Bill Allombert on Sat, 09 Jan 2021 12:36:56 +0100


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: How to use a named elliptic curve? 

On Wed, Jan 06, 2021 at 03:38:33PM +0100, Ján Jančár wrote:
> Hey all,
> 
> On 02/01/2021 12:00, Jeffrey Walton wrote:
> > On Sat, Jan 2, 2021 at 5:08 AM Karim Belabas
> > <Karim.Belabas@math.u-bordeaux.fr> wrote:
> >>
> >> * Jeffrey Walton [2021-01-02 05:58]:
> >>> Hi Everyone,
> >>>
> >>> I'm working through the elliptic curve tutorial at
> >>> https://pari.math.u-bordeaux.fr/Events/PARI2017c/talks/ecc_en.pdf. I
> >>> want to use a named curve, like secp256k1 or secp256r1. It does not
> >>> appear to be covered in the tutorial.
> >>> ...
> >>> How do I create a named curve?
> >>
> >> The named curves mechanism only supports Cremona labels at this point
> >> (for curves over Q sorted by conductor provided by the Cremona database,
> >> which we repackage as 'elldata'); with the second syntax as in
> >>
> >>   E = ellinit("36a1");
> >>
> >> None of the crypto curves names (SEC2, FIPS 186-4, RFC3279, etc.) are
> >> currently supported by this mechanism. It's an interesting option,
> >> though, that would not be hard to support: Crenoma labels start by a
> >> digit, all crypto curves names I am aware of start by a letter...
> >>
> >> What names would we need to support ?
> >>   - [PKR]-* from FIPS
> >>   - sec* from SEC2
> >>   - prime* from RFC
> > 
> > curve25519 and curve448 are fairly popular. SEC-2/NIST and Bernstein's
> > curve would probably keep most people happy.
> > 
> > The RFC 3279 curves may be useful, too. I seem to recall some of them
> > are considered weak/wounded. I think some of them were from the 1998
> > version of ANSI 9.62. They include c2pnb163v1 and wtls1. But they
> > would probably make good academic material.
> 
> I co-created and maintain a repository of standard elliptic curves
> used in cryptography at: https://neuromancer.sk/std/ and https://github.com/J08nY/std-curves.
> The curves are available in JSON and the website provides SAGE code
> that instantiates the curve, see for example: https://neuromancer.sk/std/secg/secp256r1.
> I could add functionality that creates and displays PARI-GP code that instantiates
> the curves as well.
> 
> I would otherwise be against directly including somewhat standard elliptic curves
> in the PARI codebase, even though its not really my call, simply because of the large
> amount of them and the hardness of saying what is really "standard" or "interesting".
> 
> Perhaps there can be a PARI script distributed that understands the kind of JSON format
> we use in the std-curves repository or downloads them directly from github?

It would likely be much simpler to convert std-curves to PARI format
once, and put that for downloads instead.

Cheers,
Bill.