Re: [Cfrg] Progress on curve recommendations for TLS WG

Watson Ladd <> Fri, 15 August 2014 14:29 UTC

From: Watson Ladd <>
To: Johannes Merkle <>

On Aug 15, 2014 7:23 AM, "Johannes Merkle" <> wrote:
> Alyssa Rowan wrote on 15.08.2014 14:35:
> > Respectfully, deferring choices made in the curve generation process back to ANSI X9.62 (even though it may have made sense at the time) doesn't alleviate any potential concerns about lack of rigidity in those choices; it merely means they weren't Brainpool's own choices, and no-one thought to question them at the time quite as deeply as they do today.
> >
> > If X9.62's choices had full, rigid, transparent explanations, perhaps this discussion would have not arisen, and in that vein perhaps neither would Brainpool? But they did not (and although Certicom/NSA indeed seem to have performed a brute-force seed search for the SECG/NIST curves, we may never be certain what all the parameters of that search were): so here we are.
> >
> The issue many people on this list (including me) have with the NIST curves is not the curve generation method but the unexplained seeds. If you mean to imply that the method itself is suspicious, independent of the seeds, then this is a position I have not yet seen expressed, and I doubt that many people will find it plausible.
>
> Actually, this is the core of the problem with the discussion on rigidity: it is more about sense than about facts. Do you feel comfortable with this generation procedure or with those constants, or with others? Something that you might deem very straightforward and rigid may look arbitrary and even suspicious to others. Rigidity cannot be measured objectively. This makes it easy to argue against one or the other.
>
> It is important that, whatever curves CFRG selects, anyone can feel comfortable with their rigidity and that there will be no doubts about their security and the lack of back-doors. The BADA55 paper and the post I was responding to, though intended to be provocative and entertaining, introduce FUD in that respect and are counter-productive. I am quite sure that one could also construct a "one in a million curve" using a seed-less approach very similar to curve25519, but this would only introduce more unjustified discredit and

Hic rhodes, hic saltus.

> We should focus on establishing trust not FUD.
> --
> Johannes