IETF Logo Mail Archive

Re: [Cfrg] Progress on curve recommendations for TLS WG

Watson Ladd <watsonbladd@gmail.com> Fri, 15 August 2014 14:29 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEBB21A8A64 for <cfrg@ietfa.amsl.com>; Fri, 15 Aug 2014 07:29:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N6vr3M4jsGOz for <cfrg@ietfa.amsl.com>; Fri, 15 Aug 2014 07:29:07 -0700 (PDT)
Received: from mail-yk0-x22b.google.com (mail-yk0-x22b.google.com [IPv6:2607:f8b0:4002:c07::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 597441A0AEF for <cfrg@irtf.org>; Fri, 15 Aug 2014 07:29:07 -0700 (PDT)
Received: by mail-yk0-f171.google.com with SMTP id 19so2121757ykq.16 for <cfrg@irtf.org>; Fri, 15 Aug 2014 07:29:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=8lelvuGaqE91Kar1fX0eOEB3d+Aoqw8U/qlbXEE74Qo=; b=weWb3VHCRmtaoWpMxMfzmTkY+2xPixr4Pp7bNokkPOx2djm4/uoUJHWssodkX8mMbL A6fZaI9fwnqxltgTNsUbvZKqBorUJqh2jI7nrCXKTl2HgnBRIyjS/59jYKNUhEJHromQ b/QWbhwjoFsMBqusVRKrQU8AgQFy0xG2VP7PUjSqra+GYZ3m/7J0RIiAogSEXBYnV77L 3z/E3G/LJUx4pTIsO6LZZqLc8Mo3jUdf8n2q24DNUawetmdcocsemQ0iKHfaDlAQ9mO6 XeOWbkdluJeDI3i/YV6Ch6r4a1ku3i0Jv5gx4PXZvf2+ZxkbN9d/9f0LmB/RxnBhUm4D 1Vrw==
MIME-Version: 1.0
X-Received: by 10.236.134.208 with SMTP id s56mr27608853yhi.4.1408112946627; Fri, 15 Aug 2014 07:29:06 -0700 (PDT)
Received: by 10.170.202.8 with HTTP; Fri, 15 Aug 2014 07:29:06 -0700 (PDT)
Received: by 10.170.202.8 with HTTP; Fri, 15 Aug 2014 07:29:06 -0700 (PDT)
In-Reply-To: <53EE17A9.7080408@secunet.com>
References: <20140801013659.11640.qmail@cr.yp.to> <53EDEB0D.9040304@secunet.com> <925e123f-d396-443f-9fc7-b1f6601bcd4c@email.android.com> <53EE17A9.7080408@secunet.com>
Date: Fri, 15 Aug 2014 07:29:06 -0700
Message-ID: <CACsn0c=eS-=6dapjrw07uEbxW0MHqn6=3caftfA6geZNOUcu9w@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Johannes Merkle <johannes.merkle@secunet.com>
Content-Type: multipart/alternative; boundary="20cf303a2bbbfccc7e0500abd7e6"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/B_0W9YhL1v_3Evjdxu8dI7jOSg0
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Progress on curve recommendations for TLS WG
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Aug 2014 14:29:09 -0000

On Aug 15, 2014 7:23 AM, "Johannes Merkle" <johannes.merkle@secunet.com>
wrote:
>
> Alyssa Rowan wrote on 15.08.2014 14:35:
> > Respectfully, deferring choices made in the curve generation process
back to ANSI X9.62 (even though it may have
> > made sense at the time) doesn't alleviate any potential concerns about
lack of rigidity in those choices; it merely
> > means they weren't Brainpool's own choices, and no-one thought to
question them at the time quite as deeply as they
> > do today.
> >
> > If X9.62's choices had full, rigid, transparent explanations, perhaps
this discussion would have not arisen, and in
> > that vein perhaps neither would Brainpool? But they did not (and
although Certicom/NSA indeed seem to have
> > performed a brute-force seed search for the SECG/NIST curves, we may
never be certain what all the parameters of
> > that search were): so here we are.
> >
>
>
> The issue many people on this list (including me) have with the NIST
curves is not the curve generation method but the
> unexplained seeds. If you mean to imply that the method itself is
suspicious, independent of the seeds, then this is a
> position I have not yet seen expressed, and I doubt that many people will
find it plausible.
>
> Actually, this is the core of the problem with the discussion on
rigidity: It is more about sense than about facts. Do
> you feel comfortable with this generation procedure or with those
constants, or with others? Something that you might
> deem very straightforward and rigid may look arbitrary and even
suspicious to others. Rigidity can not be measured
> objectively. This makes it easy to argue against one or the other
approach.
>
> It is important that, whatever curves CFRG selects, anyone can feel
comfortable with their rigidity and that there
> will be no doubts about their security and the lack of back-doors. The
BADA55 paper and the post I was responding to,
> though intended to be provocative and entertaining, introduce FUD in that
respect and are contra-productive. I am
> quite sure that one could also construct a "one in a million curve" using
a seed-less approach very similar to
> curve25519, but this would only introduce more unjustified discredit and
FUD.
>

Hic rhodes, hic saltus.

> We should focus on establishing trust not FUD.
>
> --
> Johannes
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email