Re: [Cfrg] Formal request from TLS WG to CFRG for new elliptic curves
Andrey Jivsov <crypto@brainhub.org> Mon, 21 July 2014 02:32 UTC
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/w5JToNNLcA3WtjOGdnoazUReYek
> s: Denotes the bit length, here s in {256,384,512}.
> p: Denotes the prime number defining the base field.
> c: A positive integer used in the representation of the prime
> p = 2^s - c.

In light of the recent discussion, would an attempt to reach a consensus on the value of p first have a higher chance of success at this point?

Assuming we want a new p, some arguments for a fixed F(p) are:

* the specs like Curve25519 are "stacks of layers", which prescribe a curve, co-factor multiplication, F(p) operations, and an integer format (fixing p seems like one of the least controversial tasks among these "layers")
* the performance advantages are mostly attributed to the F(p) operations (a factor of n improvement in F(p) results in ~ n^2 curve performance)
* F(p) operations are platform-specific (if there is assembler code used in the "stack", it will likely be restricted to the F(p))
* F(p) clarity will let hardware vendors focus on optimizations (and not worry about the entire stack)
* the same F(p) doesn't prohibit multiple curves over it (fixing F(p) first and the curve or curves later will allow implementations to proceed sooner and enables a compromise)
* a fixed F(p) allows greater flexibility to upgrade the curves (future curves will likely have hardware support available, sensitive code reused)
* a fixed F(p) reduces the code size and increases interoperability (currently NUMS and Curve25519 are at odds here)

This narrow focus leads to these questions regarding the F(p):

* is a pseudo-Mersenne p an appropriate p for the new curves (the only con to this so far is that such a p fixes the curve's order to be close to 2^s; besides the trivial one that this makes Pollard-rho faster)
* Curve25519 uses 255 instead of 256; however, CFRG can choose s=255 for 128-bit security as well (citing "historic" reasons).

Should CFRG seek consensus on the above two questions first?
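The post's two technical points about a pseudo-Mersenne p = 2^s - c are (a) that F(p) arithmetic gets cheap because reduction needs no division, and (b) that such a p pins the curve's group order close to 2^s. The following is an added illustration, not code from the post, from Curve25519 or from any CFRG draft; the function names are mine, the reduction uses the identity 2^s == c (mod p), and the only parameters taken from the post are s=255, c=19 (the Curve25519 field). The order bound is derived from the Hasse interval |#E - (p+1)| <= 2*sqrt(p), which holds for every elliptic curve over F(p) regardless of the curve chosen later.

```python
# Added example (not from the list post): what p = 2^s - c buys an implementer,
# and why it forces every curve over F(p) to have order near 2^s.
import math


def pseudo_mersenne_reduce(x, s, c):
    """Reduce a non-negative integer x modulo p = 2^s - c.

    Since 2^s == c (mod p), the bits of x at or above position s can be
    folded down: hi * 2^s is replaced by hi * c.  Only shifts, masks and a
    multiply by the small constant c are needed, which is the reason such
    primes make F(p) multiplication cheap on every platform.
    """
    assert x >= 0 and c >= 1
    p = (1 << s) - c
    mask = (1 << s) - 1
    while x >> s:                    # while x still has bits at or above 2^s
        hi, lo = x >> s, x & mask
        x = lo + hi * c              # hi * 2^s == hi * c  (mod p)
    if x >= p:                       # now x < 2^s = p + c, so one subtraction suffices
        x -= p
    return x


def field_mul(a, b, s, c):
    """Multiply two F(p) elements and reduce the double-width product."""
    return pseudo_mersenne_reduce(a * b, s, c)


def hasse_interval(p):
    """Range of possible point counts #E for any elliptic curve over F(p):
    |#E - (p + 1)| <= 2*sqrt(p).  isqrt(4p) equals floor(2*sqrt(p))."""
    half_width = math.isqrt(4 * p)
    return p + 1 - half_width, p + 1 + half_width


def max_order_deviation(s, c):
    """Largest possible |#E - 2^s| for a curve over F(2^s - c).

    Combining 2^s = p + c with the Hasse bound gives
    |#E - 2^s| <= (c - 1) + isqrt(4p), i.e. roughly 2^(s/2 + 1): whatever
    curve is picked later, its order is already fixed to lie that close
    to 2^s.  This is the "order close to 2^s" point raised in the post.
    """
    p = (1 << s) - c
    lo, hi = hasse_interval(p)
    two_s = 1 << s
    return max(abs(lo - two_s), abs(hi - two_s))


if __name__ == "__main__":
    s, c = 255, 19                   # the Curve25519 field named in the post
    p = (1 << s) - c
    print(field_mul(p - 1, p - 1, s, c))            # (-1)*(-1) mod p -> 1
    print(max_order_deviation(s, c).bit_length())   # 129: order is 2^255 +/- ~2^129
```

The while loop runs at most a few times: a double-width product (below 2^(2s)) folds to below 2^s * (c + 1) in one pass, and a second pass leaves at most c + 1 bits above the threshold, which the final conditional subtraction then clears. A constant-time implementation would unroll these fixed passes and replace the branch with a masked subtraction; the arithmetic itself is unchanged.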