[Cfrg] On curves

Watson Ladd <watsonbladd@gmail.com> Thu, 03 July 2014 02:37 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/lxDYPvzMPwkGqQDaPaMJsZzRIM0

Dear all,
After thinking about it for a bit, I've come up with the following
summary of my current position.

For compressed Edwards points, having p=3 (mod 4) is slightly easier
to explain how to deal with than p=5 (mod 8). We want to have the
same prime

There is no point to adding additional Weierstrass curves: additional
performance alone isn't that compelling unless implementors want to
implement a bunch of curves. Doing a good implementation is a bunch of
work, and in particular while a saturated word arithmetic is easy,
it's not worth doing unsaturated arithmetic unnecessarily.

Likewise the difference between 2^256 and 2^255 is minor in security,
but has a performance hit, so I would try to avoid going over word
boundaries.

As a result I suggest a Montgomery curve and isogenous twisted Edwards
curve with primes of the form p=2^(64*b-1)-c, c minimal so p is 3 (mod
4). I believe these have been computed by Longa et al.

However, at the 128-bit level, I see no technical arguments against
Curve25519. It's really a WG decision as to how to do it.

This leaves the question of point representation: I would use Edwards
form with point compression: the Montgomery form has advantages in
variable-base multiplication, but it appears that summing the time of
one variable-base multiplication with one fixed-base multiplication
comes out lower for Edwards form. Again, for everything but signatures
the difference is probably minor.

Sincerely,
Watson Ladd
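
Added example, not part of the original message: a sketch of x-recovery for a compressed Edwards point, showing the single-exponentiation square root available when p = 3 (mod 4) next to the extra sqrt(-1) correction needed when p = 5 (mod 8). Assumptions: the toy curve over 2^127-1 is constructed for this illustration, the Ed25519 constants (a = -1, d = -121665/121666) are not from the message, and the code is not constant-time.

```python
# Added illustration: recovering x for a compressed twisted Edwards point
# a*x^2 + y^2 = 1 + d*x^2*y^2 stored as (y, low bit of x).
P127 = 2**127 - 1      # of the form 2^(64*b-1) - c (b=2, c=1); 3 (mod 4)
P25519 = 2**255 - 19   # Curve25519 prime; 5 (mod 8)
ED25519_D = -121665 * pow(121666, P25519 - 2, P25519) % P25519  # used with a = -1
# Constructed toy curve over P127 (a = 1): d is chosen so that (3, 5) lies on it.
TOY_D = 11 * pow(75, P127 - 2, P127) % P127

def sqrt_3mod4(u, p):
    """Square root for p = 3 (mod 4): one exponentiation, one check."""
    u %= p
    r = pow(u, (p + 1) // 4, p)
    return r if r * r % p == u else None

def sqrt_5mod8(u, p):
    """Square root for p = 5 (mod 8): the candidate may be off by sqrt(-1)."""
    u %= p
    r = pow(u, (p + 3) // 8, p)
    if r * r % p == u:
        return r
    if r * r % p == (-u) % p:
        # 2 is a non-residue when p = 5 (mod 8), so 2^((p-1)/4) squares to -1.
        return r * pow(2, (p - 1) // 4, p) % p
    return None

def recover_x(y, x_bit, a, d, p):
    """Return x for the encoding (y, x_bit), or None if the encoding is invalid."""
    num = (y * y - 1) % p
    den = (d * y * y - a) % p
    if den == 0:
        return None
    u = num * pow(den, p - 2, p) % p          # x^2 = (y^2 - 1) / (d*y^2 - a)
    x = sqrt_3mod4(u, p) if p % 4 == 3 else sqrt_5mod8(u, p)
    if x is None or (x == 0 and x_bit == 1):
        return None                            # not on the curve, or "-0"
    return x if (x & 1) == x_bit else p - x

if __name__ == "__main__":
    y_b = 4 * pow(5, P25519 - 2, P25519) % P25519   # Ed25519 base point y = 4/5
    print("toy curve x:", recover_x(5, 1, 1, TOY_D, P127))
    print("Ed25519 base x:", recover_x(y_b, 0, -1, ED25519_D, P25519))
```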