Re: [Cfrg] 512-bit twisted Edwards curve and curve generation methods in Russian standardization
Paul Hoffman <paul.hoffman@vpnc.org> Wed, 28 January 2015 17:58 UTC
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CAHOTMVKcTvQbWyVexNJdrtXx-vz6HCbK+D=WLriHDQPLotL0VQ@mail.gmail.com>
Date: Wed, 28 Jan 2015 09:58:51 -0800
Message-Id: <4F528649-1DF6-446B-A39C-75AA4B820BFC@vpnc.org>
References: <CAMr0u6=prmjMv7e+S5UAGVw+uCQWPk-f86Koa04GVx8CZs4J4Q@mail.gmail.com> <C877C13D-0178-4BDD-BC58-4E7C417600D1@akr.io> <CAMr0u6=pgV8P19zoEbztCas20XX68V40wN-3qwrbqAxQeMpJQg@mail.gmail.com> <CAHOTMVK63wE1PNypoJ_Ems734UMD_vEOq-muYLzNvVPMWwv==g@mail.gmail.com> <F1BAFC8D-F380-420F-8254-2BD17A3E4A79@vpnc.org> <CAHOTMVKcTvQbWyVexNJdrtXx-vz6HCbK+D=WLriHDQPLotL0VQ@mail.gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Rk9KPY1LSvFK1djBiLu7Z_Pehpg>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
On Jan 28, 2015, at 9:36 AM, Tony Arcieri <bascule@gmail.com> wrote:

> On Wed, Jan 28, 2015 at 9:33 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>> That is a huge overstatement of what they showed.
>
> No it isn't. Unless these numbers are justified they can be poisoned.

Please define "justified".

>> They showed that if a group of people with a common interest pick the form for the verifiably random value, they can tweak parameters. There are obvious procedures that prevent the number being chosen by such a group, and instead have the number chosen by a group where even if a single person is trusted, the randomness is trusted.
>
> I guess you're probably talking about Brainpool?

No.

> I guess the Brainpool numbers are probably ok?

I don't.

> But why use this sort of process at all? It just provides an avenue for suspicion.

Right, so don't say that I'm using that sort of process. As I said, there are many ways to hold a process that comes out with a trustable random number. Brainpool isn't that.

--Paul Hoffman
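The kind of procedure the message above alludes to, a random value chosen by a group in which a single honest participant is enough for the result to be trustworthy, is usually realized as a commit-then-reveal ceremony. The following is an added example written for this page; it is not code from the thread, from Brainpool or from any standard, and the party names, the domain tag and the fixed shares are invented for the walk-through.

```python
import hashlib
import secrets

# Added example: commit-then-reveal ceremony for a shared random seed.
# Each party first publishes a commitment H(tag || name || share). Only after
# every commitment is on the table does anyone reveal. The seed is a hash over
# all revealed shares, so a party that wants to steer the seed would have to
# choose its share after seeing the others', which the commitment check catches.

TAG = b"example-seed-ceremony-v1"  # assumed domain-separation tag, not from any standard


def fresh_share(nbytes: int = 32) -> bytes:
    """A party's private contribution, drawn from the OS CSPRNG."""
    return secrets.token_bytes(nbytes)


def commit(name: str, share: bytes) -> bytes:
    """Phase 1 message: binding commitment to (name, share)."""
    return hashlib.sha256(TAG + b"|commit|" + name.encode() + b"|" + share).digest()


def derive_seed(reveals: dict[str, bytes]) -> bytes:
    """Hash all shares in a canonical order (sorted by name, length-prefixed)."""
    h = hashlib.sha256(TAG + b"|seed|")
    for name in sorted(reveals):
        share = reveals[name]
        h.update(name.encode() + b"\x00" + len(share).to_bytes(2, "big") + share)
    return h.digest()


def finish_ceremony(commitments: dict[str, bytes], reveals: dict[str, bytes]) -> bytes:
    """Phase 2: check every reveal against its commitment, then derive the seed.

    Raises ValueError if a committed party is missing, an uncommitted party
    shows up, or a revealed share does not match its commitment.
    """
    missing = set(commitments) - set(reveals)
    if missing:
        raise ValueError(f"no reveal from: {sorted(missing)}")
    for name, share in reveals.items():
        if name not in commitments:
            raise ValueError(f"{name} never committed")
        if not secrets.compare_digest(commit(name, share), commitments[name]):
            raise ValueError(f"{name} revealed a share that does not match its commitment")
    return derive_seed(reveals)


# Constructed, fixed shares so the walk-through is reproducible.
# A real ceremony would use fresh_share() for each party.
SHARES = {
    "alice": bytes.fromhex("aa" * 32),
    "bob": bytes.fromhex("bb" * 32),
    "carol": bytes.fromhex("cc" * 32),
}


def honest_run() -> bytes:
    """All three parties commit, then reveal what they committed to."""
    commitments = {n: commit(n, s) for n, s in SHARES.items()}
    return finish_ceremony(commitments, dict(SHARES))


def late_swap_is_rejected() -> bool:
    """bob, after seeing alice's and carol's reveals, swaps in a share chosen to steer the seed."""
    commitments = {n: commit(n, s) for n, s in SHARES.items()}
    reveals = dict(SHARES)
    reveals["bob"] = bytes.fromhex("0b" * 32)  # picked after the others revealed
    try:
        finish_ceremony(commitments, reveals)
    except ValueError:
        return True
    return False


def withholding_is_detected() -> bool:
    """carol commits but never reveals; the run cannot complete."""
    commitments = {n: commit(n, s) for n, s in SHARES.items()}
    reveals = {n: s for n, s in SHARES.items() if n != "carol"}
    try:
        finish_ceremony(commitments, reveals)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("seed:", honest_run().hex())
    print("late swap rejected:", late_swap_is_rejected())
    print("withholding detected:", withholding_is_detected())
```

Because every share enters the final hash and every share was fixed before any was disclosed, a participant that colludes with all the others still cannot predict or shape the seed if one honest party picked its share at random. The seed would then be fed into whatever deterministic parameter derivation the curve standard specifies. The one well-known weakness of this basic scheme is the abort: a party that commits and then refuses to reveal can veto a run whose outcome it dislikes, so a real ceremony needs an agreed abort policy (for example, rerun without the non-revealing party) in addition to the commitment check.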
- [Cfrg] 512-bit twisted Edwards curve and curve ge… Станислав Смышляев
- Re: [Cfrg] 512-bit twisted Edwards curve and curv… Paterson, Kenny
- Re: [Cfrg] 512-bit twisted Edwards curve and curv… Stanislav V. Smyshlyaev
- Re: [Cfrg] 512-bit twisted Edwards curve and curv… Alyssa Rowan
- Re: [Cfrg] 512-bit twisted Edwards curve and curv… Stanislav V. Smyshlyaev
- Re: [Cfrg] 512-bit twisted Edwards curve and curv… Tony Arcieri
- Re: [Cfrg] 512-bit twisted Edwards curve and curv… Paul Hoffman
- Re: [Cfrg] 512-bit twisted Edwards curve and curv… Watson Ladd
- Re: [Cfrg] 512-bit twisted Edwards curve and curv… Tony Arcieri
- Re: [Cfrg] 512-bit twisted Edwards curve and curv… Stanislav V. Smyshlyaev
- Re: [Cfrg] 512-bit twisted Edwards curve and curv… Paul Hoffman
- Re: [Cfrg] 512-bit twisted Edwards curve and curv… Alyssa Rowan
- Re: [Cfrg] 512-bit twisted Edwards curve and curv… Tony Arcieri
- Re: [Cfrg] 512-bit twisted Edwards curve and curv… Stanislav V. Smyshlyaev
- Re: [Cfrg] 512-bit twisted Edwards curve and curv… Stanislav V. Smyshlyaev
- Re: [Cfrg] 512-bit twisted Edwards curve and curv… CodesInChaos