Re: [Cfrg] ECC reboot (Was: When's the decision?)

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Tue, 21 October 2014 09:05 UTC

Date: Tue, 21 Oct 2014 12:05:29 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: "Lochter, Manfred" <manfred.lochter@bsi.bund.de>
Message-ID: <20141021090529.GA12154@LK-Perkele-VII>
References: <D065A817.30406%kenny.paterson@rhul.ac.uk> <842BF4E0-8132-42F6-BDE6-65717E004006@shiftleft.org> <54418A8F.3090506@cs.tcd.ie> <201410211027.13608.manfred.lochter@bsi.bund.de>
In-Reply-To: <201410211027.13608.manfred.lochter@bsi.bund.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/PdWB5DbiUAg90mnQsp3goL2sJew
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] ECC reboot (Was: When's the decision?)

On Tue, Oct 21, 2014 at 10:27:13AM +0200, Lochter, Manfred wrote:
> 
> Actually, we do not even propose that the cfrg choose the Brainpool curves, we 
> just propose to generate two sets of curves, one using special primes and one 
> using special primes. Here we assume the generation process to be a trusted 
> process. We also note that a flexible approach that allows an easy replacement 
> of curves is very desirable.

You mean pseudorandom primes and special primes, right?

And what would the advantage of generating a new pseudorandom set be, compared
to just using Brainpool, if pseudorandom primes are needed?

I don't see any advantage (at least based on the properties you have claimed to
be desirable and the properties you have claimed Brainpool to have). Nor do
I see that such curves would be used much in practice.


> As the cfrg also discusses parameter lengths I would like to add that it is 
> completely adequate to use 384 bit curves even for highest security demands. 
> So, 384 bit curves must be included in any proposed set of curves.

Not if you can get more security at less or equal cost. There are some
above-384-bit primes with very good performance (there don't seem to be
primes that good near 384 bits).


-Ilari
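Editor's added example, not part of the message above and not written by any
participant in the thread: the exchange turns on the difference between
"special" primes and the pseudorandomly generated primes used by Brainpool, and
on whether primes with good performance exist near 384 bits. The script below
makes that difference measurable. For each prime it reports how many
signed-binary (NAF) terms the prime has and how many folding steps a reduction
based on 2^k ≡ c (mod p) needs on random products x < p^2. The prime forms are
the published ones; the brainpoolP384r1 constant is transcribed from RFC 5639
and checked with Miller-Rabin inside the script rather than taken on trust. The
particular set of primes compared (P-384, Curve25519, Ed448-Goldilocks, M-511,
E-521, brainpoolP384r1) is an editorial choice, not a list from the thread.

```python
"""Added example (editorial, not from the CFRG message above): what the
"special prime" vs "pseudorandom prime" distinction means for field
arithmetic, measured on primes behind curves of the kind under discussion.

p = 2^k - c with small c (Crandall / pseudo-Mersenne), or more generally a
prime whose signed-binary (NAF) expansion has only a handful of terms, lets a
k-bit implementation reduce a 2k-bit product by folding: 2^k = c (mod p), so
hi*2^k + lo = hi*c + lo.  A pseudorandomly chosen prime, as in Brainpool,
has an NAF with about k/3 terms and a c of almost k bits, so each fold barely
halves the operand and generic Montgomery/Barrett reduction is used instead.
"""
import random

# Curve primes by their published definitions.  The Brainpool value is p of
# brainpoolP384r1 as transcribed from RFC 5639; is_probable_prime() below is
# used to check the transcription rather than trusting it.
PRIMES = {
    "P-384 (NIST)":     2**384 - 2**128 - 2**96 + 2**32 - 1,
    "Curve25519":       2**255 - 19,
    "Ed448-Goldilocks": 2**448 - 2**224 - 1,
    "M-511":            2**511 - 187,
    "E-521":            2**521 - 1,
    "brainpoolP384r1":  int("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B4"
                            "12B1DA197FB71123ACD3A729901D1A71874700133107EC53", 16),
}


def naf_weight(n):
    """Number of nonzero digits in the non-adjacent form of n, i.e. the
    fewest +/-2^i terms that sum to n.  Each term is one shift-and-add in a
    hand-written reduction routine for that prime."""
    n, w = abs(n), 0
    while n:
        if n & 1:
            # pick the digit (+1 if n = 1 mod 4, -1 if n = 3 mod 4) that
            # leaves n divisible by 4, so the next digit is a zero
            n = n - 1 if n & 2 == 0 else n + 1
            w += 1
        n >>= 1
    return w


def reduce_special(x, k, c):
    """Reduce x modulo p = 2^k - c by repeatedly folding the high part.
    Returns (x mod p, number of folds).  Correct for any 0 < c < 2^k; fast
    only when c is small, since each fold replaces x by hi*c + lo."""
    p, mask, folds = (1 << k) - c, (1 << k) - 1, 0
    while x >> k:                      # while x does not fit in k bits
        hi, lo = x >> k, x & mask
        x = hi * c + lo                # 2^k = c (mod p)
        folds += 1
    while x >= p:                      # at most a few final subtractions
        x -= p
    return x, folds


def is_probable_prime(n, rounds=32, rng=None):
    """Miller-Rabin; enough to sanity-check the constants above."""
    rng = rng or random.Random(1)
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def prime_report(samples=20):
    """Per prime: (bits, NAF weight, bits of c, max folds needed to reduce a
    random product x < p^2, folding agreed with Python's % on all samples)."""
    rng = random.Random(2014)           # fixed seed: constructed sample inputs
    report = {}
    for name, p in PRIMES.items():
        k = p.bit_length()
        c = (1 << k) - p                # p = 2^k - c; small only if p is special
        max_folds, ok = 0, True
        for _ in range(samples):
            x = rng.randrange(p * p)
            r, folds = reduce_special(x, k, c)
            ok = ok and r == x % p
            max_folds = max(max_folds, folds)
        report[name] = (k, naf_weight(p), c.bit_length(), max_folds, ok)
    return report


if __name__ == "__main__":
    print("%-18s %5s %4s %6s %6s %s" % ("prime", "bits", "NAF", "c bits", "folds", "ok"))
    for name, row in prime_report().items():
        print("%-18s %5d %4d %6d %6d %s" % ((name,) + row))
```

Run directly, it prints one row per prime. The special primes come out with a
NAF of two to five terms, a c of at most a few hundred bits (129 for P-384,
tiny for the others) and a single-digit fold count, while brainpoolP384r1 has
a NAF of roughly one term per three bits, a c of 383 bits and needs hundreds of
folds, which is why implementations of pseudorandom-prime curves use
Montgomery or Barrett reduction rather than a prime-specific fold. The
script does not settle the thread's question of which primes "near 384 bits"
perform best; it only shows what the two kinds of prime cost in reduction.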