Re: [Cfrg] Revising RFC 6090

Watson Ladd <watsonbladd@gmail.com> Sat, 05 July 2014 01:52 UTC

In-Reply-To: <CECE0A7E-35CA-444E-85DF-5504E404A1B5@vpnc.org>
References: <CECE0A7E-35CA-444E-85DF-5504E404A1B5@vpnc.org>
Date: Fri, 04 Jul 2014 18:52:38 -0700
Message-ID: <CACsn0cmC0G6ES=tSwrbXknKXV=D2nogYyQzukp1eQg8ArC_67w@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/yLvwFqEJMyI-ATDG9xYAXascz_8
Cc: "cfrg@irtf.org CFRG" <cfrg@irtf.org>
Subject: Re: [Cfrg] Revising RFC 6090

Dear Paul,
Thanks for taking on this necessary task.

I have several ideas for how to modernize, but not all of them are
going to work because of the time constraint: Edwards curves are 2007,
for instance, and while I haven't heard any FUD yet, it doesn't fit
with our original goals.

The first idea is due to Tanja Lange and is to use Jacobian
coordinates. If you want to be fancy she invented faster formulas
which are in the EFD, but you might have to live with the 1986
formulas. However, the presentation in the RFC is not ideal: you
should run them through common-subexpression elimination, which the
EFD did for you.

For validation of the formulas that appear I would suggest an
automated Sage script, à la EFD.

The parameter choice section is laughable. Either make it complete or
remove it entirely.

The Montgomery ladder is old enough to be included. I don't know about
sliding windows. Signed-digit encoding was invented in 1950 under the
name Booth encoding: it gets a savings, but isn't constant time. DJB
has an extensive bibliography and paper in
http://cr.yp.to/papers/pippenger.pdf discussing various approaches.

The Shamir trick should be mentioned: it speeds verification of
signatures significantly.

Sincerely,
Watson Ladd

On Fri, Jul 4, 2014 at 12:21 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> Greetings again. RFC 6090, "Fundamental Elliptic Curve Cryptography Algorithms", was published a few years ago, with the purpose of laying down which parts of elliptic curve cryptography had been described long enough ago to avoid any patent issues. A fair number of technical errata have been reported on RFC 6090. Also, the point compression patent is expiring later this month, and therefore point compression might be added to a new version of the RFC.
>
> This seems like a good time to revisit RFC 6090 to incorporate the errata and to start to consider what else can be added to the document. I have started a new draft, listed below. The errata have been marked in the document; those marks will come out in future drafts.
>
> To start off, it would be grand if people would read through the draft carefully for technical accuracy. I say this because the drafts leading to RFC 6090 had been reviewed here in CFRG, and yet some significant mistakes made it through the process.
>
> At the same time, it would be useful to hear what people think additions to the document should be. RFC 6090 focused on the Suite B curves, but if additional curves and concepts can be added (while maintaining the design goal of things described fully early enough to avoid patent encumbrance), that could be interesting as well.
>
> --Paul Hoffman
>
>
> A new version of I-D, draft-hoffman-rfc6090bis-00.txt
> has been successfully submitted by Paul Hoffman and posted to the
> IETF repository.
>
> Name:           draft-hoffman-rfc6090bis
> Revision:       00
> Title:          Fundamental Elliptic Curve Cryptography Algorithms
> Document date:  2014-07-04
> Group:          Individual Submission
> Pages:          34
> URL:            http://www.ietf.org/internet-drafts/draft-hoffman-rfc6090bis-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-hoffman-rfc6090bis/
> Htmlized:       http://tools.ietf.org/html/draft-hoffman-rfc6090bis-00
>
>
> Abstract:
>   This note describes the fundamental algorithms of Elliptic Curve
>   Cryptography (ECC) as they were defined in some seminal references
>   from 1994 and earlier.  These descriptions may be useful for
>   implementing the fundamental algorithms without using any of the
>   specialized methods that were developed in following years.  Only
>   elliptic curves defined over fields of characteristic greater than
>   three are in scope; these curves are those used in Suite B.
>
>   This version of the note incorporates errata that were reported on
>   RFC 6090 [RFC6090].
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
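An added example, not code from this thread or from draft-hoffman-rfc6090bis, showing the two techniques Watson raises: the inversion-free Jacobian-coordinate formulas and a Montgomery ladder, checked against the affine chord-and-tangent formulas that RFC 6090 presents. It assumes the standard NIST P-256 parameters (p, a = -3, b, G, n).

```python
# Added example (not from the thread or the draft): Jacobian group law and a
# Montgomery ladder on NIST P-256, cross-checked against the affine formulas.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
INF = None            # affine point at infinity
JINF = (1, 1, 0)      # Jacobian point at infinity (Z == 0)

def affine_add(p1, p2):
    """Affine addition as in RFC 6090: one modular inversion per operation."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return INF
    if x1 == x2: lam = (3*x1*x1 + A) * pow(2*y1, -1, P) % P
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam*lam - x1 - x2) % P
    return (x3, (lam*(x1 - x3) - y1) % P)

# Jacobian (X, Y, Z) stands for affine (X/Z^2, Y/Z^3); no inversion until the end.
def jac_double(pt):
    X, Y, Z = pt
    if Z == 0 or Y == 0: return JINF
    M, S = (3*X*X + A*Z**4) % P, 4*X*Y*Y % P
    X3 = (M*M - 2*S) % P
    return (X3, (M*(S - X3) - 8*Y**4) % P, 2*Y*Z % P)

def jac_add(p1, p2):
    (X1, Y1, Z1), (X2, Y2, Z2) = p1, p2
    if Z1 == 0: return p2
    if Z2 == 0: return p1
    U1, U2 = X1*Z2*Z2 % P, X2*Z1*Z1 % P
    S1, S2 = Y1*Z2**3 % P, Y2*Z1**3 % P
    if U1 == U2: return jac_double(p1) if S1 == S2 else JINF   # P == Q or P == -Q
    H, R = (U2 - U1) % P, (S2 - S1) % P
    X3 = (R*R - H**3 - 2*U1*H*H) % P
    return (X3, (R*(U1*H*H - X3) - S1*H**3) % P, H*Z1*Z2 % P)

def to_affine(pt):
    X, Y, Z = pt
    if Z == 0: return INF
    zi = pow(Z, -1, P)
    return (X*zi*zi % P, Y*zi**3 % P)

def ladder_mul(k, pt):
    """Montgomery ladder: one add and one double for every bit, whatever its value."""
    r0, r1 = JINF, (pt[0], pt[1], 1)         # invariant: r1 == r0 + pt
    for bit in bin(k)[2:]:                   # MSB first
        if bit == '0': r1, r0 = jac_add(r0, r1), jac_double(r0)
        else:          r0, r1 = jac_add(r0, r1), jac_double(r1)
    return to_affine(r0)
```

The ladder's operation sequence does not depend on the scalar bits, but Python's big integers are not constant-time, so this only illustrates the structure, not a side-channel-safe implementation.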