Reply-To: <1223557431.954984.1419630657780.JavaMail.yahoo@jws100194.mail.ne1.yahoo.com>
References: <1223557431.954984.1419630657780.JavaMail.yahoo@jws100194.mail.ne1.yahoo.com>
Date: Sat, 27 Dec 2014 01:38:08 -0800
Message-ID: <CAMfhd9UKM1gKrsq7voKyZwUGv+ix3pX+p_Y7soeyjqtCj15EPA@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
To: David Gil <dgil@yahoo-inc.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/lKMurDUMzlUgfytkLXteYIDfISY
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Curve manipulation, revisited

On Fri, Dec 26, 2014 at 1:50 PM, David Gil <dgil@yahoo-inc.com> wrote:
> I assume that you mean finite fields, not curves?
>
> (This would seem to be just as good an argument for generating
> Edwards curves over the Solinas primes, which are rather widely
> implemented...)

Sharing the underlying field certainly helps reduce implementation
effort, but there's still lots more work than that, including all of
the duplication of test cases that inherently comes from each
additional curve.

(Not to mention that I consider the Solinas primes to be a bug-magnet
to such an extent that replacing the field in that case would probably
still be a net-positive for correctness.)

> Alas, no, I don't have that advantage: WebCrypto [has more-or-less
> decided][w3c_curves] that they will only implement CFRG-recommended
> curves. I need WebCrypto support -- for non-extractable keys.
> But I also need to have something that is relatively clean to
> implement in JS, for support of legacy-ish browsers.

I would currently expect Chrome to be in the "legacy" set if you want
WebCrypto support for a larger CFRG curve.


Cheers

AGL