Re: [Cfrg] "Abandoning ECC" — Any replies to "A riddle wrapped in a curve"?

Tony Arcieri <bascule@gmail.com> Fri, 23 October 2015 04:07 UTC

Hi Greg,

I think some context and basic fact-checking is in order.

I read the Koblitz paper[1] before Matt Green blogged about it and have
been discussing it with several people. I found it rather interesting;
however, much of what it describes is about the early history of ECC
(particularly in the 1990s) and the "verifiably random" process used by
NIST for generating their curves. I'd say Brainpool used a similar process,
but it turns out that if you actually try to verify their curves, they
screwed up[2].

I am not sure why you are quoting the phrase "Abandoning ECC" in the
subject line of your email, as it appears in neither the Matt Green blog
post nor the Koblitz paper. If you actually read the Koblitz paper,
hypothetical claims that we should "abandon ECC altogether" (actually in
the paper) are countered by phrasing like "This scenario is highly
implausible for several reasons" and claims that it is "preferable to use
other curves (either the Edwards curves recommended by Bernstein-Lange
[5, 6], or the curves being promoted by the Microsoft group [10], or
perhaps some others)", which is exactly what the CFRG is doing. The "rigid"
curve generation guidelines described in draft-irtf-cfrg-curves were the
subject of a painful, rather long bikeshedding debate; however, I think the
result is a foundation for trust in next-generation ECC standards which are
not susceptible to the sorts of attacks discussed in the Koblitz paper, and
in fact the paper specifically calls out curves generated in this fashion
as being such.

The larger concern cited by both the Koblitz paper and Matt Green's blog
post is that the NSA feels it is urgent to move to post-quantum
cryptography. I'll quote Matt Green:

"despite the fact that quantum computers seem to be a long ways off and
reasonable quantum-resistant replacement algorithms are nowhere to be seen,
NSA decided to make this announcement publicly and not quietly behind the
scenes. Weirder still, if you haven’t yet upgraded to Suite B, you are now
being urged not to. In practice, that means some firms will stay with
algorithms like RSA rather than transitioning to ECC at all. And RSA is
also vulnerable to quantum attacks."

This is a legitimate concern, and perhaps ECC is not long for this world,
but if the threat is large quantum computers which can break the ECC
algorithms we use today, RSA and all other "pre-quantum" algorithms will be
affected too. And per Matt Green: the post-quantum algorithms are not only
slow but we are still not certain of their security properties.

If anything, I hope the takeaway for the CFRG is that, after the current
ECC standardization work is done, perhaps it would be prudent to move on to
evaluating post-quantum algorithms and standardizing them for use in e.g.
TLS. I suspect this is probably already on the chairs' roadmap.

[1]: https://eprint.iacr.org/2015/1018.pdf
[2]: http://bada55.cr.yp.to/brainpool.html