Re: [Cfrg] Safecurves draft

Watson Ladd <watsonbladd@gmail.com> Wed, 08 January 2014 23:50 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 624E01AD959 for <cfrg@ietfa.amsl.com>; Wed, 8 Jan 2014 15:50:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZfB46dmRcbZ8 for <cfrg@ietfa.amsl.com>; Wed, 8 Jan 2014 15:50:15 -0800 (PST)
Received: from mail-we0-x22b.google.com (mail-we0-x22b.google.com [IPv6:2a00:1450:400c:c03::22b]) by ietfa.amsl.com (Postfix) with ESMTP id EC0D31AD9A9 for <cfrg@irtf.org>; Wed, 8 Jan 2014 15:50:14 -0800 (PST)
Received: by mail-we0-f171.google.com with SMTP id q58so2135593wes.16 for <cfrg@irtf.org>; Wed, 08 Jan 2014 15:50:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=t3kwyl6k0hboNXLe2NUhnWpokIBwT6GJe/z3KWOxg7A=; b=0+xmzkQAr1G4BVXJjNEajyILlduAQElwlPH8C13bNcWmlDUtEFAK0G5d2dkJpwtuqt RpmnE5ksO/bK5gOL43VAZvEUsg9naAUQHSj0I4SpSsxm0faQJsyO4q1vcTLfFhIOvb/g 3UJrMxRMq9WG199GNXwU9kxINH1V6EWZK5xkCcwYhOj0PbVQUUvq5fLlKpW6pWZrCyxh 0f3Ux8k4ee3ybAI/ZHdoVQtm0D/GUgpR9gF24R/PENS287yjYcswNfvGj90osuI/qgSL IuNxC6ZdI3WoIZZzSjzod+PEShTmHMtpgZMiIUMMfpY0iOliti5FJ6Fx5R9JY+NOV/KV zo4g==
MIME-Version: 1.0
X-Received: by 10.194.187.101 with SMTP id fr5mr13408507wjc.76.1389225005176; Wed, 08 Jan 2014 15:50:05 -0800 (PST)
Received: by 10.194.242.131 with HTTP; Wed, 8 Jan 2014 15:50:05 -0800 (PST)
In-Reply-To: <52CDDAE2.50708@akr.io>
References: <CACsn0cmPj-=bfwCLJXvHSbOS_U5AfZH2vTWfrVsXwOXF4Y9hcg@mail.gmail.com> <52CD9B98.2010208@elzevir.fr> <CACsn0c=OqqF4QhW8RH-BD_wtFoBtQKfYWqsGQ0mYDxohk=VbXQ@mail.gmail.com> <52CDDAE2.50708@akr.io>
Date: Wed, 08 Jan 2014 15:50:05 -0800
Message-ID: <CACsn0ckRQiAQEy-9TZt18EmkePicm8kvr6tkjMEa2+=MAbkWuQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Alyssa Rowan <akr@akr.io>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Safecurves draft
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2014 23:50:17 -0000

I asked Tanja about the two curves. The answer is that (A-2)/4 should
be small, but this is an efficiency problem with one of them, not
a security issue. My elligator belief was based on a misreading of a table.
I'll take out the bad one in the next version.
I'll add E521 and copy the formatting in the 01 draft, which I'll post
as soon as a few days go by the fix
Thanks for spotting the typos.

I don't want to rename curves because that induces consistency issues.
Removing dashes is a good idea.

The EFD formulas will go in appendix to address the URL problem, and
to address some people's desire for explicit formulas.
For validation I give you a point on the curve and a claimed order:
the Hasse-Weil bound plus a quick multiply does the rest. Validation
isn't normative, so I think we can refer people to safecurves.

On Wed, Jan 8, 2014 at 3:10 PM, Alyssa Rowan <akr@akr.io> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Glad to see this one get under way.
>
> I'm strongly in favour of the meat of the proposal.
>
> I have a couple of comments (mostly typographical and/or clarity).
>
> Maybe we should give an estimate of security (bitwise). [SAFECURVES]
> calculates that and otherwise it isn't crystal-clear from the names
> which curves would be about suitable for which security level.
>
> Any particular reason why Curve1174 wasn't included, as it's in the
> same strength category as Curve25519? (See below, for roughly how it
> would look if I think we did go for it?)
>
>>> Also, is it on purpose that you didn't include E-521 in your
>>> draft?
>> I simply copied the safecurves.cr.yp.to list starting at
>> Curve25519. There is no E-521 on that list.
>
> E-521 is in the revised reference in [2013 Aranha-Barreto-Pereira-
> Ricardini] <http://eprint.iacr.org/2013/647.pdf>. It looks like djb
> and Tanja Lange haven't finished putting it through all their own
> checks yet; at present it's on some pages (fields, rho, transfers,
> discriminants) but not others (base points, rigidity).
>
> It looks like they're mid-way through checking it. It'll very probably
> pass (identical design criteria; all its peers in the same paper did).
> Put it in the draft, take it out if for some reason it doesn't?
>
>>> why are there two Montgomery curves over GF(2^383-187)?
>> It's because one has an Elligator map and the other does not.
>
> You mean, an Elligator-1 map? (They all have Elligator-2 maps.)
>
> [2013 Aranha-Barreto-Pereira-Ricardini] version 20131031:234129
> replaces Curve383187 with an M-383 prototype with the following comment:
>     "Replaced the curve over the 383-bit field by a more
>      implementation-friendly curve."
>
> A's a little higher in that exact revision, but it appears they found
> a lower suitable one in November. The final M-383 is the one
> SafeCurves reviewed, although the older Curve383187 also passed.
>
>> Some applications require it, but not all.
>
> Not sure if there's a lot of point in having two Monty curves of the
> exact same field?
>
> [Typographical notes]
>
> The parameters for E-382 seem to be are miscopied in -00. Should be
> 2^382-105, and x²+y²=1-67254x²y² (not 2^382-15 and x²+y²=1-6725254x²y²).
>
> I suggest considering taking the dashes out of the canonical names
> People are going to refer to these in config files and command lines
> and heaven knows where else, so avoiding punctuation may be convenient
> (which I guess may be why none of the other curve names I can see used
> in IETF standards have any).
>
> For consistency, perhaps Curve1174, Curve25519, and Curve3617
> could be called in the standard after the formula and prime size (as in
> [2013 ABPR]), which would make them M255, E251, and E414 respectively?
> I've done that below; how does it look?
>
> I have honestly little idea about formatting of these things (other
> than that the canonical version is ASCII, like this email), but the
> way the basepoint and order are formatted is a little bit confusing as
> it is in draft-00.
>
> With the above in mind, how about something broadly like this?
>
> ==========================================================================
>
> 2. The Curves
>
>    Each curve is given by an equation and a basepoint, together with an
>    order. All curves are elliptic. Validation information is given at
>    [SAFECURVES]. The names given in this document indicate the family:
>    safecurveExxx for Edwards curves over a prime field GF(p), and
>    safecurveMxxx for Montgomery curves over a prime field GF(p).
>
>    * safecurveE251 (also known as Curve1174) [[ Do we want this one? ]]
>      p: 2^251-9
>      formula: x^2+y^2 = 1-1174x^2y^2
>      basepoint:
>         x: 1582619097725911541954547006453739763381091388846394833492
>            296309729998839514
>            (0x037FBB0C EA308C47 9343AEE7 C029A190
>               C021D96A 492ECD65 16123F27 BCE29EDA)
>         y: 3037538013604154504764115728651437646519513534305223422754
>            827055689195992590
>            (0x06B72F82 D47FB7CC 66568411 69840E0C
>               4FE2DEE2 AF3F976B A4CCB1BF 9B46360E)
>      [[ Rigidity note: This is the Edwards mapping of the Montgomery
>         point x=4, y=192257776421116702304087124422055147834030127084
>         09058383774613284963344096.
>         <http://cr.yp.to/elligator/elligator-20130527.pdf> ]]
>      Security versus rho: 2^124.3; twist: 2^124.3; combined: 2^123.3
>      order: 2^249 - 11332719920821432534773113288178349711
>
>    * safecurveM255 (also known as Curve25519)
>      p: 2^255-19
>      formula: y^2 = x^3+486662x^2+x
>      basepoint:
>         x: 9 (0x9)
>         y: 1478161944758954479102059356840998688726460613461647528896
>            4881837755586237401
>            (0x20AE19A1 B8A086B4 E01EDD2C 7748D14C
>               923D4D7E 6D7C61B2 29E9C5A2 7ECED3D9)
>      Security versus rho: 2^125.8; twist: 2^126.3; combined: 2^124.3
>      order: 2^252 + 27742317777372353535851937790883648493
>
>    * safecurveE382
>      p: 2^382-105
>      formula: x^2+y^2 = 1-67254x^2y^2
>      basepoint:
>         x: 3914921414754292646847594472454013487047137431784830634731
>            377862923477302047857640522480241298429278603678181725699
>            (0x196F8DD0 EAB20391 E5F05BE9 6E8D20AE
>               68F84003 2B0B6435 2923BAB8 53648411
>               93517DBC E8105398 EBC0CC94 70F79603)
>         y: 17 (0x11)
>      [[ Note: <http://eprint.iacr.org/2013/647.pdf> has different
>         basepoint y=13. Check: is that just a different mapping i.e.
>         Monty vs Eddie, or has the basepoint changed? If so, why? ]]
>      Security versus rho: 2^189.8; twist: 2^189.8; combined: 2^188.8
>      order: 2^380 - 1030303207694556153926491950732314247062623204330
>                     168346855
>
>    * safecurveM383
>      p: 2^383-187
>      formula: y^2 = x^3+2065150x^2+x
>      basepoint:
>         x: 12 (0xC)
>         y: 4737623401891753997660546300375902576839617167257703725630
>            389791524463565757299203154901655432096558642117242906494
>            (0x1EC7ED04 AAF834AF 310E304B 2DA0F328
>               E7C165F0 E8988ABD 39928612 90F617AA
>               1F1B2E7D 0B6E332E 969991B6 2555E77E)
>      Security versus rho: 2^189.8; twist: 2^190.3; combined: 2^188.3
>      order: 2^380 + 1662362759313735161052197949355421533080392344557
>                     61613271
>
>    * safecurveE414 (also known as Curve3617)
>      p: 2^414-17
>      formula: x^2+y^2 = 1+3617x^2y^2
>      basepoint:
>         x: 1731988647712118917771920249882261544355695730760434081525
>            6226171904769976866975908866528699294134494857887698432266
>            169206165
>            (0x1A334905 14144330 0218C063 1C326E5F
>               CD46369F 44C03EC7 F57FF354 98A4AB4D
>               6D6BA111 301A73FA A8537C64 C4FD3812
>               F3CBC595)
>         y: 34 (0x22)
>      Security versus rho: 2^205.3; twist: 2^205.3; combined: 2^203.8
>      order: 2^411 - 3336414086375514252081017769409838517898472720041
>                     1208589594759
>
>    * safecurveM511
>      p: 2^511-187
>      formula: y^2 = x^3+530438x^2+x
>      basepoint:
>         x: 5 (0x5)
>         y: 2500410645565072423368981149139213252211568685173608590070
>            9792642482752286038997069505181278171765918786677842475821
>            24505430745177116625808811349787373477
>            (0x2FBDC0AD 8530803D 28FDBAD3 54BB488D
>               32399AC1 CF8F6E01 EE3F9638 9B90C809
>               422B9429 E8A43DBF 49308AC4 455940AB
>               E9F1DBCA 542093A8 95E30A64 AF056FA5)
>      Security versus rho: 2^253.8; twist: 2^254.3; combined: 2^252.3
>      order: 2^508 + 1072475475963574762404453151406812184207075662743
>                     4833028965540808827675062043
>
>    * safecurveE521 [[ currently awaiting Safecurves approval ]]
>      p: 2^521-1
>      formula: x^2+y^2 = 1+376014x^2y^2
>      basepoint:
>         x: 2500410645565072423368981149139213252211568685173608590070
>            9792642482752286038997069505181278171765918786677842475821
>            24505430745177116625808811349787373477
>            (0x2FBDC0AD 8530803D 28FDBAD3 54BB488D
>               32399AC1 CF8F6E01 EE3F9638 9B90C809
>               422B9429 E8A43DBF 49308AC4 455940AB
>               E9F1DBCA 542093A8 95E30A64 AF056FA5)
>         y: 6 (0x6)
>      Security versus rho: 2^259.3; twist: 2^259.3; combined: 2^258.3
>      order: 2^519 - 3375547632585017057891076304187826360719049612140
>                     51226618635150085779108655765
>
> ==========================================================================
>
> Thoughts?
>
> (_Please_ cross-check the data thoroughly; I may well have made a
> typographical or calculation error of my own, and of course, extra
> checking is a good thing! Apologies in advance if I have; thanks for
> any extra pairs of eyes.)
>
> - --
> /akr
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJSzdriAAoJEOyEjtkWi2t6WIwP/0U70JKAV3WOnbZcMB58rtSM
> Ru7loFhn9TvU3jw/p+H2tvmeUs08hKYDUUWavp7/x1B9TX3t+j3rADsWkoN/pQQd
> obr8AMdOF6QiupCjSbeZoq+wLMIiZKX3IV0pSzaO8FpTdBrIzjXTHgPy1We8H7eC
> Wkc2VC6f6eX/qyjKm6Fh3CdySJZ2dPy0X96HBqcwOMd5/hmR7VQ4DNxMEOHEfCVA
> Z2WwwYl2xNxOQ1Dn9kb4FU6CVRCc4/7DENZ+2FrCWUp1zG/3d8mUGzpGVunOv9ed
> rKKHnR9fhYjhfNSmGuTfLHTXc5mVqmEjZzmX0u1UR1CEktEKN/Nu2DMbPHToNVAA
> D7znHER4JZ8eMf3zLTslp8Uw0QkOhJiYZpDm24qb5urBLmlu55s6tYerCFEH4hDn
> R5DUPVURTgCbnpSGolKwJ2lBz8zQxzKCi9QoWV/VDNasg0L/ADIJeJUfpqdByWAz
> jFaFSVAgmf8df7X9WflV8ZCPkuoMszNZ9iGJn7AQTqUbjsMDfvqmOLfvFHD4Srzt
> tJtmDEL62O8Wml2zHN5hG/6ltfj9EZC+hl/EBSSCG1+nMqVodic5v4+E/lLU23/x
> db+l3PCsREZIURuT7o0YxukolV+93zbNlfOtd93HgB018rSeS+PBJ3yljN25h1Aa
> 5GNONjspxg93Z219jaNX
> =FUIv
> -----END PGP SIGNATURE-----
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin