Dear colleagues:
I did another review of draft-ietf-lwig-curve-representations-12 (of
which I am the author) and have the following (smallish) remarks, all of
which are easy to accommodate:
Comment 1:
Appendix O gives representation examples of five of the six Curve448
family members, where the family members Curve448, Ed448, and Wei448
were introduced in Appendix M and where further cousins Edwards448,
Wei448.1, and Wei448.-3, where introduced in Appendix N, where the
"missing" example concerns Wei448.1. It would be useful to include a
representation example for Wei448.1, to have a complete picture. {This
would also make the structure entirely similar to that of the Curve25519
family members earlier in the document.}
Comment 2:
Appendix K.4.2 describes a mechanism for mappings to higher-order points
of short-Weierstrass curves and Montgomery curves. Table 1 provides
so-called curve offsets that are used in that construction for various
curves. Here, it would be useful to include curve offsets for some of
the Curve448 family members, viz. Wei448, Wei448.1, and Wei448.-3, again
to have a complete picture.
Comment 3:
Appendix N.2 describes the 2-isogenous mapping from Wei448 to Wei448.-3
and vice-versa, where in the first case, the description singles out two
points (the point at infinity and a point of order two) that map to the
point at infinity (so as to make the mapping work correctly as stated,
without zero divisions for the other points); the description in the
dual isogeny case would benefit from the same structure (thereby also
avoiding zero divisions), which it currently technically does not do
(since it only mentions the point at infinity and not the other singled
out point [f order two]). While keeping this little omission in is not a
problem for mathematicians, it may confuse non-curve people, and is easy
to fix, with a one line addition to this appendix, so I suggest we
simply do this.
Comment 4:
Note 2 of Appendix K.5 describes how to locally change randomized
representations where one avoids low-order points should these otherwise
occur. It would be useful to give the redefined image a name, e.g., P2,
so that it is easy to instantiate this construction, including full
avoidance of these low-order points. As an example, in Appendix K.6,
these mappings are fully and unambiguously described by picking the
triple (delta, P0, P1), where the corresponding map without any
low-order points now would be fully described by the quadruple (delta,
P0, P1, P2). Any instantiation then could simply cross-reference the
construction and the applicable quadruple for the curve in question.
Best regards, Rene
On 2020-08-25 9:29 a.m., The IESG wrote:
> The IESG has received a request from the Light-Weight Implementation Guidance
> WG (lwig) to consider the following document: - 'Alternative Elliptic Curve
> Representations'
> <draft-ietf-lwig-curve-representations-12.txt> as Informational RFC
>
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> last-call@xxxxxxxx mailing lists by 2020-09-08. Exceptionally, comments may
> be sent to iesg@xxxxxxxx instead. In either case, please retain the beginning
> of the Subject line to allow automated sorting.
>
> Abstract
>
>
> This document specifies how to represent Montgomery curves and
> (twisted) Edwards curves as curves in short-Weierstrass form and
> illustrates how this can be used to carry out elliptic curve
> computations using existing implementations of, e.g., ECDSA and ECDH
> using NIST prime curves. We also provide extensive background
> material that may be useful for implementers of elliptic curve
> cryptography.
>
>
>
>
>
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-lwig-curve-representations/
>
>
>
> No IPR declarations have been submitted directly on this I-D.
>
>
>
>
>
--
email: rstruik.ext@xxxxxxxxx | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
