Re: [Cfrg] big-endian short-Weierstrass please

[Daniel Kahn Gillmor <dkg@fifthhorseman.net>]

On Wed 2015-01-28 18:38:49 -0500, Blumenthal, Uri - 0558 - MITLL wrote:
> The problem is - reasonably-vetted by who? NIST? DJB? Yourself? All of the
> above?

If this lengthy process we're involved in doesn't turn out to be
reasonable vetting by a multistakeholder group, i'll be sorely
disappointed.

> Attractiveness of the ability to select a custom curve is similar to that
> of PGP Web of Trust: you can make a choice for yourself, rather than being
> forced into what other experts (or “experts” :) decide for you.

This is different from the PGP Web of Trust.  If i'm communicating with
a new peer using TLS, and they want to use MagicCurveX that i've never
seen before, my TLS client is not going to be able to evaluate it
properly, certainly not before the TLS handshake expires.

Anyone can of course decide what curves are worth using, and can apply
their own analysis with their peers to come to that decision.  But if
you're communicating with the arbitrary outside world, there needs to be
some broader consensus about which curves to commonly use.

The act of naming and identifying the curve doesn't mean it's good, of
course; We have named codepoints for curves insufficient for modern
cryptanalysis, like sect163k1.  But you're right, people should be able
to use curves internally that no one else has to weigh in on.
fortunately, we can already do that (at least in TLS); we have a range
of the codepoints set aside for private use (RFC 4492):

  Values 0xFE00 through 0xFEFF are reserved for private use.

At any rate, saying that being able to select your curve using the
parameterized curve space, but leaving the algorithms and structure
(e.g. ECDSA, short-weierstrass) fixed by "experts" doesn't get all the
way the autonomy you want.  Better to use the private-use range, where
you can establish not just a curve of your choice, but also the
algorithms, point formats, etc.

  --dkg