[curves] A-shirt Edwards curve parameters
David Gil
dgil at yahoo-inc.com
Fri Dec 26 11:01:54 PST 2014
Part II of some off-and-on work to quantify just how rigid
rigid curves are.
Part I, which needs revision, was here:
https://moderncrypto.org/mail-archive/curves/2014/000315.html
## Minimal-cost curve parameters
Minimal curve parameters. Let `c(x)` be a cost function, and
choose the value of a free parameter `x` such that there
does not exist another `x' != x` with `c(x') <= c(x)`.
Safe curves. Set `c(x) == \inf` if `#E/h` and `#Et/ht` are
not prime, or if some set of safety criteria are not
satisfied.
Choosing curve parameters. Suppose that we want an Edwards
curve; so we have a cofactor != 1.
Cofactor choices:
- q == 1 mod 4
  - h = 2^n, ht = 2^m, n <= 3, m <= 3
  - h = 8, ht = 4
- q == 3 mod 4
  - h = 4, ht = 4
Curve parameter, *x*:
- Proposed:
  - BLE form, a=-1: d
  - BLE form, a=+1: d
  - Montgomery form: A
- Possible:
  - Weierstrass, a=-3: b
- For mathematicians, mainly:
  - Legendre form: lambda
  - j-invariant
Cost functions, *c(x)*:
- Proposed:
  - min(x)
  - min(abs(x))
- Possible:
  - min( (hamming(x), x) )
Am I missing any plausible proposals?
(This gives 6 proposed methods of choosing Edwards curves
for 3 mod 4 primes, and (perhaps) 12 for choosing Edwards
curves for 1 mod 4 primes. Perhaps the cofactor requirement
is more appropriately handled in a discussion of the rigidity
of "safety" definitions...)
## More exotic things that seem possible
"Signature-friendly" curves: Require, in addition, that #E/h be
pleasant to reduce modulo. (By choosing a sufficiently dense family
of reduction-friendly primes, not by CM.)
## "Verifiably random" curve parameters
How much less rigid is the choice of "verifiably random" curve
parameters?
How to sample:
- by rejection of candidates of bitlength ceil(log2(q))
- by modular reduction of candidates of bitlength 2*ceil(log2(q))
(And then by rejection of unsafe proposals.)
PRF keys:
- 0
- {big,little}-endian representation of ceil(log2(q))
- (is anything else plausible if you make a choice before knowing
  the maximum key-length of the PRF -- i.e., in the equivalent of
  Rawlsian ignorance?)
PRFs:
- AES{128,256}-CTR
- {ChaCha,Salsa}20
- SHAKE{128,256}
(This gives 36 choices for verifiably random curves. This, of course,
would need to be multiplied by 6 or 12.)
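
Added example (not part of the original post): a toy-field version of the minimal-cost search described under "Minimal-cost curve parameters", run for the three listed cost functions on the a=+1 form only. The prime 1019 (3 mod 4, so h = ht = 4), the use of "d is a nonsquare" (completeness) as the only extra safety criterion, and all function names are assumptions chosen for illustration.

```python
Q = 1019  # constructed toy prime, Q % 4 == 3
SQUARES = {x * x % Q for x in range(1, Q)}  # nonzero squares in F_Q

def is_prime(n):
    return n > 1 and all(n % p for p in range(2, int(n ** 0.5) + 1))

def curve_order(d):
    """#E for x^2 + y^2 = 1 + d*x^2*y^2 over F_Q with d a nonsquare.
    The curve is then complete, so every point is affine."""
    total = 0
    for x in range(Q):
        num = (1 - x * x) % Q
        den = (1 - d * x * x) % Q  # never 0 when d is a nonsquare
        if num == 0:
            total += 1             # only y = 0
        elif num * den % Q in SQUARES:
            total += 2             # num/den is a square iff num*den is
    return total

def safe_orders(d):
    """Return (#E, #Et) if c(d) is finite, else None (c(d) = infinity)."""
    d %= Q
    if d == 0 or d in SQUARES:
        return None                # assumed safety criterion: completeness
    n = curve_order(d)
    nt = 2 * Q + 2 - n             # order of the quadratic twist
    if n % 4 or nt % 4:
        return None
    if not (is_prime(n // 4) and is_prime(nt // 4)):
        return None
    return n, nt

# Candidate range and sort key for each cost function listed in the post.
ORDERINGS = {
    "min(x)": (range(1, Q), lambda x: x),
    "min(abs(x))": (range(-(Q // 2), Q // 2 + 1), lambda x: (abs(x), x < 0)),
    "min((hamming(x), x))": (range(1, Q), lambda x: (bin(x).count("1"), x)),
}

def minimal_d(name):
    """First candidate, in cost order, whose cost is finite."""
    candidates, key = ORDERINGS[name]
    for d in sorted(candidates, key=key):
        orders = safe_orders(d)
        if orders:
            return d, orders
    return None

if __name__ == "__main__":
    for name in ORDERINGS:
        print(name, minimal_d(name))
```

Each ordering is one "rigid" procedure; comparing the printed values of d shows how much the result depends on which procedure is picked.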