Re: [Cfrg] Fwd: [TLS] Curve25519 in TLS and Additional Curves in TLS

Andrey Jivsov <crypto@brainhub.org> Tue, 28 January 2014 08:26 UTC

On 01/23/2014 06:58 PM, Robert Ransom wrote:
> On 1/23/14, Andrey Jivsov <crypto@brainhub.org> wrote:
>
>> Wouldn't http://tools.ietf.org/html/draft-jivsov-ecc-compact be another
>> method?
>
>> ( BTW, the proposal in the draft is in public domain since it was
>> published on December 10, 2012. )
>
> Are you claiming that the point format that I suggested is patented?

I was making a statement about my contribution, in case this issue comes up.

The IP for the use of 1 bit to compress a point is common knowledge,
but I've heard that some of them are expiring.

However, I am concerned about the cofactor issue. These curves have a
cofactor greater than 1. Unlike "unsafe" NIST curves, this needs to be
handled. The draft suggests methods that, as I understand them, may run
into IP issues. Besides, there may be protocols that want to do classic 
DH. One solution to these issues is to enumerate the points in the small 
subgroup, explicitly in the document, or by providing the method to 
identify them.
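
The last option in the message above, a method to identify points in the small subgroup, can be illustrated for Curve25519 as follows. This is an added example, not part of the message or of either draft; the function names are hypothetical, and it assumes the Montgomery x-coordinate form with the constants given in RFC 7748.

```python
# Added illustration: x-only small-order test on Curve25519 (Montgomery form).
P = 2**255 - 19          # field prime
A24 = 121665             # (A - 2) / 4 for A = 486662, as in RFC 7748
COFACTOR_LOG2 = 3        # cofactor 8 on the curve (the twist has cofactor 4)


def xdbl(X, Z):
    """Projective x-only doubling on y^2 = x^3 + A*x^2 + x."""
    aa = (X + Z) ** 2 % P
    bb = (X - Z) ** 2 % P
    e = (aa - bb) % P                 # e = 4*X*Z
    return aa * bb % P, e * (aa + A24 * e) % P


def small_order(x):
    """Return the order (2, 4 or 8) if x is the x-coordinate of a
    small-subgroup point on the curve or its twist, else None."""
    X, Z = x % P, 1                   # non-canonical encodings reduce mod p
    for k in range(1, COFACTOR_LOG2 + 1):
        X, Z = xdbl(X, Z)
        if Z == 0:                    # doubling reached the point at infinity
            return 2 ** k
    return None


def checked_peer_x(x):
    """Reject a received x-coordinate that lies in the small subgroup."""
    if small_order(x) is not None:
        raise ValueError("peer point has small order")
    return x % P
```

Because the x-only doubling formula is the same on the curve and on its twist, three doublings cover both cofactors.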