Re: [Cfrg] A draft merging rpgecc and thecurve25519function.

Stephen Farrell <> Fri, 02 January 2015 19:31 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id C305F1A037A for <>; Fri, 2 Jan 2015 11:31:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jsQsgKjWUa9P for <>; Fri, 2 Jan 2015 11:31:28 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 92F781A0390 for <>; Fri, 2 Jan 2015 11:31:27 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id E1703BF09; Fri, 2 Jan 2015 19:31:25 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aXiQIcT808i7; Fri, 2 Jan 2015 19:31:23 +0000 (GMT)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 5E067BEC9; Fri, 2 Jan 2015 19:31:23 +0000 (GMT)
Message-ID: <>
Date: Fri, 02 Jan 2015 19:31:20 +0000
From: Stephen Farrell <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Adam Langley <>, "" <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [Cfrg] A draft merging rpgecc and thecurve25519function.
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 02 Jan 2015 19:31:30 -0000

(Speaking as a random RG participant, not as an IESG member...)

I just had a quick read of that, and while I'm not qualified
to judge all the details this seems like a fine text to me
and also seems to me to meet what I understand are the main
reasonable constraints that folks have expressed.

I'm sure the RG could figure out how to split that text into
multiple documents easily enough when considering how to deal
with other security levels so I don't think Brian's concern
is a showstopper (his concern is one that needs to be dealt
with I agree).

If the chairs were able to determine if the RG had reached
rough consensus on the meaty content of [1], but that there
is still work to be done, then I think we'd have made
significant progress.



On 01/01/15 22:00, Adam Langley wrote:
> Since everyone is agreed to within an isogeny of curve25519 at ~128
> bits, and since there's no performance reason to pick one isogeny over
> another (see my mail from yesterday), I've created an outline for what
> currently appears (to me) to be the only way that we might reach
> agreement.
> It takes the generation procedure from draft-black-rpgecc-01,
> generates the resulting curve with p=2^255-19 and then ends up with
> curve25519 by pointing out that there's no difference in security
> between isogenies and motivates it by compatibility with existing
> practice.
> Then it includes draft-turner-thecurve25519function in order to nail
> down the wire-format and describe how to perform ECDH.
> The resulting agglomeration is at
> (requires
> XSLT support in the browser) and
> (Although, until there's clarity on whether the outline is viable, the
> details in the draft are unimportant.)
> I have not listed the authors of the two source documents as authors
> yet because that might suggest that they support the result. Instead
> I've made the sources clear in section 1.
> It does not suggest a signature scheme, despite several people
> suggesting that it would be required in recent days, because I don't
> think that we're at that point yet.
> Cheers