Re: [Cfrg] big-endian short-Weierstrass please

Phillip Hallam-Baker <> Thu, 29 January 2015 17:36 UTC

Date: Thu, 29 Jan 2015 12:36:15 -0500
From: Phillip Hallam-Baker <>
To: Daniel Kahn Gillmor <>
Subject: Re: [Cfrg] big-endian short-Weierstrass please
List-Id: Crypto Forum Research Group <>

On Thu, Jan 29, 2015 at 11:30 AM, Daniel Kahn Gillmor <> wrote:

> On Wed 2015-01-28 18:38:49 -0500, Blumenthal, Uri - 0558 - MITLL wrote:
> > The problem is - reasonably-vetted by who? NIST? DJB? Yourself? All of
> > the above?
> If this lengthy process we're involved in doesn't turn out to be
> reasonable vetting by a multistakeholder group, i'll be sorely
> disappointed.
> > Attractiveness of the ability to select a custom curve is similar to that
> > of PGP Web of Trust: you can make a choice for yourself, rather than
> > being forced into what other experts (or “experts” :) decide for you.
> This is different from the PGP Web of Trust.  If i'm communicating with
> a new peer using TLS, and they want to use MagicCurveX that i've never
> seen before, my TLS client is not going to be able to evaluate it
> properly, certainly not before the TLS handshake expires.

Deploying and implementing cryptosystems requires an enormous amount of
expertise, and they can fail in many different ways, of which a flaw in the
security of the cryptographic algorithm itself is very, very rare.

We are not using the web of trust model to develop code, so why on earth try
to apply it to the choice of algorithm?

The reason for applying the web of trust is when there is no good alternative.
I have written papers recently in which I show how we might make the web of
trust tractable and practical, but that is because validating credentials
for six billion people is a very different problem.

> Anyone can of course decide what curves are worth using, and can apply
> their own analysis with their peers to come to that decision.  But if
> you're communicating with the arbitrary outside world, there needs to be
> some broader consensus about which curves to commonly use.

More importantly, I can't use your curves unless you can prove to me that
they are secure. And the fact that we are having trouble doing that in this
group proves that it is not possible to achieve that in a protocol.