Re: [Cfrg] Safecurves draft

Jon Callas <> Thu, 09 January 2014 18:43 UTC


I concur that we shouldn't call it "safecurves" or anything like that. I think that definitely this needs to heed Paul Hoffman's advice on names coming back to bite us.

All crypto parameter sets have a lifespan where they're new and shiny, older and trusted, then kinda dodgy but accepted, and then outmoded or insecure. Each phase might be there for years or perhaps minutes. I've seen things go the entire lifecycle in an hour. We don't want the premature aging of one to tarnish the whole thing. Think about what you'd say when the Buzzfeed reporter calls you up for comment or background on their article "Ten Shocking Reasons Why SafeCurves are The Spawn of Satan" after a Eurocrypt paper has a new banana attack that shows a curve has ten fewer bits of security with 2^300 memory.

I also think there should be a quick set of names where we specify what's a Montgomery and what's Edwards. This is already needed and the reason why there's 25519 and Ed25519 in current parlance. If we *don't* do it here, then someone else will. It's too useful not to have it.

You can have a table with common names and extended names and have the extended names have something simple like a suffix of M or E. It's easy to fit 25519 and Ed25519 into this as well.

