IETF Logo Mail Archive

Re: Comments on ECC draft

bmoeller@hrzpub.tu-darmstadt.de (Bodo Moeller) Mon, 10 September 2001 20:08 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA29583 for <openpgp-archive@odin.ietf.org>; Mon, 10 Sep 2001 16:08:39 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f8AJrWH05539 for ietf-openpgp-bks; Mon, 10 Sep 2001 12:53:32 -0700 (PDT)
Received: from cdc-info.cdc.informatik.tu-darmstadt.de (cdc-info.cdc.informatik.tu-darmstadt.de [130.83.23.100]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f8AJrUD05534 for <ietf-openpgp@imc.org>; Mon, 10 Sep 2001 12:53:31 -0700 (PDT)
Received: from localhost (cdc-info [130.83.23.100]) by cdc-info.cdc.informatik.tu-darmstadt.de (Postfix) with SMTP id 6F1712C93; Mon, 10 Sep 2001 21:53:31 +0200 (MET DST)
Received: id <m15gX4b-000Qe5C@epsilon>; Mon, 10 Sep 2001 21:50:25 +0200 (CEST)
Message-Id: <m15gX4b-000Qe5C@epsilon>
Date: Mon, 10 Sep 2001 21:50:25 +0200
From: bmoeller@hrzpub.tu-darmstadt.de
To: hal@finney.org
Reply-To: moeller@cdc.informatik.tu-darmstadt.de
Cc: Dominikus.Scherkl@biodata.com, ietf-openpgp@imc.org, andrey_jivsov@NAI.com, hal_finney@NAI.com
Subject: Re: Comments on ECC draft
In-Reply-To: <200109060128.SAA02959@finney.org>
References: <200109060128.SAA02959@finney.org>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

hal@finney.org>:

[...]
> We suggest the initial draft use only prime fields, descriptor 3,
> and trinomial/pentanomial binary fields, descriptors 11 and 12. These
> three are enough to cover all the NIST curves.  They seem to provide
> the advantages which we seek from ECC without multiplying the options
> excessively.
> 
> If the group does want to pursue additional field types, we would like
> to see some rationale for the use of prime extension field types 4-9. Our
> concern with the special primes 1-2 is that this area seems to be covered
> by patents.

[Field decriptors 1 and 2 are for pseudo-Mersenne prime fields.]

What patents?  These should be patents applied for by the NSA (the
optimizations for pseudo-Mersenne primes are due to Jerry Solinas).
I'm not sure how they'd handle licensing -- the patents for Jerry's
algorithms for Koblitz curves have already been issued earlier this
year, and presumably licensing would be similar to that, whatever this
means.  (Hopefully no restrictions, as for DSA, which is also
patented.)

(Note that the FIPS recommended curves over prime fields all are based
on pseudo-Mersenne primes.  Of course applications that want to use
optimized modular arithmetic for these primes can do so, whether or
not special field descriptors are used.)


>              And descriptors 14-16 are for normal bases, where we see
> two problems.  First, they cannot be efficiently implemented in software;
> and second, we do not think it is possible to convert from a normal basis
> into a polynomial basis representation without additional information
> regarding the specific normal basis chosen.  Hence using normal bases
> as an interchange format is not a good choice.  So we would like to see
> more discussion of that aspect if the group wishes to pursue it.

Also, this is an area where patents really appear to be a severe issue.


> (One organizational point: section 4.4 actually describes custom curves,
> and we would prefer to see the draft focus on predefined curves.  We have
> ideas on how to reorganize the draft to define specific coordinate
> fields and curves based on them, which we are getting into shape to
> present shortly.)

The draft obviously intends to provide a lot of flexibility, while in
the sake of efficiency and interoperability it would be better to
sacrifice flexibility and limit the class of allowed curves.

v2.23.0 | Report a Bug | By Email