Re: [Cfrg] Formal request from TLS WG to CFRG for new elliptic curves

Watson Ladd <> Tue, 15 July 2014 14:41 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 3629A1B28BC for <>; Tue, 15 Jul 2014 07:41:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SsbqeeIMpIbS for <>; Tue, 15 Jul 2014 07:41:26 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4002:c07::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F1B691B28D7 for <>; Tue, 15 Jul 2014 07:39:54 -0700 (PDT)
Received: by with SMTP id 131so373648ykp.28 for <>; Tue, 15 Jul 2014 07:39:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vEMnfeTlCi2+qCZx4VfDEGomTqZu6yGq91C6v+KvTJ4=; b=UC0wi0jwTx6rtK67t99gY9SzsTVytF+56SsbqvERK3e3svXi0zBSO0nc9Ken8N5Qzi HivFp7t8HnTL4aXt/Nj7/8UviM8lAX6npF7dtdsjc/pDXPfg1qyUZ1OSVapsD/9wXk35 m0eQLDSIjFcDOkW6VFfVv/kx9sW3m3VMUSkntlQU5KsaWs8Cmqp5nPezstc9ht8kMFdH 1uzKZERh6uks6WfMzMpPpe+9TbdkuG7ph+dr5MJAtBbrjIDO8yG6eI3euM+QdMl2r/2u u3j3kC+eWY3+xZ47b3CST9GZ/DFxgLI5Jc537yUf7oLxuWNNmq0WhTpyZ67ZxJOoxMH9 dY6Q==
MIME-Version: 1.0
X-Received: by with SMTP id d32mr41132494yhb.66.1405435194238; Tue, 15 Jul 2014 07:39:54 -0700 (PDT)
Received: by with HTTP; Tue, 15 Jul 2014 07:39:54 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
Date: Tue, 15 Jul 2014 07:39:54 -0700
Message-ID: <>
From: Watson Ladd <>
To: Johannes Merkle <>
Content-Type: text/plain; charset=UTF-8
Cc: "" <>
Subject: Re: [Cfrg] Formal request from TLS WG to CFRG for new elliptic curves
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 15 Jul 2014 14:41:34 -0000

On Tue, Jul 15, 2014 at 2:51 AM, Johannes Merkle
<> wrote:
> Watson Ladd wrote on 15.07.2014 03:11:
>>> Interoperability
>>>    R6.  Desired: can be used with current software implementations
>>>    (using different curve parameters) of TLS, PKIX, SSH, and IKE [4]
>>>    R7.  Desired: can be used within current ECC standards of TLS,
>>>    PKIX, SSH, and IKE [4]
>> These desiderata are worthwhile, but implementors have signalled they
>> are willing to make
>> large changes for performance.
> Well, I'm not so sure. On the TLS mailing list, there have been some messages expressing the opposite opinion.
> Actually, you have responded to most of these, but this does not necessarily eliminate the objections.

Since we aren't replacing the NIST curves its fine if some, even a lot
of, people don't want to use them. Not everyone uses
Camelia or AES after all.

By contrast, the interest in Curve25519 comes from the speed: no one
wants or uses Brainpool because it is slow.
(The fact that we already have a set of alternative curves with
nothing to recommend them beyond alternative generation is frequently
forgotten in these arguments). If we sacrifice speed in favor of
Weierstrass form, I'm not going to be very happy:

1: We asked about using something very fast
2: There were no security objections
3: The IETF happened
4: We got something slow, out of deference to people who won't use it anyway.

Now, for GLV curves there may be patent issues, and for
hyper-and-elliptic (use hyperelliptic curves for variable base,
elliptic curves for fixed base with deep cleverness to interconvert)
the complexity might not be worth the added speed. It's not that
simplicity isn't important, but that the range of performance vs.
complexity tradeoffs tends to strongly favor speed in this domain.

(One interesting counterexample is Bitcoin: the CM is not used despite
the curve being designed for it)

Watson Ladd