Re: [Cfrg] On "non-NIST"

Phillip Hallam-Baker <phill@hallambaker.com> Sat, 28 February 2015 17:39 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E437B1A7007 for <cfrg@ietfa.amsl.com>; Sat, 28 Feb 2015 09:39:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R0MvD3SG8B_A for <cfrg@ietfa.amsl.com>; Sat, 28 Feb 2015 09:39:10 -0800 (PST)
Received: from mail-lb0-x22d.google.com (mail-lb0-x22d.google.com [IPv6:2a00:1450:4010:c04::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97F661A1BF5 for <cfrg@irtf.org>; Sat, 28 Feb 2015 09:39:09 -0800 (PST)
Received: by lbiv13 with SMTP id v13so4052805lbi.11 for <cfrg@irtf.org>; Sat, 28 Feb 2015 09:39:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=cSjOKS678Tov6X1/oCIzTAP12TOlHPPxpa1Vo+nO25o=; b=oNJD4Boj7WQimlSFwXr4WlBrNeWhRuKfU1+R0YYPcx3x8F8r5ea0qpQnm3tD6r8GL5 +BxXM9NaI4Tc3P2sZ6FvdQBCtE/+UH9GQC/NCnzK35rclkliYdsKp0t/Y2DsJtsmoEuf OTmJ6fmkd0UaD+NCQ/Bqg9a2lsGqtcCBeOpJYUESxTUX4FgzMUXzP3qWPyH+6Hmr8D7e WqLSfydZZx9vbewrEBK6BxJKi65sZpIf+uJCxV/aOsHdv9JV7pNUnR0F2VW43whOKvab OrfoEYMV3imuV49YjH/bsi+gSEZZCaxKCrQGOQFDAR0PPpatYsaeTGAUyvji15DgkUNu gijA==
MIME-Version: 1.0
X-Received: by 10.152.191.135 with SMTP id gy7mr17268045lac.91.1425145147989; Sat, 28 Feb 2015 09:39:07 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.113.3.165 with HTTP; Sat, 28 Feb 2015 09:39:07 -0800 (PST)
In-Reply-To: <CACsn0ckHyRiLBiRe9Vg4TJMUg-+c8vbB2e-QKuHbuZ_NiqC2UA@mail.gmail.com>
References: <9A043F3CF02CD34C8E74AC1594475C73AAF91123@uxcn10-5.UoA.auckland.ac.nz> <BE305B0B-80D2-48C6-ACE6-6F6544A04D69@vpnc.org> <CACsn0ckHyRiLBiRe9Vg4TJMUg-+c8vbB2e-QKuHbuZ_NiqC2UA@mail.gmail.com>
Date: Sat, 28 Feb 2015 12:39:07 -0500
X-Google-Sender-Auth: tBcsLbKFeSiLnv0daSl2BWqdA8A
Message-ID: <CAMm+Lwiqn9rXoaJx6vO8ULcd4aJeLqcCAcLMyckCLWYRjPLYEg@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary=001a1134303a4ca72c0510297649
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/9rTg8UpqiCVozvEpTOcRiQYLQHk>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Subject: Re: [Cfrg] On "non-NIST"
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Feb 2015 17:39:12 -0000

On Sat, Feb 28, 2015 at 12:17 PM, Watson Ladd <watsonbladd@gmail.com> wrote:

> On Sat, Feb 28, 2015 at 7:41 AM, Paul Hoffman <paul.hoffman@vpnc.org>
> wrote:
> > On Feb 28, 2015, at 12:59 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz>
> wrote:
> >>
> >> Paul Hoffman <paul.hoffman@vpnc.org> writes:
> >>
> >>> The term "non-NIST" is predictive, and the crypto community kinda
> sucks at
> >>> predictions. We have no idea what NIST will do in the future if a
> bunch of
> >>> IETF WGs adopt specific elliptic curves that are not P256/P384.
> >>
> >> Why is NIST seen as the ultimate arbiter of what's appropriate though?
> >
> > Not "the", but "an". The reason is that NIST controls what can and
> cannot be given a FIPS-140 certification, and that certification is
> considered important both by companies who want to sell to the US Govt and
> companies that use their certification as a statement that "we did it
> right". If you make an HSM that uses an algorithm not allowed by NIST, you
> cannot get it certified in the CMVP regime. Thus, when NIST is slow to keep
> up with the best practices adopted by the community, it becomes a roadblock
> to deploying better crypto.
>
> This is factually untrue: CMVP certified modules are permitted to
> implement other algorithms: they just can't be in FIPS mode when those
> are used. I also don't see how NIST approval or lack thereof slowed
> down RC4 deployment or accelerated SHA1 replacing MD5.
>
> The reality is lots of new designs are using Curve25519 and Ed25519.
> That's because of factors like simple design of APIs, high
> performance, and very good security. Standards body acceptance is not
> a concern here. Just as the reality is that E-521 was picked by
> Brazil, while the new GOST is still being worked on, and the upper
> size limit is just a random number. But never mind reality: we've got
> to expose "signs of strength". We need big numbers for marketing:
> never mind attackers can't break authentication in the future, while
> mobile devices already struggle to validate certificates. We need to
> vote on endianness: nothing more needs to be said.
>
> Is anyone surprised we've become a punchline?
>
> Sincerely,
> Watson Ladd
>
> >
> > This is why we hope that, when this RG finally moves on both the the
> curve and the signing algorithm, NIST adds those to its list of acceptable
> crypto for the FIPS 140 testing. If they don't, people can still deploy it,
> but deployment will be hampered.
> >
> > --Paul Hoffman
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > http://www.irtf.org/mailman/listinfo/cfrg


US NIST chose P521
Brazil chose P521

Isn't that a pattern emerging?