Re: [Cfrg] Complete addition for cofactor 1 short Weierstrass curve?

Watson Ladd <watsonbladd@gmail.com> Mon, 02 November 2015 16:20 UTC

It's completely irrelevant in practice. Multiplying points by 4 or 8
before hashing and after subtracting for equality checks produces a
prime order group without the efficiency loss inherent to these
formulas. Furthermore, applications we have today only rely on ECDH
and signatures, both of which are specified with arbitrary cofactor in
NIST standards, for instance.

On Mon, Nov 2, 2015 at 10:49 AM, Dan Brown <dbrown@certicom.com> wrote:
> http://ia.cr/2015/1060
>
> seems to finally have more efficient answers to the old questions above and
> below.
>
>> -----Original Message-----
>> From: Samuel Neves [mailto:sneves@dei.uc.pt]
>> Sent: Monday, December 08, 2014 4:11 PM
>> To: Dan Brown; 'cfrg@irtf.org'
>> Subject: Re: [Cfrg] Complete addition for cofactor 1 short Weierstrass curve?
>>
>> On 08-12-2014 18:46, Dan Brown wrote:
>> > Regarding that proviso, I wonder how much the second Bosma-Lenstra
>> > formula (the one I called (G:H:I), which is the one that corresponds
>> > to the line (0:1:0) in the Bosma-Lenstra paper) would be slower than
>> > the standard incomplete formula.  That is, has anybody tried to
>> > optimize it?  (Naively, with a small a_4, I get a cost of 51M, but I
>> > expect much better is possible.)  Also, there seem to be many
>> > k-complete formulas per curve, and perhaps some are faster than
>> > others; is this studied?
>>
>> Both Arene-Kohel-Ritzenthaler (https://arxiv.org/abs/1102.2349, Remark 4.4)
>> and Bos-Costello-Longa-Naehrig (https://eprint.iacr.org/2014/130, pg 37)
>> present simplified formulas, both beating 51M. I don't know of other
>> attempts to optimize complete Weierstrass formulas.



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.
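
The cofactor clearing described in the reply above, as an added example that is not part of the original message: multiply by the cofactor before hashing a point, and multiply the difference of two points by it before comparing to the identity. The toy Edwards curve, the prime 1009, the multiplier H = 4 and all function names are assumptions chosen for illustration; a real curve uses its own full cofactor.

```python
# Toy Edwards curve x^2 + y^2 = 1 + d*x^2*y^2 over F_p (constructed, insecure size).
import hashlib

P_MOD = 1009   # small prime, assumption for illustration
H = 4          # multiplier that kills the 4-torsion; (1, 0) always has order 4

def is_square(a):
    return pow(a, (P_MOD - 1) // 2, P_MOD) == 1

# A non-square d makes this addition law complete: no exceptional inputs.
D = next(d for d in range(2, P_MOD) if not is_square(d))
IDENTITY, T4 = (0, 1), (1, 0)

def inv(a):
    return pow(a, P_MOD - 2, P_MOD)

def on_curve(pt):
    x, y = pt
    return (x*x + y*y - 1 - D*x*x*y*y) % P_MOD == 0

def add(a, b):
    (x1, y1), (x2, y2) = a, b
    k = D * x1 * x2 * y1 * y2
    return ((x1*y2 + y1*x2) * inv(1 + k) % P_MOD,
            (y1*y2 - x1*x2) * inv(1 - k) % P_MOD)

def neg(a):
    return (-a[0] % P_MOD, a[1])

def mul(n, a):
    acc = IDENTITY
    for bit in bin(n)[2:]:          # left-to-right double-and-add (not constant time)
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, a)
    return acc

def find_point():
    for x in range(2, P_MOD):       # brute force is fine at this toy size
        y2 = (1 - x*x) * inv(1 - D*x*x) % P_MOD
        for y in range(1, P_MOD):
            if y*y % P_MOD == y2:
                return (x, y)

def equal_mod_torsion(a, b):
    return mul(H, add(a, neg(b))) == IDENTITY   # subtract, then multiply by H

def hash_point(a):
    return hashlib.sha256(repr(mul(H, a)).encode()).hexdigest()  # multiply, then hash
```

A point and the same point shifted by the order-4 point `T4` differ as coordinates but compare equal and hash identically once the multiplier is applied.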