Re: [Cfrg] Elliptic Curves - curve form and coordinate systems

Alyssa Rowan <akr@akr.io> Mon, 16 March 2015 06:49 UTC


On 2015-03-16 05:26, Andrey Jivsov wrote:

> …without a known exploit (because the bug was at the very low 
> level).

Just because we got luckier this time, doesn't mean we will every time.

> I like the _fast_ choice above. Most people will use libraries

Bugs happen in libraries like OpenSSL or SChannel too. (And no, not
everyone does; look at the prevalence of RC4.)

> The main rationale is that this allows more implementation
> choices. The past research on ECC optimizations was counting on the
> ability to add points. If the recipient must decompress, this works
> as 10% toll on present and future improvements.

If it isn't at least as fast as that, why sacrifice the simplicity?

> If a particular application must optimize code and data size, it 
> should use the Montgomery ladder. There are many applications for 
> which code size of the public key crypto is at the bottom of the 
> priority list.

Simple code (and hardware) is easier to audit. That's why simplicity
was at the top of our original requirements list. It should stay there.

I'm clear I want to stick with the existing Montgomery-X wire format for
ECDH.

Changing that in any way harms simplicity, introduces interoperability
problems with the many existing implementations of X25519, and doesn't
bring any significant benefit to performance.

-- 
/akr
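
The Montgomery-X wire format argued for in this message, as an added example (not part of the original post, and not code from any implementation named in the thread): a Python sketch of the x-only ladder as specified in RFC 7748, showing that the receiver parses 32 bytes and runs the ladder with no decompression step. The helper names, `demo_exchange` and the sample private keys are constructed for illustration, and the code is not constant-time.

```python
# Added illustration: x-only X25519 following RFC 7748.
# Not constant-time (Python big ints, data-dependent swap); not for deployment.
P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4, from the Curve25519 coefficient
BASE_U = (9).to_bytes(32, "little")

def decode_u(wire: bytes) -> int:
    """Parse the wire format: 32 little-endian bytes, top bit ignored."""
    if len(wire) != 32:
        raise ValueError("u-coordinate must be exactly 32 bytes")
    return (int.from_bytes(wire, "little") & ((1 << 255) - 1)) % P

def clamp(scalar: bytes) -> int:
    """Clear the low 3 bits and bit 255, set bit 254."""
    if len(scalar) != 32:
        raise ValueError("scalar must be exactly 32 bytes")
    n = int.from_bytes(scalar, "little")
    return (n & ((1 << 255) - 8)) | (1 << 254)

def x25519(scalar: bytes, wire_u: bytes) -> bytes:
    """Montgomery ladder on u only: no y, no square root, no sign bit."""
    n, x1 = clamp(scalar), decode_u(wire_u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:  # conditional swap of the two ladder points
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    # Single inversion at the end; the output is again a bare u-coordinate
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def demo_exchange():
    """Both sides derive the same secret from 32-byte public values."""
    a, b = bytes(range(32)), bytes(range(32, 64))  # constructed sample keys
    a_pub, b_pub = x25519(a, BASE_U), x25519(b, BASE_U)
    return x25519(a, b_pub), x25519(b, a_pub)
```

Every 32-byte string is accepted as a public value, so the only input check on the receive path is the length.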