IETF Logo Mail Archive

Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices

Alyssa Rowan <akr@akr.io> Fri, 21 November 2014 13:43 UTC

Return-Path: <akr@akr.io>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 504601A026C for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 05:43:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.502
X-Spam-Level:
X-Spam-Status: No, score=-0.502 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iZ1x8G5L8gW3 for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 05:43:35 -0800 (PST)
Received: from entima.net (entima.net [78.129.143.175]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C164E1A0169 for <cfrg@irtf.org>; Fri, 21 Nov 2014 05:43:35 -0800 (PST)
In-Reply-To: <201411211351.04473.manfred.lochter@bsi.bund.de>
References: <8FBEB0194016E64D9DF7E7855CD88E0C073A6D@FRPASERV0088.emea.oberthurcs.com> <201411200901.53517.manfred.lochter@bsi.bund.de> <CACsn0cmV6aOMx+eiLa0iP7rYiU4ZVmeDbNPhTSz_a6oU1=kWjA@mail.gmail.com> <201411211351.04473.manfred.lochter@bsi.bund.de>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
From: Alyssa Rowan <akr@akr.io>
Date: Fri, 21 Nov 2014 13:43:29 +0000
To: "Lochter, Manfred" <manfred.lochter@bsi.bund.de>, Watson Ladd <watsonbladd@gmail.com>
Message-ID: <06AAD770-F7E8-48CD-A9D4-B008E59A4F59@akr.io>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/D3WSahjlLY4dg6jNSD7dhJ441ig
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Nov 2014 13:43:38 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 21 November 2014 12:51:04 GMT+00:00, "Lochter, Manfred" <manfred.lochter@bsi.bund.de> wrote:

>> [Watson Ladd] When my mobile phone's browser connects to a website whose certificate is signed by P384, a P384 verification better take place. Not supporting P384 introduces an interoperability problem.
> [Manfred Lochter] I'm glad that you agree with my previously stated position that 384-bit curves are needed.

No, with respect, I think perhaps you may have simply misunderstood what he's saying here.

What Watson is talking about is simply the practical requirement that many TLS-supporting peers will have to continue to support the NIST curves in existing deployments - because existing ECC root CAs in the PKIX tree, such as Comodo's, are apparently all using ECDSA_P384_SHA384 (i.e., the NIST curve secp384r1), and naturally they will need to verify that chain of trust to remain secure.

However, the NIST curves are of course firmly outside the scope of our recommendations here; such a legacy consideration regarding the NIST curves has no bearing at all on what curves we may choose, or not, to recommend.

secp384r1 appears to have particularly unfortunate performance in software, and this can have some impact on mobile devices forced to use it for interoperability (they almost always have no hardware acceleration for it). That is the context of Watson's post, I believe?

As discussed previously, there are no particuarly efficient special primes in the immediate area of 2^384, and as a result there are several curves such as Curve41417 and Ed448-Goldilocks which are both faster (in software) and stronger than secp384r1.


Regarding side channel defences, I refer you to my previous replies and reference above. I note again that the NIST curves are themselves special primes, and are quite widely deployed with plenty of 'high-assurance' implementations of them already: clearly therefore, most competent vendors have had no insurmountable problems producing implementations with effective side-channel defenses for special prime fields.

- --
/akr
-----BEGIN PGP SIGNATURE-----
Version: APG v1.1.1

iQI3BAEBCgAhBQJUb0GBGhxBbHlzc2EgUm93YW4gPGFrckBha3IuaW8+AAoJEOyE
jtkWi2t6Gc4QAL7Q1BiytPBO84yeVMtOoioipnDiLJfQEatl7tWinARiHJT6evPC
1E3Wdm6JIfHERJEjNmcMr0TR4YH9Fn7NWXsKgZIqWX+uwo+rS3cnfDwSMUVK+tVK
5kJIF/CJAoOOwwugZ7KDFYZSDLErEMXexxAmABrBYe6y5zmVBTzudhO020MGiGiM
bGJlt2FLri4u4Yez4tmj8Ky2yIciGZa6zNJroooH/VUudcWZmk2hnloJTfEqSvHT
oeNQ7a7wHd3UlVkg4u4gvGxeCxH+ikeNmNfMA6cJ1lm8uglBrE5+alRKlUwtVxtL
R7y3bPK+0h7Hq1D+jqMUyDLQsp/65yX2cOvPMlSStJk6/AnaBm19XU63JN04sZ7y
z3z6huJ9WEEsdGs8kzJ+2jKHIMvvSmObqNg+Wd6hwKz3pYjY+9nCd3bO3ORV/pOz
S6H9X1sPye+laqphw5/wBTtM7FcawqdFGNit7qNf/Ne0cVxD4jbvugqfuwDV/xtO
4xHORPZjcBj2I6i6EgQhTrUs5wMNSIPfF5uT/RgA1UDgFNNlYjJ5ZhIurBbmtBRq
kFCWSlrODtYPpoZ4xoOtthu/DGlm8dkbb79HQaCuRUziEUm7y5lKPluqbUms7ewM
g6xXGTOTO+u+v8dEknimvpxnd8xxZ3/sof/nQBZeo18a3ZK2CReFbkZQ
=a5/K
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email