[Lwip] Fwd: Re: (initial triage - final disposition with rev-02) Re: Fwd: Review of draft-ietf-lwig-curve-representations-00 by crypto review panel

Mohit Sethi M <mohit.m.sethi@ericsson.com> Wed, 12 December 2018 08:42 UTC

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Rene Struik <rstruik.ext@gmail.com>, "nikolaev@cryptopro.ru" <nikolaev@cryptopro.ru>, "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, "lwip@ietf.org" <lwip@ietf.org>
Date: Wed, 12 Dec 2018 08:42:28 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/lwip/twkKX9e_whvZ_m7b1IPXFKcP-Iw>
List-Id: "Lightweight IP stack. Official mailing list for IETF LWIG Working Group." <lwip.ietf.org>

Forwarding this to the correct working group email address.

In future, I hope that all of you can include the correct working group email address when responding.

The reason why LWIG working group has lwip@ietf.org as its list address is not something that I can answer. This was much before my term as a co-chair started.

--Mohit

PS: I also hope that we won't start a discussion about correct list address etc. or changing lwip@ietf.org to lwig@ietf.org. It is what it is and our energies are better spent on technical work.


-------- Forwarded Message --------
Subject:        Re: (initial triage - final disposition with rev-02) Re: Fwd: Review of draft-ietf-lwig-curve-representations-00 by crypto review panel
Date:   Wed, 12 Dec 2018 08:24:30 +0200
From:   Stanislav V. Smyshlyaev <smyshsv@gmail.com>
To:     Rene Struik <rstruik.ext@gmail.com>
CC:     Mohit Sethi M <mohit.m.sethi@ericsson.com>, lwig@ietf.org, Николаев Василий Дмитриевич <nikolaev@cryptopro.ru>


Dear Rene,

Thank you very much for your comments and clarifications!

Regarding the remaining questions (I'm cc'ing my colleague Vasily Nikolaev, who checked this issue with conversion formulae):
The formulae for conversion between twisted Edwards and Montgomery curves (as described in Section D.1), when used directly, don't seem to be able to lead us to a twisted Edwards curve with d equal to +-1. In Section E.2 a slightly different formula with coefficient “c” is used which helps us to achieve this - and it's good. Maybe it will be better to add some explanations for this in text (or to stress explicitly that in E.2 we use another formula and it is OK, so readers are not confused).

The same could be applied for formulae for conversion between Weierstrass and Montgomery curves in sections D.2 and E.2 respectively. In D.2 we have coefficient B in denominator, while this coefficient is absent in formulae in E.2.

I believe that these issues are worth clarifying in the text.

Best regards,
Stanislav Smyshlyaev, Ph.D.
CISO, CryptoPro LLC


On Tue, 11 Dec 2018 at 17:36, Rene Struik <rstruik.ext@gmail.com> wrote:
Hi Stanislav:

Thanks for your review.

Some brief initial feedback now; final disposition will be with rev02. (One of my "to dos prior to 2018-end" is to add test vectors to a draft-02 version that I have had on my machine since Nov 15th. That version also includes some minor editorial massaging.)

BTW - all calculations (including isogenies) were done in Sage and write-up is based on an extensive LaTeX document with curve constructions for personal use. I will double-check everything prior to releasing rev-02.

On 12/11/2018 7:46 AM, Mohit Sethi M wrote:

Hi all,

We have received the following detailed review of draft-ietf-lwig-curve-representations from Stanislav Smyshlyaev on behalf of the Crypto Review Panel.

Thank you Stanislav for the excellent review. It would be great if the authors can address his feedback and submit a new version.

Please feel free to chime in if you have any additional feedback on this document at this stage.

Zhen and Mohit


-------- Forwarded Message --------
Subject:        Review of draft-ietf-lwig-curve-representations-00 by crypto review panel
Date:   Tue, 11 Dec 2018 07:50:11 +0200
From:   Stanislav V. Smyshlyaev <smyshsv@gmail.com><mailto:smyshsv@gmail.com>
To:     Mohit Sethi M <mohit.m.sethi@ericsson.com>, Suresh@kaloom.com, zhencao.ietf@gmail.com, Alexey Melnikov <aamelnikov@fastmail.fm>


Good afternoon,

Please find below the review of the document made on behalf of Crypto Review Panel.

I'll be happy to discuss all questions raised in the review directly via e-mail: smyshsv@gmail.com


Document: draft-ietf-lwig-curve-representations-00
Reviewer: Stanislav Smyshlyaev
Review Date: 2018-11-26
Summary: Revision needed

The document “Alternative Elliptic Curve Representations” contains procedures and formulae of representing Montgomery curves and (twisted) Edwards curves in short Weierstrass form.
The reviewer believes that the document is very helpful and can be used by developers implementing ECC operations in real-world applications.
The reviewer has verified all decimal numbers (and hexadecimal numbers, where they are provided in the draft) and does not have any concerns besides the following ones.

Since some of the concerns seem to be important enough for the overall document, the reviewer recommends to send an updated version of the draft to Crypto Review Panel for a new review.

The review was made for draft-ietf-lwig-curve-representations-00. During the review process an updated version draft-ietf-lwig-curve-representations-01 was published – some comments about the -01 version can be found in the end of the current review.

Comments:
1) Section C.2: The mapping from Weierstrass curves to Montgomery curves is not defined in the current version. The mapping from Weierstrass to Montgomery cannot usually be described as shortly as others, but maybe it could still be useful here. For example, the root of x^3+ax+b in Fp could be provided explicitly.

RS>> True: although I am not sure how useful this is, this could be done. One of the issues is that a Weierstrass curve with a point of order two does not automatically lead to a Montgomery curve. Having to spell out those conditions may make life really hard for non-specialists and obscure the main message. My main point was to try and exemplify how the different curve models are sometimes the "same animal, in disguise", which could be helpful, e.g., when implementing Ed25519 and Curve25519 on a small device or when one wishes to reuse an existing HW implementation of short Weierstrass curves. <<RS

2) It would be better to stress in Appendix C.1 that formulae provided there do not allow to get parameter a of the twisted Edwards curve equal to 1 or -1. In Appendix D.2 additional constant c is used that helps to obtain the curve with a equal to -1 (this fact by the way implies that the phrase “Here, we used the mapping of Appendix C.1” is inaccurate).
RS>> I did indeed use the isomorphism from E_{a,d} to E_{1,d/a}, for a a square in GF(q), as well. <<RS
2a) Section D.2: The formulae (u,v) -> (c*u/v, (u-1)/(u+1)) lead to an error. It is not clear why it is needed to multiply by the constant c.
RS>> Hmm. I copied this from LaTeX source based on checked Sage calculations. I will double check all of this once more (also elsewhere). <<RS
2b) Section D.3: The Montgomery curve Curve25519 doesn’t correspond to Twisted Edwards curve Edwards25519 because of (A+2)/B = (486662+2)/1 != -1.
RS>> It does correspond to this, since I added the "c" multiplication in the x-coordinate, since c^2=-(A+2)/B. See your point under your point 2) above. <<RS
2c) If one uses the formula from C.1 for Montgomery to Edwards mapping (a:=(A+2)/B and d:=(A-2)/B), she obtains that d for Edwards25519 is equal to 486660 but not the value of d which is provided in D.3.
RS>> It does correspond to this, for the same reason as above under your point 2b) above. <<RS
3) Section E.1: The isomorphic mapping between W_{a,b} and W_{a',b'} should be defined as a’:=a*s^4 and b’:=b*s^6, instead of a:=a'*s^4 and b:=b'*s^6. Otherwise the mapping is defined incorrectly and the test vectors from F.3 are incorrect.
RS>> This is often confusing (initially also to me). However, I do think this is correct, but will of course double check my Sage code.<<RS
4) It seems that the formula for lambda in case Q:=2P for Montgomery curve is wrong. According to http://hyperelliptic.org/EFD/g1p/auto-montgom.html and to https://eprint.iacr.org/2017/212.pdf (page 4) it should be: lambda = (3*x1^2 + 2*A*x1 + 1)/(2*B*y1). So you need to add “B” as a factor in the denominator.
RS>> This small editorial glitch was corrected in version 01. <<RS
5) in Appendix D.2 it would be better to stress explicitly that we work with projective coordinates, otherwise the formulae do not have to be correct.

RS>>I did separate out the points of order one and two to make the rational mappings always work. Did I miss something here? <<RS

Editorial comments:
a) It seems that the text will be easier to read if the formulae for group law are provided in the following form (for example, for Weierstrass):
   x = lambda^2 - x1 - x2
   y = lambda * ... (at a new line, but with “and”)
   lambda = ... (again at a new line)
b) In reviewer’s opinion, the text will be easier to read if different symbols for coordinates of different forms of a curve are used. For example, (x,y) for Weierstrass, (X,Y) for Montgomery and (u,v) for Edwards. And it would be better to use the same symbols in different parts of the document (now (u,v) is used for Montgomery in A.2 and (x,y) for Montgomery in B.2).
RS>> Agreed. I will do this for version 02. <<RS
c) The term “short Weierstrass form” is widely used in publications as is. The draft, however, has two variants of it – “short” Weierstrass form and short-Weierstrass form. It seems that one (commonly used) variant would be better to use.
d) The reviewer recommends to use only “GF(p)” everywhere in document instead of “GF(q)” together with “GF(p)”. For example, now in C.1 – GF(q) and GF(p) in D.1.
RS>> I would like to keep this as is, just in case at some point in the future, someone wishes to specify a curve over GF(q), where q=p^2, for example (whether this is FourQ or a curve used for isogeny-based key agreement). <<RS

Additional clarifications might be useful:
Also the reviewer believes that it will be useful to write additional clarifications in D.2 on “can be implemented via integer-only arithmetic as a shift of (p+A)/3 for the isomorphic mapping and a shift of -(p+A)/3 for its inverse” regarding the need of using the mod operation for transformation.
RS>> If I parse this comment correctly: indeed one may need to add or subtract the modulus p (but does not need to implement GF(p) arithmetic otherwise for this conversion). <<RS

###### draft-ietf-lwig-curve-representations-01:

The concerns 1, 2, 2a, 2b, 2c, 4 and 5 for 00 version are still valid for version -01. The concern 3 has been addressed.
Additional question for draft-ietf-lwig-curve-representations-01: appendices C.1 and C.2 contain information about properties that help to recover y-coordinates of a multiple point if one uses Montgomery ladder. This information may not be needed in the draft, since the ladder itself is not described there.

RS>> I do think the recovery of the y-coordinate is useful, e.g., if one wishes to implement Ed25519 using an extension of the Montgomery ladder for Curve25519 (Example 4.2 in rev-01 document). This could be especially useful for constrained devices (and, in my opinion, should have been part of RFC 7748). <<RS


Best regards,
Stanislav Smyshlyaev


--
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
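
Points 2, 2b and 2c of the review and the D.2 remark about the (p+A)/3 shift can be checked numerically. The following Python is an added example, not code from the draft or from either correspondent: it uses the published Curve25519 parameters (p, A, B, base-point u = 9) and compares the direct Montgomery-to-twisted-Edwards map with the c-scaled one, where c^2 = -(A+2)/B. All function names are this example's own.

```python
# Added example. p, A, B and u = 9 are the published Curve25519 values;
# every function name below is hypothetical, chosen for this illustration.
P = 2**255 - 19
A, B = 486662, 1          # Montgomery curve B*v^2 = u^3 + A*u^2 + u
U = 9                     # u-coordinate of the Curve25519 base point
SHIFT = (P + A) // 3      # exact integer division; equals A/3 mod p

def inv(x):
    """Modular inverse via Fermat's little theorem (p is prime)."""
    return pow(x, P - 2, P)

def sqrt_mod(x):
    """Square root mod p for p = 5 (mod 8); raises if x is a non-square."""
    x %= P
    r = pow(x, (P + 3) // 8, P)
    if r * r % P != x:
        r = r * pow(2, (P - 1) // 4, P) % P   # multiply by sqrt(-1)
    if r * r % P != x:
        raise ValueError("not a square mod p")
    return r

def montgomery_v(u):
    """Recover one v-coordinate for a given u on the Montgomery curve."""
    return sqrt_mod((u**3 + A * u * u + u) * inv(B))

def direct_params():
    """Twisted Edwards (a, d) from the unscaled map: a=(A+2)/B, d=(A-2)/B."""
    return (A + 2) * inv(B) % P, (A - 2) * inv(B) % P

def scaled_params():
    """Constant c with c^2 = -(A+2)/B and the resulting d for a = -1."""
    a, d = direct_params()
    return sqrt_mod(-a), (-d * inv(a)) % P

def to_edwards(u, v, c=1):
    """(u, v) -> (c*u/v, (u-1)/(u+1)); c=1 is the unscaled map."""
    return c * u * inv(v) % P, (u - 1) * inv(u + 1) % P

def on_twisted_edwards(a, d, x, y):
    """Check a*x^2 + y^2 = 1 + d*x^2*y^2 over GF(p)."""
    return (a * x * x + y * y - 1 - d * x * x * y * y) % P == 0

def weierstrass_params():
    """Short Weierstrass (a, b) for the Montgomery curve above."""
    a = (3 - A * A) * inv(3 * B * B) % P
    b = (2 * A**3 - 9 * A) * inv(27 * B**3) % P
    return a, b

def to_weierstrass(u, v):
    """(u, v) -> ((u + A/3)/B, v/B), with A/3 taken as the integer SHIFT."""
    return (u + SHIFT) * inv(B) % P, v * inv(B) % P

def on_weierstrass(x, y):
    a, b = weierstrass_params()
    return (y * y - x**3 - a * x - b) % P == 0

if __name__ == "__main__":
    v = montgomery_v(U)
    a, d = direct_params()
    c, d_scaled = scaled_params()
    print("unscaled map: a =", a, " d =", d)
    print("on E_{a,d}:", on_twisted_edwards(a, d, *to_edwards(U, v)))
    print("scaled map lands on a = -1 curve:",
          on_twisted_edwards(-1, d_scaled, *to_edwards(U, v, c)))
    print("d for a = -1 equals -121665/121666:",
          d_scaled == (-121665 * inv(121666)) % P)
    print("Weierstrass shift ok:", on_weierstrass(*to_weierstrass(U, v)))
```

The unscaled map yields a = 486664 and d = 486660, while the c-scaled map puts the same point on the a = -1 curve with d = -121665/121666.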