Re: [Cfrg] big-endian short-Weierstrass please

Daniel Kahn Gillmor <> Thu, 29 January 2015 16:30 UTC

List-Id: Crypto Forum Research Group

On Wed 2015-01-28 18:38:49 -0500, Blumenthal, Uri - 0558 - MITLL wrote:
> The problem is - reasonably-vetted by who? NIST? DJB? Yourself? All of the
> above?

If this lengthy process we're involved in doesn't turn out to be
reasonable vetting by a multistakeholder group, i'll be sorely

> Attractiveness of the ability to select a custom curve is similar to that
> of PGP Web of Trust: you can make a choice for yourself, rather than being
> forced into what other experts (or “experts” :) decide for you.

This is different from the PGP Web of Trust.  If i'm communicating with
a new peer using TLS, and they want to use MagicCurveX that i've never
seen before, my TLS client is not going to be able to evaluate it
properly, certainly not before the TLS handshake expires.

Anyone can of course decide what curves are worth using, and can apply
their own analysis with their peers to come to that decision.  But if
you're communicating with the arbitrary outside world, there needs to be
some broader consensus about which curves to commonly use.

The act of naming and identifying the curve doesn't mean it's good, of
course; we have named codepoints for curves insufficient for modern
cryptanalysis, like sect163k1.  But you're right, people should be able
to use curves internally that no one else has to weigh in on.
Fortunately, we can already do that (at least in TLS); we have a range
of the codepoints set aside for private use (RFC 4492):

  Values 0xFE00 through 0xFEFF are reserved for private use.

At any rate, being able to select your curve using the parameterized
curve space while leaving the algorithms and structure (e.g. ECDSA,
short-Weierstrass) fixed by "experts" doesn't get you all the way to the
autonomy you want.  Better to use the private-use range, where you can
establish not just a curve of your choice, but also the algorithms,
point formats, etc.