Re: [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement
Robert Ransom <rransom.8774@gmail.com> Sun, 12 January 2014 15:46 UTC
Return-Path: <rransom.8774@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E52C1ADF48 for <tls@ietfa.amsl.com>; Sun, 12 Jan 2014 07:46:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GUbUt9ZK6Eyr for <tls@ietfa.amsl.com>; Sun, 12 Jan 2014 07:46:47 -0800 (PST)
Received: from mail-qc0-x233.google.com (mail-qc0-x233.google.com [IPv6:2607:f8b0:400d:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id DFC2B1ADF24 for <tls@ietf.org>; Sun, 12 Jan 2014 07:46:46 -0800 (PST)
Received: by mail-qc0-f179.google.com with SMTP id e16so3384280qcx.10 for <tls@ietf.org>; Sun, 12 Jan 2014 07:46:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=V1knKzPfjgjOdgjm6eQDjfRlzZf2n0B+dr7tfNHpvaY=; b=HBIpCNAEizDF82LeMDrc9haX9KaCmPmCG4M9aAhVZO5f51EzBlREAUJQlrzO88xjku eqx1Yv6MQCpHg5wKo3SyBScv6iXGSr8h8fugKpm7XyIMdbdNmToYwJZAJzTEc2Wlv+GW 6+pL3XC3fIsnaw8uzoc4d8uC/9GUXziTElpfWErhKsCLKnxfTKtsQtGu4MWepD3T/BhZ bPLuPDQ2uSdoc5/OsuCXNe1QbenF06bJtfah9ljr4ltwV9FTZMcAIe16K/lcWdTyXp1A 5MACmsLAIdzSYojJETEpQ/ODvhsJFw31QNmbBhDgafTEvSTu/WKVLVB6mkMzV2miYEoA B7eA==
MIME-Version: 1.0
X-Received: by 10.224.53.71 with SMTP id l7mr30277693qag.33.1389541596154; Sun, 12 Jan 2014 07:46:36 -0800 (PST)
Received: by 10.229.181.132 with HTTP; Sun, 12 Jan 2014 07:46:36 -0800 (PST)
In-Reply-To: <CACsn0c=G=tdKaNgF1o4Fhd26-BMkmDN_XBS=eaX34MvUPHLmCQ@mail.gmail.com>
References: <87eh4e7a2y.fsf@latte.josefsson.org> <52D18475.10709@akr.io> <52D2ACA7.3080407@polarssl.org> <CABqy+sqk2O_u2Kn6gVRs+MUn5J5M8SyL9jsRrwV9hCXhjKUNhQ@mail.gmail.com> <CACsn0c=G=tdKaNgF1o4Fhd26-BMkmDN_XBS=eaX34MvUPHLmCQ@mail.gmail.com>
Date: Sun, 12 Jan 2014 07:46:36 -0800
Message-ID: <CABqy+srTB9JnPRofbPSR+YSsOtQziSGJbhW_3VFoZ-SWbkCiUA@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Jan 2014 15:46:48 -0000
On 1/12/14, Watson Ladd <watsonbladd@gmail.com> wrote: > On Sun, Jan 12, 2014 at 7:01 AM, Robert Ransom <rransom.8774@gmail.com> > wrote: >> On 1/12/14, Manuel Pégourié-Gonnard <mpg@polarssl.org> wrote: >>> On 11/01/2014 18:50, Alyssa Rowan wrote: >>>> 2. Monty & Eddie >>>> >>>> You list both Montgomery and Edwards curves in that list. I suggest >>>> just listing the Montgomery curves (Curve25519, M383 and M511) for >>>> this use, as these are the forms that are the very natural choices for >>>> ECDHE, with the handy x-coordinate-only feature. >>>> >>> I tend to agree. But as was noted by others (including Robert Ransom on >>> the >>> CFRG >>> list), every Edwards curve can also be used to do Montgomery. So I'm >>> curious >>> to >>> hear more about whether people are also interested by the Edwards curve >>> for >>> ECDHE or if the Montgomery curves are enough. >> >> * ECDH should use only Montgomery form, *never* Edwards form. (There >> are key-agreement protocols which require Edwards form. ECDH is not >> one of them.) >> >> * Every curve with minimal Edwards-form parameter can be efficiently >> used in Montgomery form with the simplest possible implementation. >> The converse is not true. > > Why is using twisted Edwards form, or the Montgomery ladder, so bad from > an implementation perspective? Twisted Edwards form makes the converse > true. I now mention it in the draft, as well as the AFRICACRYPT paper which > introduces it. Dr. Bernstein's Ed25519 paper specifies the a=-1 twist because that twist has strictly faster formulas than any other value of a, even if that twist requires a large value of d. > Not every implementation needs to be the fastest, just fast enough. That does not justify choosing curves in a way that unnecessarily harms the performance of simple implementations and raises the complexity of fully optimized implementations. >> * Most of the ‘SafeCurves’ curves (including all of the ones specified >> in Montgomery form, except Curve25519) would be needlessly unpleasant >> to implement. The only curves that I could support using for ECDH at >> this time are Curve25519, Curve3617, and (possibly) E-521. > > You will have to expand on this. All of these curves have primes of > similar shapes, > and while some might require more annoying limb placements than > others, without having > actual implementations to compare, we don't know how big the impact > actually will be. > > M-383 is actually better than Curve3617 from your perspective: it > reduces the size of > the actual coefficient in Montgomery form and in twisted Edwards form > will be the same size. Curve3617's Montgomery-form parameter is 1/3617 (or something close to it). (In the Montgomery formulas, a reciprocal-of-small-integer parameter is as efficient as a small-integer parameter.) M-383's Montgomery-form parameter will be a small integer with about 6 decimal digits. > The prime is also the same. Curve3617's coordinate field is 414-bit; M-383's coordinate field is 383-bit. I don't think they're the same. Robert Ransom
- [TLS] Additional Elliptic Curves (Curve25519 etc)… Simon Josefsson
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Dr Stephen Henson
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Watson Ladd
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Dr Stephen Henson
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Robert Ransom
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Alyssa Rowan
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Dr Stephen Henson
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Robert Ransom
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Alyssa Rowan
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Adam Langley
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Kurt Roeckx
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Adam Langley
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Matt Caswell
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Stephen Farrell
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Eric Rescorla
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Matt Caswell
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Eric Rescorla
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Salz, Rich
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Matt Caswell
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Peter Gutmann
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Ilari Liusvaara
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Peter Gutmann
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Ilari Liusvaara
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Robert Ransom
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Robert Ransom
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Ilari Liusvaara
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Robert Ransom
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Alex Elsayed
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Watson Ladd
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Kurt Roeckx
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Dr Stephen Henson
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Robert Ransom
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Salz, Rich
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Dr Stephen Henson
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Watson Ladd
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Sean Turner
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Sean Turner
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Adam Langley
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Jim Schaad
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Salz, Rich
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Adam Langley
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Salz, Rich
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Watson Ladd
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Watson Ladd
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Salz, Rich
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Yoav Nir
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Watson Ladd