Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices
Watson Ladd <watsonbladd@gmail.com> Fri, 21 November 2014 16:58 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F22091AD572 for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 08:58:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bY_zJ6aoZ9ya for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 08:58:41 -0800 (PST)
Received: from mail-yh0-x231.google.com (mail-yh0-x231.google.com [IPv6:2607:f8b0:4002:c01::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E58B1AD56E for <cfrg@irtf.org>; Fri, 21 Nov 2014 08:58:41 -0800 (PST)
Received: by mail-yh0-f49.google.com with SMTP id f10so2558341yha.36 for <cfrg@irtf.org>; Fri, 21 Nov 2014 08:58:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=PUd78iETE7D+DYTllLx8auqS1KzmKd7PpzHGRtvO/q8=; b=qp85EZmKANm8hQueMlDbEfoHpV2yG4l7G+hIzx0+s4q4mX8INY3NC81dW9f6JndOq6 HT6gNUoHlJb1ssOW2OM82o0DhjsMOZItQaFf2dz/JTovPXzaRYLm8kzRePoBk5UWx38i vjbxNV455lj94vp6FQxeFdrBB13k52v8Kw2/J5iTJRE9tXnXJ1GvMEe5UDhQq3J/t39H 1E9dnA87LAM021jGYvweqpFL2weDZmSr9jhMZHGijjwBLLHQDogEwcTuQpcSZhcmv/VB WhU45tvH9P6t3kYN7CAYZkgRY/DtH72Mr76D2KYupCOisI3Ntwd+uoobPgdQJYlAjQeh +nNQ==
MIME-Version: 1.0
X-Received: by 10.236.30.197 with SMTP id k45mr3067330yha.163.1416589120098; Fri, 21 Nov 2014 08:58:40 -0800 (PST)
Received: by 10.170.195.21 with HTTP; Fri, 21 Nov 2014 08:58:39 -0800 (PST)
In-Reply-To: <201411211351.04473.manfred.lochter@bsi.bund.de>
References: <8FBEB0194016E64D9DF7E7855CD88E0C073A6D@FRPASERV0088.emea.oberthurcs.com> <201411200901.53517.manfred.lochter@bsi.bund.de> <CACsn0cmV6aOMx+eiLa0iP7rYiU4ZVmeDbNPhTSz_a6oU1=kWjA@mail.gmail.com> <201411211351.04473.manfred.lochter@bsi.bund.de>
Date: Fri, 21 Nov 2014 08:58:39 -0800
Message-ID: <CACsn0ckUoijv-uD3yksOQpRW9E-smF1wg9=+L2BVrN1+wRv0tw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Lochter, Manfred" <manfred.lochter@bsi.bund.de>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/QwBqF4b0FRJSYkL11IJ9LBWNYGQ
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Nov 2014 16:58:49 -0000
On Fri, Nov 21, 2014 at 4:51 AM, Lochter, Manfred <manfred.lochter@bsi.bund.de> wrote: > > > > > > __________ ursprüngliche Nachricht __________ > > Von: Watson Ladd <watsonbladd@gmail.com> > Datum: Donnerstag, 20. November 2014, 16:21:50 > An: "Lochter, Manfred" <manfred.lochter@bsi.bund.de> > Kopie: "cfrg@irtf.org" <cfrg@irtf.org> > Betr.: Re: [Cfrg] Requirements for elliptic curves with a view towards > constrained devices > >> On Thu, Nov 20, 2014 at 12:01 AM, Lochter, Manfred >> >> <manfred.lochter@bsi.bund.de> wrote: >> >> Of course, you don't need to take my word for it: Cloudflare was very >> >> clear that widespread ECDSA support was essential to making TLS free. >> >> Mobile devices are having issues with verification times for NIST >> >> P384. V2V proposals involves a staggering number of verifications a >> >> second, but oddly enough don't use batching or efficient signatures, >> >> thus forcing larger, more expensive hardware. >> > >> > Is there really a requirement for mobile devices to use a 384 bit curve? >> > Why is 256 not sufficient? In which scenarios do you see the neccessity >> > to use P-384? Which specific mobile devices are having issues with >> > verification times? Are they having these problems only in connection >> > with the proposed protocols you mention? >> >> When my mobile phone's browser connects to a website whose certificate >> is signed by P384, a P384 verification better take place. Not >> supporting P384 introduces an interoperability problem. > > I'm glad that you agree with my previously stated position that 384-bit curves > are needed. Following your reasoning 256/384/512(521) bit curves have to be > supported. In this case I would rather see performance problems on the > 512/521 end. > I would very much appreciate if you could also answer my other questions > above. > You seem to say that car-to-car communication will use the curves proposed by > the cfrg. This supports the inital position we took in the Brainpool position > paper (eprint 832/2014). I'm glad that we seem to agree on that. The V2V projects aren't. Despite high performance constraints they are not making optimal choices. Batch signatures would seem a natural fit, and yet ECDSA is still being used. P256 seems to be selected, despite Koblitz curves existing. But blinding won't be used: the performance hit is too much, and the security model doesn't require it. It doesn't seem like they will switch to Curve25519 if the CFRG recommends it. Performance problems don't show up where you want them to. Any time the fastest implementation isn't fast enough, there is a performance problem. I don't see why users who want to use more secure curves wouldn't care about performance, or why users who care about performance wouldn't want the option to use larger curves. I also don't see why random primes are good from a security perspective: they permit a smaller multiplier, but the speed advantage of a nonrandom curve permits a much bigger multiplier at the same cost. Users don't care if we give them extra security. They do care if their performance requirements aren't met by curves with adequate security, or vice versa. The Brainpool position paper equates hardware with high-assurance hardware designed to resist side channel attacks, arguing that because we can't write echo servers correctly, more people will put keys in hardware. But this doesn't mean they need to resist side channel attacks with large amounts of physical access to the hardware, and certainly doesn't mean they are willing to suffer a massive performance loss for that benefit. Most of the applications which Brainpool inexplicably calls "hardware" aren't. They use off the shelf microcontrollers, which don't have bignum acceleration, and likely can't make it faster than built in arithmetic. (There is nothing magical about doing the same computations in a hard-coded circuit). They are much closer to yesterday's software. This includes several "HSMs". Sincerely, Watson Ladd
- [Cfrg] Requirements for elliptic curves with a vi… RONDEPIERRE Franck
- Re: [Cfrg] Requirements for elliptic curves with … Dan Brown
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Manuel Pégourié-Gonnard
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Alyssa Rowan
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Andy Lutomirski
- [Cfrg] Handling invalid points D. J. Bernstein
- Re: [Cfrg] Handling invalid points Michael Hamburg
- Re: [Cfrg] Handling invalid points Michael Hamburg
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Handling invalid points Natanael
- Re: [Cfrg] Requirements for elliptic curves with … William Whyte
- Re: [Cfrg] Handling invalid points Ilari Liusvaara
- Re: [Cfrg] Handling invalid points Stephen Farrell
- Re: [Cfrg] Requirements for elliptic curves with … D. J. Bernstein
- Re: [Cfrg] Handling invalid points D. J. Bernstein
- Re: [Cfrg] Handling invalid points Adam Langley