Re: [Cfrg] Chopping out curves

"Dan Harkins" <dharkins@lounge.org> Thu, 16 January 2014 22:08 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6895C1AD672 for <cfrg@ietfa.amsl.com>; Thu, 16 Jan 2014 14:08:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.867
X-Spam-Level:
X-Spam-Status: No, score=-3.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SRxbgDUzeWlM for <cfrg@ietfa.amsl.com>; Thu, 16 Jan 2014 14:08:01 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 130141AD66B for <cfrg@irtf.org>; Thu, 16 Jan 2014 14:08:01 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id DCE4510224008; Thu, 16 Jan 2014 14:07:48 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Thu, 16 Jan 2014 14:07:49 -0800 (PST)
Message-ID: <c406386b6fc67d11332141423f2f0f40.squirrel@www.trepanning.net>
In-Reply-To: <CAGZ8ZG1qF4ba3ogjHQnMwgXV+0Fj7eR44QdvuSw3GYBvNVFZBA@mail.gmail.com>
References: <CACsn0cmJX2begH0q8vOUZhP2t3CFo_2Ad71Neke4EKejoYCPRg@mail.gmail.com> <CAGZ8ZG1qF4ba3ogjHQnMwgXV+0Fj7eR44QdvuSw3GYBvNVFZBA@mail.gmail.com>
Date: Thu, 16 Jan 2014 14:07:49 -0800 (PST)
From: "Dan Harkins" <dharkins@lounge.org>
To: "Trevor Perrin" <trevp@trevp.net>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Chopping out curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jan 2014 22:08:02 -0000

On Thu, January 16, 2014 1:50 pm, Trevor Perrin wrote:
> On Thu, Jan 16, 2014 at 1:40 PM, Watson Ladd <watsonbladd@gmail.com>
> wrote:
>> Dear all,
>> Trevor Perrin suggests that we only put in Curve25519/T25519 and
>> E383/M382 so implementors can focus on 4 curves ala Suite B. Are there
>> any protocols in which larger curves would be useful? Anything we
>> might be missing with this decision?
>
> I didn't quite suggest that.
>
> I do feel there should be fewer curves.  Perhaps only curve25519 and
> (either Curve3617 or Ed448-Goldilocks).
>
> It takes a great deal of effort to do high-speed, const-time
> implementations of a different curve, so we should not diffuse that
> effort across too many choices.
>
> Note that Suite B only has 2 curves (P-256 and P-384).

  I think this is a good idea. Too much choice can lead to confusion
and lack of interoperability. When the brainpool curves were added
we pared it down from 14 (including twisted variants) to 4.

  Suite B has 2 curves because it defines two security levels. We can
define more security levels if needed but we should probably only
have 1 Chicago curve at each level.

  Dan.