Re: [Cfrg] ECC reboot (Was: When's the decision?)

"Lochter, Manfred" <manfred.lochter@bsi.bund.de> Tue, 21 October 2014 09:28 UTC

From: "Lochter, Manfred" <manfred.lochter@bsi.bund.de>
Organization: BSI Bonn
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Tue, 21 Oct 2014 11:27:52 +0200
References: <D065A817.30406%kenny.paterson@rhul.ac.uk> <201410211027.13608.manfred.lochter@bsi.bund.de> <20141021090529.GA12154@LK-Perkele-VII>
In-Reply-To: <20141021090529.GA12154@LK-Perkele-VII>
Message-ID: <201410211127.53008.manfred.lochter@bsi.bund.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/0TVvQo4c42OYXmaREkXGRzhiFL8
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] ECC reboot (Was: When's the decision?)

__________ original message __________

From:		Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date:	Tuesday, 21 October 2014, 11:05:29
To:		"Lochter, Manfred" <manfred.lochter@bsi.bund.de>
Cc:	cfrg@irtf.org
Subject:	Re: [Cfrg] ECC reboot (Was: When's the decision?)

> On Tue, Oct 21, 2014 at 10:27:13AM +0200, Lochter, Manfred wrote:
> > Actually, we do not even propose that the cfrg choose the Brainpool
> > curves, we just propose to generate two sets of curves, one using special
> > primes and one using special primes. Here we assume the generation
> > process to be a trusted process. We also note that a flexible approach
> > that allows an easy replacement of curves is very desirable.
>
> You mean pseudorandom primes and special primes, right?

Yes. Thank you!
>
> And what would advantage of generating a new pseudorandom set be, compared
> to just using Brainpool if pseudorandom primes are needed?

I strongly believe that pseudorandom primes are needed. There is no immediate 
advantage in generating new curves. The proposal to generate new curves has 
two main driving factors.
a) We want to be open to an approach where a widely agreed generation method 
is used.
b) The original Brainpool curves have falsely been discredited in the 
BADA55 paper.
>
> I don't see any advantage (at least based on properties you have claimed to
> be desirable and properties you have claimed for Brainpool to have). Nor do
> I see such curves would be used much in practice.

Is this opinion based on our papers or on the discussion within cfrg?
>
> > As the cfrg also discusses parameter lengths I would like to add that it
> > is completely adequate to use 384 bit curves even for highest security
> > demands. So, 384 bit curves must be included in any proposed set of
> > curves.
>
> Not if you can get more security at less or equal cost. There are some
> above-384-bit primes with very good performance (there doesn't seem to be
> that good primes near 384 bits).

Here 384 refers to random primes. The main point is that there has been the 
proposal to drop 384 (or similar) altogether, and to just propose 256 and 512 bit 
curves.
>
>
> -Ilari

Manfred
-- 
Lochter, Manfred
--------------------------------------------
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Referat K21
Godesberger Allee 185-189
53175 Bonn

Postfach 20 03 63
53133 Bonn

Telefon: +49 (0)228 99 9582 5643
Telefax: +49 (0)228 99 10 9582 5643
E-Mail: manfred.lochter@bsi.bund.de
Internet:
www.bsi.bund.de
www.bsi-fuer-buerger.de