Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices
Alyssa Rowan <akr@akr.io> Fri, 21 November 2014 13:43 UTC
Return-Path: <akr@akr.io>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 504601A026C for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 05:43:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.502
X-Spam-Level:
X-Spam-Status: No, score=-0.502 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iZ1x8G5L8gW3 for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 05:43:35 -0800 (PST)
Received: from entima.net (entima.net [78.129.143.175]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C164E1A0169 for <cfrg@irtf.org>; Fri, 21 Nov 2014 05:43:35 -0800 (PST)
In-Reply-To: <201411211351.04473.manfred.lochter@bsi.bund.de>
References: <8FBEB0194016E64D9DF7E7855CD88E0C073A6D@FRPASERV0088.emea.oberthurcs.com> <201411200901.53517.manfred.lochter@bsi.bund.de> <CACsn0cmV6aOMx+eiLa0iP7rYiU4ZVmeDbNPhTSz_a6oU1=kWjA@mail.gmail.com> <201411211351.04473.manfred.lochter@bsi.bund.de>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
From: Alyssa Rowan <akr@akr.io>
Date: Fri, 21 Nov 2014 13:43:29 +0000
To: "Lochter, Manfred" <manfred.lochter@bsi.bund.de>, Watson Ladd <watsonbladd@gmail.com>
Message-ID: <06AAD770-F7E8-48CD-A9D4-B008E59A4F59@akr.io>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/D3WSahjlLY4dg6jNSD7dhJ441ig
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Nov 2014 13:43:38 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 21 November 2014 12:51:04 GMT+00:00, "Lochter, Manfred" <manfred.lochter@bsi.bund.de> wrote: >> [Watson Ladd] When my mobile phone's browser connects to a website whose certificate is signed by P384, a P384 verification better take place. Not supporting P384 introduces an interoperability problem. > [Manfred Lochter] I'm glad that you agree with my previously stated position that 384-bit curves are needed. No, with respect, I think perhaps you may have simply misunderstood what he's saying here. What Watson is talking about is simply the practical requirement that many TLS-supporting peers will have to continue to support the NIST curves in existing deployments - because existing ECC root CAs in the PKIX tree, such as Comodo's, are apparently all using ECDSA_P384_SHA384 (i.e., the NIST curve secp384r1), and naturally they will need to verify that chain of trust to remain secure. However, the NIST curves are of course firmly outside the scope of our recommendations here; such a legacy consideration regarding the NIST curves has no bearing at all on what curves we may choose, or not, to recommend. secp384r1 appears to have particularly unfortunate performance in software, and this can have some impact on mobile devices forced to use it for interoperability (they almost always have no hardware acceleration for it). That is the context of Watson's post, I believe? As discussed previously, there are no particuarly efficient special primes in the immediate area of 2^384, and as a result there are several curves such as Curve41417 and Ed448-Goldilocks which are both faster (in software) and stronger than secp384r1. Regarding side channel defences, I refer you to my previous replies and reference above. I note again that the NIST curves are themselves special primes, and are quite widely deployed with plenty of 'high-assurance' implementations of them already: clearly therefore, most competent vendors have had no insurmountable problems producing implementations with effective side-channel defenses for special prime fields. - -- /akr -----BEGIN PGP SIGNATURE----- Version: APG v1.1.1 iQI3BAEBCgAhBQJUb0GBGhxBbHlzc2EgUm93YW4gPGFrckBha3IuaW8+AAoJEOyE jtkWi2t6Gc4QAL7Q1BiytPBO84yeVMtOoioipnDiLJfQEatl7tWinARiHJT6evPC 1E3Wdm6JIfHERJEjNmcMr0TR4YH9Fn7NWXsKgZIqWX+uwo+rS3cnfDwSMUVK+tVK 5kJIF/CJAoOOwwugZ7KDFYZSDLErEMXexxAmABrBYe6y5zmVBTzudhO020MGiGiM bGJlt2FLri4u4Yez4tmj8Ky2yIciGZa6zNJroooH/VUudcWZmk2hnloJTfEqSvHT oeNQ7a7wHd3UlVkg4u4gvGxeCxH+ikeNmNfMA6cJ1lm8uglBrE5+alRKlUwtVxtL R7y3bPK+0h7Hq1D+jqMUyDLQsp/65yX2cOvPMlSStJk6/AnaBm19XU63JN04sZ7y z3z6huJ9WEEsdGs8kzJ+2jKHIMvvSmObqNg+Wd6hwKz3pYjY+9nCd3bO3ORV/pOz S6H9X1sPye+laqphw5/wBTtM7FcawqdFGNit7qNf/Ne0cVxD4jbvugqfuwDV/xtO 4xHORPZjcBj2I6i6EgQhTrUs5wMNSIPfF5uT/RgA1UDgFNNlYjJ5ZhIurBbmtBRq kFCWSlrODtYPpoZ4xoOtthu/DGlm8dkbb79HQaCuRUziEUm7y5lKPluqbUms7ewM g6xXGTOTO+u+v8dEknimvpxnd8xxZ3/sof/nQBZeo18a3ZK2CReFbkZQ =a5/K -----END PGP SIGNATURE-----
- [Cfrg] Requirements for elliptic curves with a vi… RONDEPIERRE Franck
- Re: [Cfrg] Requirements for elliptic curves with … Dan Brown
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Manuel Pégourié-Gonnard
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Alyssa Rowan
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Andy Lutomirski
- [Cfrg] Handling invalid points D. J. Bernstein
- Re: [Cfrg] Handling invalid points Michael Hamburg
- Re: [Cfrg] Handling invalid points Michael Hamburg
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Handling invalid points Natanael
- Re: [Cfrg] Requirements for elliptic curves with … William Whyte
- Re: [Cfrg] Handling invalid points Ilari Liusvaara
- Re: [Cfrg] Handling invalid points Stephen Farrell
- Re: [Cfrg] Requirements for elliptic curves with … D. J. Bernstein
- Re: [Cfrg] Handling invalid points D. J. Bernstein
- Re: [Cfrg] Handling invalid points Adam Langley