[Cfrg] Consensus and a way forward

Benjamin Black <b@b3k.us> Thu, 27 November 2014 04:25 UTC

Return-Path: <b@b3k.us>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC2491A87BA for <cfrg@ietfa.amsl.com>; Wed, 26 Nov 2014 20:25:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.078
X-Spam-Level:
X-Spam-Status: No, score=-0.078 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SQMZ4YNfbxPx for <cfrg@ietfa.amsl.com>; Wed, 26 Nov 2014 20:25:51 -0800 (PST)
Received: from mail-wg0-f43.google.com (mail-wg0-f43.google.com [74.125.82.43]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D2241A87C7 for <cfrg@irtf.org>; Wed, 26 Nov 2014 20:25:51 -0800 (PST)
Received: by mail-wg0-f43.google.com with SMTP id l18so5367731wgh.30 for <cfrg@irtf.org>; Wed, 26 Nov 2014 20:25:50 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=uHM9YmA2+WzBj9j5x9uLejdCbRJ81ONurL4/ZT1YR8I=; b=ay1Hu6la07RxbDv/QLtwlojYfm9CsnAAjaoxRiJB/SS0zYjNmxHOry9iopgYXIIh6q 5ZN832Nh1mBziZMTGbEVKuyCoQFUOnYTeqlcr1Q9BFm3WwKMrbfwQXALP20gMXwdgPid /WusDr5Xt0zbMlexi2pThrqGnsNoY3XF75EfxA1MemlCY1GTAXeClnk/Dw7RLWAfc0sH +pkZxea+NrahaOvfKkrANI87bat4GpJ4rtRAiPKYN0PCddNPIixvgA3TQ7uMeO3VV82Z NcYZ3d7vY71FSoeWwVd+JE/DwPI3oZ6cPzmgeYdNYrCnd0SxSVZk5yhT+wWopMp3CLpY aqNA==
X-Gm-Message-State: ALoCoQk1cwtHNhQVwGzQwtjnZvCmRtZpcLx1EIXNdGKzE4vY/u1fR6hJBaVD/ok9P92S7aiAaQFy
X-Received: by 10.180.100.230 with SMTP id fb6mr26711761wib.73.1417062350169; Wed, 26 Nov 2014 20:25:50 -0800 (PST)
MIME-Version: 1.0
Received: by 10.217.191.195 with HTTP; Wed, 26 Nov 2014 20:25:29 -0800 (PST)
From: Benjamin Black <b@b3k.us>
Date: Wed, 26 Nov 2014 20:25:29 -0800
Message-ID: <CA+Vbu7xvvfRWyqyE9sqU7VbjzNQZp+DwRWjaV3Lw0hjLr8ye1A@mail.gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="f46d041824ee01be6c0508cf8aea"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Zf3uWu1EmLh6v3d5T0MN8vImTU4
Subject: [Cfrg] Consensus and a way forward
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Nov 2014 04:25:54 -0000

All,

Over the past couple of weeks we have been working with Adam Langley to see
if we could find a compromise with which we could all live. I'm pleased to
say we have been successful in accommodating our respective performance and
trustworthy generation concerns, and I hope the resulting proposal will be
attractive to others, as well. The generation procedure is document in a
draft I've just posted that can be found at
http://www.ietf.org/id/draft-black-rpgecc-00.txt .

The simplest summary is that we have combined the prime preferred by Adam
and others at the 128-bit security level with the rigid parameter
generation we view as essential for producing the most trustworthy curves.
We have used the generation procedure to produce a new twisted Edwards
curve based on 2^255 - 19 and a new Edwards curve based on 2^384 - 317.
These new curves are given as test vectors in the draft, and are also given
below.

These 2 curves are sufficient for meeting the request from TLS. However, if
there is strong interest in a 3rd curve for the 256-bit security level, the
generation procedure​​ gives the same curve with p =2^521 - 1 as several
teams produced.


b

--

2^255 - 19

   p = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
         FFFFFFFFFFED
   d = 0x15E93
   r = 0x2000000000000000000000000000000016241E6093B2CE59B6B9
         8FD8849FAF35
x(P) = 0x3B7C1D83A0EF56F1355A0B5471E42537C26115EDE4C948391714
         C0F582AA22E2
y(P) = 0x775BE0DEC362A16E78EFFE0FF4E35DA7E17B31DC1611475CB4BE
         1DA9A3E5A819
   h = 0x4


2^384 - 317

     p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
           FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEC3
     d = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
           FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD19F
     r = 0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE2471A1
           CB46BE1CF61E4555AAB35C87920B9DCC4E6A3897D
  x(P) = 0x61B111FB45A9266CC0B6A2129AE55DB5B30BF446E5BE4C005763FFA
           8F33163406FF292B16545941350D540E46C206BDE
  y(P) = 0x82983E67B9A6EEB08738B1A423B10DD716AD8274F1425F56830F98F
           7F645964B0072B0F946EC48DC9D8D03E1F0729392
     h = 0x4