IETF Logo Mail Archive

Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,

Andrey Jivsov <crypto@brainhub.org> Sat, 28 June 2014 07:03 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11E021A02EC for <tls@ietfa.amsl.com>; Sat, 28 Jun 2014 00:03:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.799
X-Spam-Level:
X-Spam-Status: No, score=0.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JaqWX6Pixqt5 for <tls@ietfa.amsl.com>; Sat, 28 Jun 2014 00:03:53 -0700 (PDT)
Received: from qmta12.emeryville.ca.mail.comcast.net (qmta12.emeryville.ca.mail.comcast.net [IPv6:2001:558:fe2d:44:76:96:27:227]) by ietfa.amsl.com (Postfix) with ESMTP id 902571A0269 for <tls@ietf.org>; Sat, 28 Jun 2014 00:03:53 -0700 (PDT)
Received: from omta01.emeryville.ca.mail.comcast.net ([76.96.30.11]) by qmta12.emeryville.ca.mail.comcast.net with comcast id Kj1k1o0020EPcho01j3t4U; Sat, 28 Jun 2014 07:03:53 +0000
Received: from [192.168.1.145] ([71.202.164.227]) by omta01.emeryville.ca.mail.comcast.net with comcast id Kj3s1o00B4uhcbK8Mj3stp; Sat, 28 Jun 2014 07:03:53 +0000
Message-ID: <53AE68D8.70605@brainhub.org>
Date: Sat, 28 Jun 2014 00:03:52 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: tls@ietf.org
References: <65D2FD736B6B2B48B2EAD2BD189DC9CC16B433@LLE2K10-MBX01.mitll.ad.local>
In-Reply-To: <65D2FD736B6B2B48B2EAD2BD189DC9CC16B433@LLE2K10-MBX01.mitll.ad.local>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1403939033; bh=lb4svwOb36mhC3X3lsO0Ny0tGi/yTSwJG5lNde1/Gkw=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=OnAOCQ/jE/rqS+iXhp/bdWdoW94/2RkI9rCMr4tm/OpLubT/rbIx6Z74hsf9MGLtq yEh4JrrxIQyTjI3fN140WEht8lYNOFp3R1Gv3uwwEJ3JSXocqxFy1BSN/g1DoROVtw LHzMSjX8hrSg7rqgL6w16APumm50xtYiC4AXutbYW3P9wk8ckfL/zcUoS2ZmMPnQ96 YuqfpjjYNSaUuSaR4za93gH4WY4u3dEVuMUDnB9FPTINKxwOq520X/awOMG2txQAF+ NffiBhbMxkrnIhPJ8N0SvjiAeQ1RBc5bVdgCC419UO1Oh4WwnjlHG9EmLp7aWp34CQ eacT5Icw0mLAg==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/yYrYRRubI6oKSCb6dvItgJnDM6A
Subject: Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jun 2014 07:03:55 -0000

Here is an idealistic, but not unfeasible proposal that could lead to 
easier/broader adoption.

One way to attempt to unify the diverse world of ECC curves is to focus 
on the underlying field, as opposed the curve itself. Consider Fp 
operations with p=2^255-19 or p=2^256-189. In other words, for 
n={256,384,512}, chose the closest C: p=2^n-C is a prime and make this p 
"MUST". People who demand random primes will have to play along and 
accept less "randomness" in their curves.

This makes it more likely that the standard bodies, including national 
standards, agree to commit to a unified Fp, even when they are unable to 
embrace a single curve. This is a more realistic goal than to expect 
that one curve will satisfy everybody.

The performance in the Fp dominates the higher-level operation in ECC 
field. In software, Fp operations will be special-cased for p and 
various CPU architectures. It seems to me that such a fixed Fp will work 
as an incentive to add hardware support (for Fp). This allows the ECC 
code to have an interoperable, potentially hardware-assited layer, that 
is shared between all the curves (for the same n).


While we are on this, why was the Curve25519 not made to be Curve256189? 
(I don't think that 19 v.s. 189 would matter on x86) I suppose that the 
rest of the paper carries over unchanged (other than that the choice of 
the floating point registers is dated by now for modern x86 CPUs.)

Thank you.

v2.23.0 | Report a Bug | By Email