IETF Logo Mail Archive

Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices

Watson Ladd <watsonbladd@gmail.com> Fri, 21 November 2014 16:58 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F22091AD572 for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 08:58:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bY_zJ6aoZ9ya for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 08:58:41 -0800 (PST)
Received: from mail-yh0-x231.google.com (mail-yh0-x231.google.com [IPv6:2607:f8b0:4002:c01::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E58B1AD56E for <cfrg@irtf.org>; Fri, 21 Nov 2014 08:58:41 -0800 (PST)
Received: by mail-yh0-f49.google.com with SMTP id f10so2558341yha.36 for <cfrg@irtf.org>; Fri, 21 Nov 2014 08:58:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=PUd78iETE7D+DYTllLx8auqS1KzmKd7PpzHGRtvO/q8=; b=qp85EZmKANm8hQueMlDbEfoHpV2yG4l7G+hIzx0+s4q4mX8INY3NC81dW9f6JndOq6 HT6gNUoHlJb1ssOW2OM82o0DhjsMOZItQaFf2dz/JTovPXzaRYLm8kzRePoBk5UWx38i vjbxNV455lj94vp6FQxeFdrBB13k52v8Kw2/J5iTJRE9tXnXJ1GvMEe5UDhQq3J/t39H 1E9dnA87LAM021jGYvweqpFL2weDZmSr9jhMZHGijjwBLLHQDogEwcTuQpcSZhcmv/VB WhU45tvH9P6t3kYN7CAYZkgRY/DtH72Mr76D2KYupCOisI3Ntwd+uoobPgdQJYlAjQeh +nNQ==
MIME-Version: 1.0
X-Received: by 10.236.30.197 with SMTP id k45mr3067330yha.163.1416589120098; Fri, 21 Nov 2014 08:58:40 -0800 (PST)
Received: by 10.170.195.21 with HTTP; Fri, 21 Nov 2014 08:58:39 -0800 (PST)
In-Reply-To: <201411211351.04473.manfred.lochter@bsi.bund.de>
References: <8FBEB0194016E64D9DF7E7855CD88E0C073A6D@FRPASERV0088.emea.oberthurcs.com> <201411200901.53517.manfred.lochter@bsi.bund.de> <CACsn0cmV6aOMx+eiLa0iP7rYiU4ZVmeDbNPhTSz_a6oU1=kWjA@mail.gmail.com> <201411211351.04473.manfred.lochter@bsi.bund.de>
Date: Fri, 21 Nov 2014 08:58:39 -0800
Message-ID: <CACsn0ckUoijv-uD3yksOQpRW9E-smF1wg9=+L2BVrN1+wRv0tw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Lochter, Manfred" <manfred.lochter@bsi.bund.de>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/QwBqF4b0FRJSYkL11IJ9LBWNYGQ
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Nov 2014 16:58:49 -0000

On Fri, Nov 21, 2014 at 4:51 AM, Lochter, Manfred
<manfred.lochter@bsi.bund.de> wrote:
>
>
>
>
>
> __________ ursprüngliche Nachricht __________
>
> Von:            Watson Ladd <watsonbladd@gmail.com>
> Datum:  Donnerstag, 20. November 2014, 16:21:50
> An:             "Lochter, Manfred" <manfred.lochter@bsi.bund.de>
> Kopie:  "cfrg@irtf.org" <cfrg@irtf.org>
> Betr.:  Re: [Cfrg] Requirements for elliptic curves with a view towards
> constrained devices
>
>> On Thu, Nov 20, 2014 at 12:01 AM, Lochter, Manfred
>>
>> <manfred.lochter@bsi.bund.de> wrote:
>> >> Of course, you don't need to take my word for it: Cloudflare was very
>> >> clear that widespread ECDSA support was essential to making TLS free.
>> >> Mobile devices are having issues with verification times for NIST
>> >> P384. V2V proposals involves a staggering number of verifications a
>> >> second, but oddly enough don't use batching or efficient signatures,
>> >> thus forcing larger, more expensive hardware.
>> >
>> > Is there really a requirement for mobile devices to use a 384 bit curve?
>> > Why is 256 not sufficient? In which scenarios do you see the neccessity
>> > to use P-384? Which specific mobile devices are having issues with
>> > verification times? Are they having these problems only in connection
>> > with the proposed protocols you mention?
>>
>> When my mobile phone's browser connects to a website whose certificate
>> is signed by P384, a P384 verification better take place. Not
>> supporting P384 introduces an interoperability problem.
>
> I'm glad that you agree with my previously stated position that 384-bit curves
> are needed. Following your reasoning 256/384/512(521) bit curves have to be
> supported. In this case I would rather see performance problems on the
> 512/521 end.
> I would very much appreciate if you could also answer my other questions
> above.
> You seem to say that car-to-car communication will use the curves proposed by
> the cfrg. This supports the inital position we took in the Brainpool position
> paper (eprint 832/2014). I'm glad that we seem to agree on that.

The V2V projects aren't. Despite high performance constraints they are
not making optimal choices. Batch signatures would seem a natural fit,
and yet ECDSA is still being used. P256 seems to be selected, despite
Koblitz curves existing. But blinding won't be used: the performance
hit is too much, and the security model doesn't require it. It doesn't
seem like they will switch to Curve25519 if the CFRG recommends it.

Performance problems don't show up where you want them to. Any time
the fastest implementation isn't fast enough, there is a performance
problem. I don't see why users who want to use more secure curves
wouldn't care about performance, or why users who care about
performance wouldn't want the option to use larger curves. I also
don't see why random primes are good from a security perspective: they
permit a smaller multiplier, but the speed advantage of a nonrandom
curve permits a much bigger multiplier at the same cost.

Users don't care if we give them extra security. They do care if their
performance requirements aren't met by curves with adequate security,
or vice versa.

The Brainpool position paper equates hardware with high-assurance
hardware designed to resist side channel attacks, arguing that because
we can't write echo servers correctly, more people will put keys in
hardware. But this doesn't mean they need to resist side channel
attacks with large amounts of physical access to the hardware, and
certainly doesn't mean they are willing to suffer a massive
performance loss for that benefit.

Most of the applications which Brainpool inexplicably calls "hardware"
aren't. They use off the shelf microcontrollers, which don't have
bignum acceleration, and likely can't make it faster than built in
arithmetic. (There is nothing magical about doing the same
computations in a hard-coded circuit). They are much closer to
yesterday's software. This includes several "HSMs".

Sincerely,
Watson Ladd

v2.23.0 | Report a Bug | By Email