Re: [Cfrg] New names for draft-ladd-safecurves

Paul Lambert <paul@marvell.com> Tue, 21 January 2014 18:30 UTC

Return-Path: <paul@marvell.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 300231A0176 for <cfrg@ietfa.amsl.com>; Tue, 21 Jan 2014 10:30:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.567
X-Spam-Level:
X-Spam-Status: No, score=-1.567 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5xs3sBVH6jRL for <cfrg@ietfa.amsl.com>; Tue, 21 Jan 2014 10:30:56 -0800 (PST)
Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by ietfa.amsl.com (Postfix) with ESMTP id 880C51A0135 for <cfrg@irtf.org>; Tue, 21 Jan 2014 10:30:56 -0800 (PST)
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id s0LIUgxd014386; Tue, 21 Jan 2014 10:30:43 -0800
Received: from sc-owa.marvell.com ([199.233.58.135]) by mx0b-0016f401.pphosted.com with ESMTP id 1hfp05umkb-28 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 21 Jan 2014 10:30:43 -0800
Received: from SC-vEXCH2.marvell.com ([10.93.76.134]) by SC-OWA.marvell.com ([::1]) with mapi; Tue, 21 Jan 2014 10:30:40 -0800
From: Paul Lambert <paul@marvell.com>
To: Watson Ladd <watsonbladd@gmail.com>, Bodo Moeller <bmoeller@acm.org>
Date: Tue, 21 Jan 2014 10:30:41 -0800
Thread-Topic: [Cfrg] New names for draft-ladd-safecurves
Thread-Index: Ac8W1uL8paFR769jS9iFTzJiEjpqag==
Message-ID: <CF03FB51.2CEE5%paul@marvell.com>
References: <CACsn0ck02mnETBUfuyJjLV9K8Yuiki8_-RG0tVszL8BDhkK27w@mail.gmail.com> <6489F7D3-BF54-416F-94BE-64FD1CFCCB1E@callas.org> <CADMpkc+fxfXL8A21bGKgobKFvHxhQaiCEzROQmX4uH_73bgk1Q@mail.gmail.com> <CACsn0c=yrO5WiqshQ0z-eF+u1boyUYK5OQdr_XORXKTzJ7=KKA@mail.gmail.com>
In-Reply-To: <CACsn0c=yrO5WiqshQ0z-eF+u1boyUYK5OQdr_XORXKTzJ7=KKA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-01-21_07:2014-01-21, 2014-01-21, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1401210125
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Jon Callas <jon@callas.org>
Subject: Re: [Cfrg] New names for draft-ladd-safecurves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jan 2014 18:30:58 -0000

On 1/21/14, 8:33 AM, "Watson Ladd" <watsonbladd@gmail.com> wrote:

>On Tue, Jan 21, 2014 at 7:28 AM, Bodo Moeller <bmoeller@acm.org> wrote:
>> Jon Callas <jon@callas.org>rg>:
>>
>>> I spent time talking to Dan and Tanja this weekend at ShmooCon about
>>>this
>>> sort of thing and I think that our agreement was that names like "Curve
>>> 255-19" (which covers both Curve25519 and Ed25519) or "Curve 414-17"
>>>(for
>>> the curve formerly known as Curve3617) made sense.

Two names would be better to differentiate between a Edwards or Montgomery
based point representation for the same curve.

WE also are working on the assumption that there are just one curve choice
for a particular field size. We should provide a extensible naming scheme
that would allow the later introduction additional options (e.g. Ed255
would be #1 of that size and flavor).

Paul 


>
>My one concern which I've stated before is that we would then need a
>single wire format for Curve25519 and Ed25519.
>Robert Ransom's idea (sorry for the hijack) is the following: Suppose
>Bv^2=u^3+Au^2+u is isogenous to ax^2+y^2=1+dx^2y^2, with the isogenies
>u=(1+y)/(1-y), v=(1+y)/(1-y)x=ux. Then we represent points as u and
>the sign of x.
>
>A=2(a+d)/(a-d)
>B=4/(a-d).
>
>An implementation using the Montgomery ladder to multiply proceeds as
>usual, using the fact that A is the reciprocal of a small integer
>to rewrite the equations. It then reconstructs v (there is a fast
>formula), and uses that to compute the sign of x. One using the
>Edwards curves proceeds as usual, then inverts the isogeny to get u,
>and uses x to get the sign bit.
>The argument for this is we can specify all our curves in twisted
>Edwards form with d small, a=+/-1, and life is nice for everyone.
>Unfortunately Curve25519 doesn't fit this nice pattern, and people
>want to use that exact curve. This form also involves a bit of extra
>field math for everyone, even if they are all going to do ECDH or
>Edwards addition afterwards, and so will want that form anyway. There
>is also a problem of exceptional cases if a and d are nonsquares
>modulo p for example.
>
>Have I rendered correctly the arguments for and against?
>>
>>
>> Yes, it does. This would fix the single major flaw of Curve25519 --
>> concatenating base-10 numbers to spell out a tuple just doesn't make
>>sense
>> (except as a trap, so that if anyone reads it out as "twenty-five
>>thousand
>> ..." you'll know they don't know what they're saying).  I also don't
>>really
>> like having whitespace in those names, so I'd prefer "Curve-255-19" over
>> "Curve 255-19".
>>
>> ("Curve" isn't very descriptive, but I've yet to see a more descriptive
>>name
>> for this curve that is actually helpful.)
>
>NIST isn't useful either as a prefix, but we live with it.
>Anyway, my view is whatever people want to call these they can call
>them, bobo and kiki aside.
>>
>> Bodo
>>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>>
>
>
>
>-- 
>"Those who would give up Essential Liberty to purchase a little
>Temporary Safety deserve neither  Liberty nor Safety."
>-- Benjamin Franklin
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>http://www.irtf.org/mailman/listinfo/cfrg