[Cfrg] Requirements for curve candidate evaluation update
Benjamin Black <b@b3k.us> Tue, 12 August 2014 21:59 UTC
Return-Path: <b@b3k.us>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CFF21A01E4 for <cfrg@ietfa.amsl.com>; Tue, 12 Aug 2014 14:59:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KaTmSKkYVvLB for <cfrg@ietfa.amsl.com>; Tue, 12 Aug 2014 14:59:12 -0700 (PDT)
Received: from mail-wi0-f176.google.com (mail-wi0-f176.google.com [209.85.212.176]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 024181A00D8 for <cfrg@ietf.org>; Tue, 12 Aug 2014 14:59:11 -0700 (PDT)
Received: by mail-wi0-f176.google.com with SMTP id bs8so6536417wib.9 for <cfrg@ietf.org>; Tue, 12 Aug 2014 14:59:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-type; bh=qVbAn8OGujf/k1a7LoQnZbC/Lpe0HNAT8J/uRrwBWwc=; b=X13sCjSVpsevTRWZZ6353+FQIq/Z7M6QVBKfmpd3lQQXPwGCl1WOBA/P0/57rQ6Kpz 3mjkb8fYAnF1Nkstspv+4Nbpd0yLMJ7R+AkmgG+B9XR1S5WaGoZUMlcAN768545VVHul FwmhJYlSM7GAZHrBn1HNmza8ljsN1L+KcEdkmuskPUfwYiMfryd6NwfNKAxFzPD+MtXl MbMJiISaEjimrDNrGJc47FMsEz+AOz+/GajGdfWo1p9KSkh4Rb6MHxZdR1K/EOADLAPE H5dIln8p4ZKrR7XIHUxTslZsoDevUgeqRyAsiehRtWMnQz5jCCzva+Qui7dambqkwNM6 amEQ==
X-Gm-Message-State: ALoCoQmpWzJKAn8ExUd3zBDa547O/xySbNl+CaxQvXAmuwkgJlfo7j1sxfpl3YVD5Ph+vyEAxtnw
X-Received: by 10.194.142.148 with SMTP id rw20mr339011wjb.69.1407880750580; Tue, 12 Aug 2014 14:59:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.44.138 with HTTP; Tue, 12 Aug 2014 14:58:50 -0700 (PDT)
From: Benjamin Black <b@b3k.us>
Date: Tue, 12 Aug 2014 14:58:50 -0700
Message-ID: <CA+Vbu7wuAcmtAKJYEgAaSBTf6sj8pRfYpJhz2qV_ER=33mrk8Q@mail.gmail.com>
To: Brian LaMacchia <bal@microsoft.com>
Content-Type: multipart/alternative; boundary="089e013a27c40666a7050075c828"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/6XSrIALCXk8yLzHCBllhjLxgNxM
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: [Cfrg] Requirements for curve candidate evaluation update
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Aug 2014 21:59:13 -0000
The CFRG, while part of IRTF, cannot separate itself from the practical demands of IETF. The CFRG brings a different set of skills to bear, but the outcome of its work must be pragmatic. The original list of requirements in the request forwarded by Kenny reflected the required pragmatism in asking only for new curves based on the 15 years of research and deployment experience with the NIST curves. Every other aspect of the problem was and is constrained by the existing RFCs, existing installed base, and existing customer expectations. Returning to the engineering requirements for new curves, the curves must take into consideration the well-established fact that many implementations will not be authored by professional cryptographers and almost no users of systems relying on them will be professional cryptographers. If we require, rather than allow, multiple curve models be implemented to support different algorithms or for different security levels, we are increasing complexity and hence opportunities for security and interoperability errors. If we require new security levels, we are again working against the existing protocols, implementation and deployment experience, customer expectations, even user interfaces. None of these can simply be dismissed because they are inconvenient. They are the facts on the ground. 1. Curves must be generated using a rigid process, and the more rigid the better. 2. The curves we recommend should only require implementation of a single curve model, which implies: a) ECDHE and ECDSA must be supported with a single curve model. b) The same curve model must be used for all security levels. 3. For the purposes of evaluating candidates, ephemeral in ECDHE means used exactly once per key exchange. 4. The security levels are 128, 192, and 256 bits and each curve will only be evaluated at one of those levels. 5. No changes to coordinate wire formats. The outcome of these is that we need 3 rigidly generated curves in either short Weierstrass or twisted Edwards form. Anything beyond that should be addressed at a later point, and should not block progress on this specific request for new curves. b
- [Cfrg] Requirements for curve candidate evaluatio… Benjamin Black
- Re: [Cfrg] Requirements for curve candidate evalu… Salz, Rich
- Re: [Cfrg] Requirements for curve candidate evalu… Watson Ladd
- Re: [Cfrg] Requirements for curve candidate evalu… William Whyte
- Re: [Cfrg] Requirements for curve candidate evalu… Mike Hamburg
- Re: [Cfrg] Requirements for curve candidate evalu… Benjamin Black
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker
- Re: [Cfrg] Requirements for curve candidate evalu… David Jacobson
- Re: [Cfrg] Requirements for curve candidate evalu… Salz, Rich
- Re: [Cfrg] Requirements for curve candidate evalu… Salz, Rich
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker
- Re: [Cfrg] Requirements for curve candidate evalu… Benjamin Black
- Re: [Cfrg] Requirements for curve candidate evalu… Benjamin Black
- Re: [Cfrg] Requirements for curve candidate evalu… Alyssa Rowan
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker
- Re: [Cfrg] Requirements for curve candidate evalu… Alyssa Rowan
- Re: [Cfrg] Requirements for curve candidate evalu… Watson Ladd
- Re: [Cfrg] Requirements for curve candidate evalu… D. J. Bernstein
- Re: [Cfrg] Requirements for curve candidate evalu… Tanja Lange
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker