[Cfrg] Progress on curve recommendations for TLS WG

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Sun, 27 July 2014 20:04 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Sun, 27 Jul 2014 20:04:45 +0000
Message-ID: <CFFB1371.2916E%kenny.paterson@rhul.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/-mB8twBjvaIY8bIFmLT25Zfzn9g

Dear CFRG,

We made good progress last week in Toronto and on the mailing list in
discussing requirements for curve selection, as well as getting into some
of the specifics of the different curve options.

The chairs have had requests to increase the time given to our discussion
of requirements in the light of the Toronto meeting, and we are happy to
accommodate that. We therefore plan to extend the previously announced
schedule so that this initial phase will run for another 2 weeks (until
Friday 8th August). We will then run the second phase (focussing on
concrete curve proposals) for 4 weeks, as previously planned.

Whilst it may be tempting to jump in and start discussing concrete
performance aspects of the different, specific curve proposals, or drift
off onto other topics entirely, the chairs would like to ask everyone to
try to focus on requirements for a bit longer. Here are a few questions to
help keep things on track and seed further discussion:

- What is the cost of keeping backwards compatibility with existing
defined point formats in RFC 4492, if any, for different curve shapes
(Edwards, twisted Edwards, Montgomery, Weierstrass-only form)?

- If ephemeral really means ephemeral, what are the implications for the
mix of fixed-base/variable-base computations in ECDHE and what, if any,
are the implications for the choice of curve type?

- Correspondingly, what are the implications for our choices if we accept
that ephemeral reuse is the expected behaviour?

- Do the current proposals (Curve25519 and friends, and the NUMS curves)
provide an adequate degree of rigidity that is likely to satisfy the
widest set of commentators? Or should we be thinking about generating
fresh curves using a public process having verifiably random inputs? What
would the likely impact be on performance?

- Would selecting curves that are not in Weierstrass form materially slow
down deployment?

Thanks for your considered inputs so far.
Kenny (for the chairs)
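To make the fixed-base/variable-base question above concrete, here is an added example (not part of the original message, and not code from CFRG or the TLS WG): a minimal pure-Python X25519 from the RFC 7748 Montgomery ladder, with key generation (scalar times the fixed base point u = 9) separated from shared-secret derivation (scalar times the peer's just-received public key). A party that is truly ephemeral pays one of each per handshake; a party reusing its ephemeral key amortises the fixed-base one, which is why the two cases can favour different curve shapes and implementation tricks.

```python
# Added example: minimal X25519 (RFC 7748 Montgomery ladder) used to show the
# two scalar multiplications an ECDHE party performs. Pure Python big ints
# are not constant-time; this is for illustration, not deployment.
P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")   # Curve25519 base point, u = 9

def _clamp(k: bytes) -> int:
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64
    return int.from_bytes(k, "little")

def _cswap(swap: int, a: int, b: int):
    d = (-swap) & (a ^ b)                # branch-free conditional swap
    return a ^ d, b ^ d

def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder: scalar k times the point with u-coordinate u."""
    n, x1 = _clamp(k), int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (n >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3); z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    x2, x3 = _cswap(swap, x2, x3); z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keygen(priv: bytes) -> bytes:
    """FIXED-base multiplication: the base point is known in advance, so an
    implementation may precompute tables for it (or skip it entirely when
    the ephemeral key is reused across handshakes)."""
    return x25519(priv, BASEPOINT)

def shared_secret(priv: bytes, peer_pub: bytes) -> bytes:
    """VARIABLE-base multiplication: the peer's point arrives with the
    handshake, so nothing can be precomputed; this cost is paid every time."""
    return x25519(priv, peer_pub)

def handshake(priv_a: bytes, priv_b: bytes) -> bytes:
    """One ECDHE exchange: each side does one keygen and one shared_secret."""
    pub_a, pub_b = keygen(priv_a), keygen(priv_b)
    k_a, k_b = shared_secret(priv_a, pub_b), shared_secret(priv_b, pub_a)
    assert k_a == k_b
    return k_a
```

The values in the test below are the RFC 7748 section 6.1 Diffie-Hellman vectors.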