Re: [Cfrg] ECC reboot (Was: When's the decision?)

Ilari Liusvaara <> Tue, 21 October 2014 09:05 UTC

Date: Tue, 21 Oct 2014 12:05:29 +0300
From: Ilari Liusvaara <>
To: "Lochter, Manfred" <>
Message-ID: <20141021090529.GA12154@LK-Perkele-VII>
Subject: Re: [Cfrg] ECC reboot (Was: When's the decision?)

On Tue, Oct 21, 2014 at 10:27:13AM +0200, Lochter, Manfred wrote:
> Actually, we do not even propose that the cfrg choose the Brainpool curves, we 
> just propose to generate two sets of curves, one using special primes and one 
> using special primes. Here we assume the generation process to be a trusted 
> process. We also note that a flexible approach that allows an easy replacement 
> of curves is very desirable.

You mean pseudorandom primes and special primes, right?

And what would the advantage of generating a new pseudorandom set be, compared to
just using Brainpool if pseudorandom primes are needed?

I don't see any advantage (at least based on the properties you have claimed to
be desirable and the properties you have claimed Brainpool to have). Nor do
I see that such curves would be used much in practice.

> As the cfrg also discusses parameter lengths, I would like to add that it is 
> completely adequate to use 384 bit curves even for the highest security demands. 
> So, 384 bit curves must be included in any proposed set of curves.

Not if you can get more security at less or equal cost. There are some
above-384-bit primes with very good performance (there don't seem to be
such good primes near 384 bits).