Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices
"Lochter, Manfred" <manfred.lochter@bsi.bund.de> Thu, 20 November 2014 08:02 UTC
From: "Lochter, Manfred" <manfred.lochter@bsi.bund.de>
Organization: BSI Bonn
To: cfrg@irtf.org
Date: Thu, 20 Nov 2014 09:01:53 +0100
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/9aucYc1EIfTXJlisUbs3QD2UM8k
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

> Of course, you don't need to take my word for it: Cloudflare was very
> clear that widespread ECDSA support was essential to making TLS free.
> Mobile devices are having issues with verification times for NIST
> P384. V2V proposals involve a staggering number of verifications a
> second, but oddly enough don't use batching or efficient signatures,
> thus forcing larger, more expensive hardware.
>

Is there really a requirement for mobile devices to use a 384 bit curve? Why is 256 not sufficient? In which scenarios do you see the necessity to use P-384? Which specific mobile devices are having issues with verification times? Are they having these problems only in connection with the proposed protocols you mention?

>
> I have never seen an adequate explanation of why p random is needed
> for security. What I have seen is an explanation of particular
> blinding measures that only work with p random. But there are blinding
> measures that don't depend on random p, that are more efficient.
> Furthermore, if hardware already deals with the NIST curves, it has to
> deal with nonrandom p already.

Which specific more efficient blinding measures are you addressing? Could you provide sources? What does efficient mean for these countermeasures? A better protection against SCA or higher speed? Or lower cost? How is the patent situation for these countermeasures?

Manfred

>
> Sincerely,
> Watson Ladd
>
> > [1] https://www.igvita.com/2012/07/19/latency-the-new-web-performance-bottleneck/
> >
> > [2] https://eprint.iacr.org/2014/130.pdf
> >
> > [3] http://www.statisticbrain.com/google-searches/
> >
> > [4] Zero-Value Point Attacks:
> > https://www-old.cdc.informatik.tu-darmstadt.de/reports/TR/TI-03-01.zvp.pdf
> >
> > Franck RONDEPIERRE
> > Oberthur Technologies
> > Technology & Innovation, R&D Cryptography Engineer
> > 420 rue d'Estienne d'Orves | 92700 Colombes | France
> > Phone: +33 (0)1 78 14 73 64 | Fax: +33 (0)1 78 14 70 20
> > E-mail: f.rondepierre@oberthur.com | Web: www.oberthur.com

--
Lochter, Manfred
--------------------------------------------
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Referat K21
Godesberger Allee 185 -189
53175 Bonn

P.O. Box 20 03 63
53133 Bonn

Phone: +49 (0)228 99 9582 5643
Fax: +49 (0)228 99 10 9582 5643
E-Mail: manfred.lochter@bsi.bund.de
Internet: www.bsi.bund.de
www.bsi-fuer-buerger.de