Re: [Cfrg] Comparing ECC curves

Phillip Hallam-Baker <> Thu, 24 July 2014 02:56 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 9F63C1A02BA for <>; Wed, 23 Jul 2014 19:56:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0bBsftqzEzgT for <>; Wed, 23 Jul 2014 19:56:28 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c00::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B98C51A0B07 for <>; Wed, 23 Jul 2014 19:56:27 -0700 (PDT)
Received: by with SMTP id a1so2033053wgh.35 for <>; Wed, 23 Jul 2014 19:56:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=x/O/U42X3eCnnEvF2QnFaHwiLEEnuH3yH+GAc+dgJyE=; b=z9PbiWisvBe1FC70jPnSb5aB033LKjE19rCN9xpZkUNyBtu+h4djBNMrDeGHOvGZ/y NliNB5MvQLtSctaWZgH4MOtKoAHLf48obRdX99gayFSYb4OrZLsuPbhJXXUHs0mDs98V E6CH7ZgmW9j+QMGa8SpRgb5VkThLga1Uny8gWacNkiMX2calggUBfhJjrLlm0mwRZmAV ozk3iSBSdymwpOi1xYhDR1fOINppGzmtAwGzcyow1H0+OY6IL6ngMSpN7a1l1sT0ozat zncMQE3oIs9RRuk+r0fs3xfm2ocVl+mdT6Z5DUWwW+y/vUrY6vXxIhQ9vYUVr/jv+pcm AdHw==
MIME-Version: 1.0
X-Received: by with SMTP id gb10mr30173600wib.65.1406170586286; Wed, 23 Jul 2014 19:56:26 -0700 (PDT)
Received: by with HTTP; Wed, 23 Jul 2014 19:56:26 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <>
Date: Wed, 23 Jul 2014 22:56:26 -0400
X-Google-Sender-Auth: cyy6sY8Ayftxiq3ItkE7bvMtoIQ
Message-ID: <>
From: Phillip Hallam-Baker <>
To: Watson Ladd <>
Content-Type: text/plain; charset=UTF-8
Cc: "" <>
Subject: Re: [Cfrg] Comparing ECC curves
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 24 Jul 2014 02:56:29 -0000

On Wed, Jul 23, 2014 at 9:10 PM, Watson Ladd <> wrote:
> On Wed, Jul 23, 2014 at 4:17 PM, Phillip Hallam-Baker
> <> wrote:
>> On Wed, Jul 23, 2014 at 6:33 PM, Benjamin Black <> wrote:
>>> On Wed, Jul 23, 2014 at 3:28 PM, Phillip Hallam-Baker
>>> <> wrote:
>>>> 3) Do we need to consider 2^192 work factor?
>>>> I can't see any case where I am interested in a work factor of 2^192.
>>>> Either I am willing to make some concession to performance or I want
>>>> it gold plated and 2^256. I would quite like to see the 2^192 work
>>>> factor nuked.
>>> Phillip,
>>> This was our conclusion, as well. If you haven't seen it, here's the NUMS
>>> TLS draft which only specifies the twisted Edwards curves at 128 and 256 bit
>>> security levels:
>> Just trying to push back on the idea we need the options .. :-)
>> Similarly, I am not interested in a set of curves that is
>> hyperoptimized for TLS and can't be used for S/MIME. When we were
>> discussing random curves, changing the curve was pretty much the same
>> as changing the key. Now that we are doing the close to powers of 2
>> curves with highly optimized code, changing the curve is like changing
>> to a whole new algorithm.
>> As far as the code is concerned it is better to think about them as
>> choosing between ECDHE-25519 and ECDHE-256p rather than ECDHE with a
>> named curve. Changing the curve is going to select a different
>> implementation.
>> The end product I want from this is a set of backup public key
>> algorithms that can be made a RECOMMENDED algorithm with a view to
>> making them a MUST algorithm replacing RSA-2048 at some point in the
>> future. I want to encourage dedicated hardware support, etc. etc.
> Why will that happen with these curves when it didn't with the NIST
> curves vs. RSA?
> Yes, I'm aware of patent issues that used to exist, but this was an
> unforced error in
> standardization: RSA is of a similar vintage.

Several reasons.

First off, we had this philosophy that lots of algorithm choices was a
good thing. It is only recently that it is generally acknowledged that
adding stronger algorithms does not improve security. Only stopping
using weak algorithms helps matters.

So back in the mid 90s we had dozens of symmetric ciphers and RSA and
DSA and DH and it was thought to be a good thing. Then we got the idea
that there should be as few algorithms as possible, preferably one
good one. And now I am pushing for a scheme where we have one REQUIRED
and one RECOMMENDED per type of algorithm and make no other
recommendations except in unusual circumstances where a legacy
transition is in progress.

The main reason we haven't had consensus across the IETF on mandatory
to implement algorithms before is that the decisions were taken at
different times and the field moved on. So the mandatory to implement
algorithms for quite a few specs are now out of date. S/MIME requires
3DES for example. This was changed for SIP but not for mail as far as
I can see.

It is possible that some people used to enjoy algorithm discussions.
At this point I think we all realize that the discussion is necessary
but not so much fun that I want to have it repeated for each working

But the main reason I want to change that practice is that when we
decided to move to AES in place of 3DES, that was a decision made
independent of any particular protocol but implementation required us
to make changes to every protocol separately. That is silly and
tedious and lots of makework for authors and the IESG.

Hence the rationale for this draft:

The idea of this is that future protocols would not make MTI choices
of algorithms, they would reference the consensus RFC and leave it at
that. If we change our idea of what necessary crypto is, the consensus
RFC would be made obsolete and replaced by a new one.

The reason for having backup algorithms is that unless we are in panic
mode (like Google starts selling a Quantum Computer just for S&G) the
pattern should be that the new REQUIRED algorithm is a previous
RECOMMENDED algorithm. Since they are backup algorithms there is a
requirement that they be constructed in a distinctly different fashion
(e.g. SHA-3 is a logical backup to SHA-2 because it is spongeworthy).
The backups also need to be distinctly stronger.

I will also note that it looks like we now have a pretty strong
primary and backup for hash functions and MACs and seem to be
approaching consensus on public key (RSA plus ECC exact scheme to be
decided). That leaves a gap for backup encryption algorithm.