Re: [Cfrg] MAY use specified curves

Watson Ladd <watsonbladd@gmail.com> Wed, 10 September 2014 01:18 UTC

In-Reply-To: <1410311251564.45a3662d@Nodemailer>
References: <540F72AC.2050502@fifthhorseman.net> <1410311251564.45a3662d@Nodemailer>
Date: Tue, 9 Sep 2014 18:18:04 -0700
Message-ID: <CACsn0cnMyi5T8vRLwueoVMCQ3jWDVYdFhr8cybwY=8WByQE5Ag@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: David Leon Gil <coruus@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/QKZ0kYHW57NEqSaBUInLZgCZiTc
Cc: Dan Brown <dbrown@certicom.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] MAY use specified curves

On Tue, Sep 9, 2014 at 6:07 PM, David Leon Gil <coruus@gmail.com> wrote:
>
>
>> i'd say that custom groups or curves are at best a SHOULD NOT, unless
>> there are some very clear guidelines on how to evaluate them at
>> connection time to determine what approximate security level they provide.

There are a number of "attacks" on ECDSA where an existing signature
can be made to verify under a newly created key by using a custom
group. While these do not violate the security assumptions in the
standard signature model, they are occasionally annoying. Insofar as
we can trust servers not to be stupid, there isn't an issue with
custom curves in TLS, but sadly that is not the case.

Furthermore, no security benefit to using custom curves exists: the
batching attacks are of no consequence as getting even one discrete
log is hard. The only claimed security benefit is adapting to changes
in ECC security.

>
> To expand on this, I think that the CFRG should provide a method for
> evaluating curves for safety for IETF WGs to use.
>
> A number of people have mentioned applications with specific criteria that
> may not be satisfied by curves that are good for TLS. This matter is --
> unlike performance considerations, or cipher-equivalent-security-level
> minutiae -- very clearly in-scope for CFRG.

Which applications with which criteria? So far the only one has been
random primes for hardware, with an eye towards TLS and PKIX. If you
really want to know, look at safecurves.cr.yp.to. I don't see why we
should have dozens of curves, one for each protocol with a WG, further
complicating the work of implementers, and harming interoperability in
situations where only a few curves can be built in.

Your argument looks to me to be that CFRG should not recommend new
curves, should say all the proposals are fine, and should kick them
back to the TLS WG.

Sincerely,
Watson Ladd

-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
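The connection-time evaluation the quoted message asks for (field prime, non-singular curve, prime order n, small cofactor, Hasse bound, anomalous and low-embedding-degree rejection, and n*G = O), written out as an added example that is not part of this thread or of any CFRG document. The accepted case is a constructed input built from the public secp256k1 parameters; the thresholds max_cofactor=4 and min_embedding_degree=20 are assumptions of this example, and the reported security level is the usual rough estimate of half the bit length of n.

```python
import math

# Constructed sample input: the public secp256k1 domain parameters, as a peer might send them.
SECP256K1 = dict(p=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F, a=0, b=7, h=1,
                 gx=0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
                 gy=0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
                 n=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141)

def is_probable_prime(m):  # Miller-Rabin with fixed bases: adequate for a parameter sanity check
    if m < 4 or m % 2 == 0:
        return m in (2, 3)
    r = ((m - 1) & -(m - 1)).bit_length() - 1  # write m - 1 = 2^r * d with d odd
    for base in [b for b in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37) if b < m]:
        x = pow(base, (m - 1) >> r, m)  # composite unless x is +-1 or repeated squaring hits -1
        if x not in (1, m - 1) and not any((x := x * x % m) == m - 1 for _ in range(r - 1)):
            return False
    return True

def ec_mul(k, P, p, a):  # double-and-add on y^2 = x^3 + a*x + b over GF(p); None = infinity
    def add(P, Q):
        if P is None or Q is None:
            return Q if P is None else P
        if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
            return None
        num, den = (3 * P[0] ** 2 + a, 2 * P[1]) if P == Q else (Q[1] - P[1], Q[0] - P[0])
        lam = num * pow(den, p - 2, p) % p
        x = (lam * lam - P[0] - Q[0]) % p
        return (x, (lam * (P[0] - x) - P[1]) % p)
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def evaluate_curve(c, max_cofactor=4, min_embedding_degree=20):  # -> (security bits, failed checks)
    p, a, b, n, h, G = c["p"], c["a"], c["b"], c["n"], c["h"], (c["gx"], c["gy"])
    failed = [why for why, bad in (  # cheap checks first; all must pass before n*G is computed
        ("p not prime", not is_probable_prime(p)),
        ("singular curve", (4 * a ** 3 + 27 * b ** 2) % p == 0),
        ("G not on curve", (G[1] ** 2 - G[0] ** 3 - a * G[0] - b) % p != 0),
        ("n not prime", not is_probable_prime(n)),
        ("cofactor too large", not 1 <= h <= max_cofactor),
        ("h*n outside Hasse bound", abs(p + 1 - h * n) > 2 * math.isqrt(p) + 2),
        ("anomalous curve (n == p)", n == p),
        ("small embedding degree (MOV/FR)", n > 1 and any(pow(p, k, n) == 1 for k in range(1, min_embedding_degree + 1))),
    ) if bad]
    if not failed and ec_mul(n, G, p, a) is not None:
        failed.append("n*G is not the point at infinity")
    return (None, failed) if failed else (n.bit_length() // 2, [])
```

A verifier that only pins a whitelist of named curves needs none of this; the checks matter precisely when a peer is allowed to send explicit parameters.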