[Cfrg] Requirements for curve candidate evaluation update

Benjamin Black <b@b3k.us> Tue, 12 August 2014 21:59 UTC

Return-Path: <b@b3k.us>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 8CFF21A01E4 for <cfrg@ietfa.amsl.com>; Tue, 12 Aug 2014 14:59:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id KaTmSKkYVvLB for <cfrg@ietfa.amsl.com>; Tue, 12 Aug 2014 14:59:12 -0700 (PDT)
Received: from mail-wi0-f176.google.com (mail-wi0-f176.google.com []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 024181A00D8 for <cfrg@ietf.org>; Tue, 12 Aug 2014 14:59:11 -0700 (PDT)
Received: by mail-wi0-f176.google.com with SMTP id bs8so6536417wib.9 for <cfrg@ietf.org>; Tue, 12 Aug 2014 14:59:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-type; bh=qVbAn8OGujf/k1a7LoQnZbC/Lpe0HNAT8J/uRrwBWwc=; b=X13sCjSVpsevTRWZZ6353+FQIq/Z7M6QVBKfmpd3lQQXPwGCl1WOBA/P0/57rQ6Kpz 3mjkb8fYAnF1Nkstspv+4Nbpd0yLMJ7R+AkmgG+B9XR1S5WaGoZUMlcAN768545VVHul FwmhJYlSM7GAZHrBn1HNmza8ljsN1L+KcEdkmuskPUfwYiMfryd6NwfNKAxFzPD+MtXl MbMJiISaEjimrDNrGJc47FMsEz+AOz+/GajGdfWo1p9KSkh4Rb6MHxZdR1K/EOADLAPE H5dIln8p4ZKrR7XIHUxTslZsoDevUgeqRyAsiehRtWMnQz5jCCzva+Qui7dambqkwNM6 amEQ==
X-Gm-Message-State: ALoCoQmpWzJKAn8ExUd3zBDa547O/xySbNl+CaxQvXAmuwkgJlfo7j1sxfpl3YVD5Ph+vyEAxtnw
X-Received: by with SMTP id rw20mr339011wjb.69.1407880750580; Tue, 12 Aug 2014 14:59:10 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Tue, 12 Aug 2014 14:58:50 -0700 (PDT)
From: Benjamin Black <b@b3k.us>
Date: Tue, 12 Aug 2014 14:58:50 -0700
Message-ID: <CA+Vbu7wuAcmtAKJYEgAaSBTf6sj8pRfYpJhz2qV_ER=33mrk8Q@mail.gmail.com>
To: Brian LaMacchia <bal@microsoft.com>
Content-Type: multipart/alternative; boundary=089e013a27c40666a7050075c828
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/6XSrIALCXk8yLzHCBllhjLxgNxM
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: [Cfrg] Requirements for curve candidate evaluation update
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Aug 2014 21:59:13 -0000

 The CFRG, while part of IRTF, cannot separate itself from the practical
demands of IETF. The CFRG brings a different set of skills to bear, but the
outcome of its work must be pragmatic. The original list of requirements in
the request forwarded by Kenny reflected the required pragmatism in asking
only for new curves based on the 15 years of research and deployment
experience with the NIST curves. Every other aspect of the problem was and
is constrained by the existing RFCs, existing installed base, and existing
customer expectations.

Returning to the engineering requirements for new curves, the curves must
take into consideration the well-established fact that many implementations
will not be authored by professional cryptographers and almost no users of
systems relying on them will be professional cryptographers. If we require,
rather than allow, multiple curve models be implemented to support
different algorithms or for different security levels, we are increasing
complexity and hence opportunities for security and interoperability
errors. If we require new security levels, we are again working against the
existing protocols, implementation and deployment experience, customer
expectations, even user interfaces. None of these can simply be dismissed
because they are inconvenient. They are the facts on the ground.

1. Curves must be generated using a rigid process, and the more rigid the

2.  The curves we recommend should only require implementation of a single
curve model, which implies:

  a) ECDHE and ECDSA must be supported with a single curve model.

  b) The same curve model must be used for all security levels.

3. For the purposes of evaluating candidates, ephemeral in ECDHE means used
exactly once per key exchange.

4. The security levels are 128, 192, and 256 bits and each curve will only
be evaluated at one of those levels.

5. No changes to coordinate wire formats.

The outcome of these is that we need 3 rigidly generated  curves in either
short Weierstrass or twisted Edwards form. Anything beyond that should be
addressed at a later point, and should not block progress on this specific
request for new curves.