Re: [Cfrg] big-endian short-Weierstrass please
Phillip Hallam-Baker <phill@hallambaker.com> Thu, 29 January 2015 18:18 UTC

On Thu, Jan 29, 2015 at 12:50 PM, Watson Ladd <watsonbladd@gmail.com> wrote:

> > More importantly, I can't use your curves unless you can prove to me
> > that they are secure. And the fact we are having trouble doing that in this
> > group proves that it is not possible to achieve that in a protocol.
>
> We are not having trouble with that in this group. Nobody disputes that
> any of the proposed curves are secure, or the details of generation.
>
> Instead, we're arguing about endianness. I've tried to gather which primes
> everyone wants in one list, crickets. Tony Arcieri posts about signatures,
> 5 messages. Big v. Little, 40.
>
> Of course a malicious party can leak whatever you send them.

What I meant is that we had great difficulty in choosing curve parameters that were not suspect so we developed objective criteria that effectively removed the 'malicious curve' issue.

At this point I am pretty certain that I will not want to use my existing crypto boxes for the new curves. I certainly don't want my keys for the algorithms we chose for their constant time implementation friendliness being implemented on legacy hardware.

I am not keeping score here, but my understanding is that we have a rough consensus for P255 for the performance curve as it is as near as damnit 256 bits, very fast and has a lot of deployment support. Arguing over a single bit seems illogical for a performance curve that is going to be used in TLS for ephemeral encryption, particularly if we can fix the TLS key agreement algorithm so that ephemeral agreed keys are always at least as random as both the master key and the ephemeral inputs.

The ridiculously high assurance prime is a different matter. Perhaps what CFRG should do is to choose both a P512 curve and P448.

Curves are a different matter... I doubt that it really matters very much and the differences in speed are likely to turn out to depend on whose hardware is used. Easiest to explain is probably the best criterion.