Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices

"Lochter, Manfred" <manfred.lochter@bsi.bund.de> Thu, 20 November 2014 08:02 UTC

From: "Lochter, Manfred" <manfred.lochter@bsi.bund.de>
Organization: BSI Bonn
To: cfrg@irtf.org
Date: Thu, 20 Nov 2014 09:01:53 +0100
References: <8FBEB0194016E64D9DF7E7855CD88E0C073A6D@FRPASERV0088.emea.oberthurcs.com> <CACsn0ckxtztdnBYEF3jtXFizAjkX5mbeciVz=+7dRYjjvNhf0A@mail.gmail.com>
In-Reply-To: <CACsn0ckxtztdnBYEF3jtXFizAjkX5mbeciVz=+7dRYjjvNhf0A@mail.gmail.com>
Message-ID: <201411200901.53517.manfred.lochter@bsi.bund.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/9aucYc1EIfTXJlisUbs3QD2UM8k
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

> Of course, you don't need to take my word for it: Cloudflare was very
> clear that widespread ECDSA support was essential to making TLS free.
> Mobile devices are having issues with verification times for NIST
> P384. V2V proposals involve a staggering number of verifications a
> second, but oddly enough don't use batching or efficient signatures,
> thus forcing larger, more expensive hardware.
>

Is there really a requirement for mobile devices to use a 384-bit curve? Why
is 256 not sufficient? In which scenarios do you see the necessity to use
P-384? Which specific mobile devices are having issues with verification
times? Are they having these problems only in connection with the proposed
protocols you mention?
>
> I have never seen an adequate explanation of why p random is needed
> for security. What I have seen is an explanation of particular
> blinding measures that only work with p random. But there are blinding
> measures that don't depend on random p, that are more efficient.
> Furthermore, if hardware already deals with the NIST curves, it has to
> deal with nonrandom p already.

Which specific more efficient blinding measures are you addressing? Could you 
provide sources?
What does efficient mean for these countermeasures? A better protection 
against SCA or higher speed? Or lower cost?
How is the patent situation for these countermeasures?

Manfred

>
> Sincerely,
> Watson Ladd
>

-- 
Lochter, Manfred
--------------------------------------------
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Referat K21
Godesberger Allee 185 -189
53175 Bonn

Postfach 20 03 63
53133 Bonn

Telefon: +49 (0)228 99 9582 5643
Telefax: +49 (0)228 99 10 9582 5643
E-Mail: manfred.lochter@bsi.bund.de
Internet:
www.bsi.bund.de
www.bsi-fuer-buerger.de