[Cfrg] "Abandoning ECC" — Any replies to "A riddle wrapped in a curve"?

Tao Effect <contact@taoeffect.com> Fri, 23 October 2015 02:16 UTC


Matthew Green references [cfrg] and this email specifically: https://www.ietf.org/mail-archive/web/cfrg/current/msg06426.html

From this blog post: http://blog.cryptographyengineering.com/2015/10/a-riddle-wrapped-in-curve.html

In it he says there’s an argument for abandoning all of ECC, including curve25519.

<BEGIN>

By calculating the number of possible curve families, Koblitz and Menezes show that a vast proportion of curves (for P-256, around 2^{209} out of 2^{257}) would have to be weak in order for the NSA to succeed in this attack. The implications of such a large class of vulnerable curves is very bad for the field of ECC. It dwarfs every previous known weak curve class and would call into question the decision to use ECC at all.

In other words, Koblitz and Menezes are saying that if you accept the weak curve hypothesis into your heart, the solution is not to replace the NIST elliptic curves <https://www.ietf.org/mail-archive/web/cfrg/current/msg06426.html> with anything at all, but rather, to leave the building as rapidly as possible and perhaps not shut the door on the way out. No joke.

On the gripping hand, this sounds very much like the plan NSA is currently implementing. Perhaps we should be worried.

</END>

So, I’m not a cryptographer, but y’all (supposedly) are. What say the list?

- Greg