Re: [Cfrg] Curve manipulation, revisited

Harry Halpin <hhalpin@w3.org> Tue, 06 January 2015 10:25 UTC

Return-Path: <hhalpin@w3.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A07601A9164 for <cfrg@ietfa.amsl.com>; Tue, 6 Jan 2015 02:25:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6H0VQAb7Y1Hg for <cfrg@ietfa.amsl.com>; Tue, 6 Jan 2015 02:25:19 -0800 (PST)
Received: from jay.w3.org (ssh.w3.org [128.30.52.60]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 972C41A9153 for <cfrg@irtf.org>; Tue, 6 Jan 2015 02:25:19 -0800 (PST)
Received: from men75-11-88-175-104-179.fbx.proxad.net ([88.175.104.179] helo=[192.168.1.36]) by jay.w3.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from <hhalpin@w3.org>) id 1Y8RK8-0008D7-O1; Tue, 06 Jan 2015 05:25:16 -0500
Message-ID: <54ABB7FC.2080509@w3.org>
Date: Tue, 06 Jan 2015 11:25:00 +0100
From: Harry Halpin <hhalpin@w3.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: David Gil <dgil@yahoo-inc.com>, Adam Langley <agl@imperialviolet.org>
References: <1223557431.954984.1419630657780.JavaMail.yahoo@jws100194.mail.ne1.yahoo.com>
In-Reply-To: <1223557431.954984.1419630657780.JavaMail.yahoo@jws100194.mail.ne1.yahoo.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/N4XTr1zXiHJn_7KhLA5Ft9x542M
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Curve manipulation, revisited
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jan 2015 10:25:22 -0000

On 12/26/2014 10:50 PM, David Gil wrote:
> On Thursday, December 25, 2014 1:05 PM, Adam Langley <agl@imperialviolet.org>; wrote:
> [replying to someone else]
>> . . .               On the other hand, each additional curve dilutes
>> implementation resources and implementation bugs happen.
> 
> I assume that you mean finite fields, not curves?
> 
> (This would seem to be just as good of an argument for generating
> Edwards curves over the Salinas primes, which are rather widely
> implemented...)
> 
> On Thu, Dec 25, 2014 at 8:38 PM, David Gil <dgil@yahoo-inc.com>; wrote:
>>> In particular, w.r.t. Yahoo's eventual release of an End-to-End
>>> messaging extension, we will generate EC keys for extension users
>>> on a curve subgroup with log2(#K) >= 376. The additional computational
>>> expense is, frankly, negligible.
>>
>> I think my argument here is the same as above. (Although, in this
>> situation, you would have the advantage of being able to use the
>> simplest, clearest code possible . . . 
> 
> Alas, no, I don't have that advantage: WebCrypto [has more-or-less
> decided][w3c_curves] that they will only implement CFRG-recommended
> curves. I need WebCrypto support -- for non-extractable keys.
> But I also need to have something that is relatively clean to
> implement in JS, for support of legacy-ish browsers.

Quick point of clarification re W3C's position - we have an formal
position that *if* the decision is made by CFRG  made by March 12th [1],
we will return to Last Call Working Draft. After a month or so, if
implementers believe the proposal is mature, there are no objections,
and it is possible to achieve interop within a reasonable time-frame,
then we will add it to the algorithms listed in the spec for interop
testing and return to implementation interop.

If the decision is made *after* March 12th, we can amend the
recommendation using the "errata" process detailed here [2] (and likely
to be made easier in future) and return to interop testing.

>From WebCrypto's side, we can only recommend that browsers follow CFRG's
recommendation, but if we do not end up with two inter-operable
implementations of the CFRG recommendation by the time we exit Candidate
Recommendation, we will drop that curve from the Recommendation although
the "errata" path can be taken at any time, even after WebCrypto has
achieved Recommendation status. This lets "legacy" browsers upgrade when
they see fit.

In summary, we can add a curve at anytime, and only a curve that has
genuine interop will stay in the W3C spec. So while we have a preferred
deadline, CFRG is not bound to it and we can cope with CFRG's decision
whenever it is made.

We do not want to hurry CFRG's decision along, and believe the decision
should be made purely on technical merits, as makes sense for a Research
Group, and in public as is fitting given the amount of public attention
on crypto post-Snowden. In that regard, the earlier draft of technical
requirements (not sure what happened to it) was very useful and any
proposal should ideally be judged against such requirements.

The Working Groups like TLS or W3C Web Crypto can then deal with the
politics around implementation, but obviously we do understand having
major implementers on board with the CFRG decision helps. If there's
anything we can do to help, just ask.

   cheers,
      harry

[1] http://www.w3.org/TR/2014/CR-WebCryptoAPI-20141211/
[2] http://www.w3.org/2005/10/Process-20051014/tr.html#errata


> 
> And I'm not convinced that the NUMS curve proposal can be implemented with decent performance in simple and clear JS.
> 
>> . . . because performance isn't a concern.)
> 
> And alas, it is: JavaScript is not particularly ideal for k-time
> bignum arithmetic. The choice of finite field has a major impact
> on performance.
> 
> --
> 
>> TOP SECRET just needed to have a bigger number than SECRET :)
> 
> Sure; but why then not secp224r1/SHA-224 and secp256r1/SHA-256?
> 
> And does a code-breaking agency have any reason to publicly
> *overestimate* the probability a cryptosystem might be broken?
> 
> (Or: perhaps they chose randomly ;)
> 
> --
> 
> [w3c_curves]: http://lists.w3.org/Archives/Public/public-webcrypto/2014Sep/0011.html "[W3C Web Crypto WG] CfC : Call for Consensus on the integration of new curves in Web Crypto API - vote before the 16th of sept"
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>