Re: [Cfrg] When's the decision?

"Parkinson, Sean" <> Fri, 17 October 2014 08:51 UTC

From: "Parkinson, Sean" <>
To: "Paterson, Kenny" <>
Date: Fri, 17 Oct 2014 04:42:09 -0400
Subject: Re: [Cfrg] When's the decision?

While I still think that X25519 has speed and implementation simplicity advantages over numsp256t1, the fact that it can only be used for key exchange makes it difficult to recommend - you need another curve implementation anyway.
X25519 is already in use and, even if the CFRG don't recommend it, I believe it will be used - any speed advantage, despite code complexity cost, will be taken by implementers.

How this relates to other possible Montgomery curves I don't know. When a decision is made on the stronger curve a Montgomery equivalent may appear.

Sean Parkinson | Consultant Software Engineer | RSA, The Security Division of EMC
Office +61 7 3032 5232 | Fax +61 7 3032 5299

-----Original Message-----
From: Paterson, Kenny [] 
Sent: Friday, 17 October 2014 2:35 AM
To: Parkinson, Sean;
Subject: Re: [Cfrg] When's the decision?


Are you planning to bring additional information on the issues that you refer to below to the list?

Your additional input would be most welcome of course, but without concrete details, it's difficult to factor your initial comments below into our deliberations.



On 08/10/2014 23:51, "Parkinson, Sean" <> wrote:

>I have concerns about a decision being made about which curves to 
>recommend 'before Halloween'.
>I am unaware of 3rd parties implementing and confirming all the curves 
>that have been proposed.
>Making a decision on new elliptic curves based on data that hasn't been 
>corroborated by a 3rd party is bad practice.
>I have been implementing as many of the curves as I can and my 
>performance results, so far, do not always match those that I have seen 
>in papers.
>Also, I am concerned that, while some curves are being implemented to 
>be constant time, not all curves are being implemented to be cache 
>attack resistant. Either all implementations need to be resistant or 
>all implementations not. Only then can a true comparison be made.
>Until these issues are dealt with I feel there is not sufficient 
>information to make a decision.
>Sean Parkinson | Consultant Software Engineer | RSA, The Security Division of EMC
>Office +61 7 3032 5232 | Fax +61 7 3032 5299
>Cfrg mailing list
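Added example, not code from this thread nor from any of the implementations Sean mentions: a C sketch of the X25519-style x-only Montgomery ladder (the RFC 7748 formulas) over a toy 31-bit prime, with the secret-dependent conditional swap written both the branching way and the masked constant-time way, plus a check that the ladder commutes the way a key exchange must. The prime p = 2^31 - 1, the curve constant A = 486662 and the scalars are assumptions chosen for illustration; only the swap is constant time here, the toy field arithmetic (which uses `%`) is not, which is exactly the kind of gap between "constant time" and "cache-attack resistant" that makes benchmark numbers hard to compare.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy field GF(p), p = 2^31 - 1 (assumption: small enough that products fit in 64 bits).
 * The arithmetic below is NOT constant time; it only serves the ladder structure. */
#define P   2147483647u
#define A24 121666u   /* (A + 2) / 4 for the Curve25519 constant A = 486662 */

static uint32_t fadd(uint32_t a, uint32_t b) { return (uint32_t)(((uint64_t)a + b) % P); }
static uint32_t fsub(uint32_t a, uint32_t b) { return (uint32_t)(((uint64_t)a + P - b) % P); }
static uint32_t fmul(uint32_t a, uint32_t b) { return (uint32_t)(((uint64_t)a * b) % P); }

/* Inversion by Fermat: a^(p-2). The exponent is a public constant, so the branch on it
 * leaks nothing secret. */
static uint32_t finv(uint32_t a) {
    uint32_t r = 1, e = P - 2;
    while (e) { if (e & 1u) r = fmul(r, a); a = fmul(a, a); e >>= 1; }
    return r;
}

/* Branching swap: the taken/not-taken branch depends on a secret bit, so timing and the
 * instruction cache reveal the scalar bit by bit. */
void branchy_cswap(uint32_t swap, uint32_t *a, uint32_t *b) {
    if (swap & 1u) { uint32_t t = *a; *a = *b; *b = t; }
}

/* Masked swap: same memory and instruction trace whether or not the bit is set. */
void ct_cswap(uint32_t swap, uint32_t *a, uint32_t *b) {
    uint32_t mask = 0u - (swap & 1u);   /* all ones if swap, all zeros otherwise */
    uint32_t t = mask & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

/* x-only Montgomery ladder: returns the u-coordinate of [k]P given u(P).
 * 'constant_time' is a public selector for which swap to use, so branching on it is fine. */
uint32_t x_ladder(uint32_t k, uint32_t u, int constant_time) {
    uint32_t x1 = u, x2 = 1, z2 = 0, x3 = u, z3 = 1, swap = 0;
    for (int t = 31; t >= 0; t--) {
        uint32_t kt = (k >> t) & 1u;
        swap ^= kt;
        if (constant_time) { ct_cswap(swap, &x2, &x3);      ct_cswap(swap, &z2, &z3); }
        else               { branchy_cswap(swap, &x2, &x3); branchy_cswap(swap, &z2, &z3); }
        swap = kt;
        /* Differential addition and doubling, as in RFC 7748 section 5 */
        uint32_t A = fadd(x2, z2), AA = fmul(A, A);
        uint32_t B = fsub(x2, z2), BB = fmul(B, B);
        uint32_t E = fsub(AA, BB);
        uint32_t C = fadd(x3, z3), D = fsub(x3, z3);
        uint32_t DA = fmul(D, A), CB = fmul(C, B);
        uint32_t s = fadd(DA, CB), d = fsub(DA, CB);
        x3 = fmul(s, s);
        z3 = fmul(x1, fmul(d, d));
        x2 = fmul(AA, BB);
        z2 = fmul(E, fadd(AA, fmul(A24, E)));
    }
    if (constant_time) { ct_cswap(swap, &x2, &x3);      ct_cswap(swap, &z2, &z3); }
    else               { branchy_cswap(swap, &x2, &x3); branchy_cswap(swap, &z2, &z3); }
    return fmul(x2, finv(z2));
}

/* Key-exchange sanity check: both parties must derive the same u([ab]P). */
int dh_commutes(uint32_t a, uint32_t b, uint32_t u) {
    uint32_t ab = x_ladder(a, x_ladder(b, u, 1), 1);
    uint32_t ba = x_ladder(b, x_ladder(a, u, 1), 1);
    return ab == ba;
}

/* Self-check of the masked swap against the obvious semantics. */
int cswap_self_check(void) {
    uint32_t a = 5, b = 7;
    ct_cswap(1, &a, &b);
    if (a != 7 || b != 5) return 0;
    ct_cswap(0, &a, &b);
    return a == 7 && b == 5;
}

int main(void) {
    uint32_t a = 123456789u, b = 987654321u, u = 9u;  /* constructed sample values */
    printf("branchy == masked: %d\n", x_ladder(a, u, 1) == x_ladder(a, u, 0));
    printf("DH commutes:       %d\n", dh_commutes(a, b, u));
    return 0;
}
```

Both swap variants compute the same point, which is the whole difficulty Sean raises: a benchmark cannot tell the two apart, only a timing or cache-trace measurement can, so performance figures are only comparable once every implementation under test uses the masked form (and constant-time field arithmetic, which this toy deliberately omits).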