Re: [Cfrg] Formal request from TLS WG to CFRG for new elliptic curves
Watson Ladd <watsonbladd@gmail.com> Tue, 15 July 2014 14:41 UTC
In-Reply-To: <53C4F9AD.6020605@secunet.com>
References: <CFE9F2DE.26E5A%kenny.paterson@rhul.ac.uk> <CACsn0cnxswoPzS8VFRXTO=MD+L+ezckKmWwhi26-1bJqNw5YCQ@mail.gmail.com> <53C4F9AD.6020605@secunet.com>
Date: Tue, 15 Jul 2014 07:39:54 -0700
Message-ID: <CACsn0cm4zY7fnpT4j01ZZ56jkpu5oPU-d0jBnPnEGWnzfjBB0w@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Johannes Merkle <johannes.merkle@secunet.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/TAwsMU2O2hrYJ-vloyk6hOSB5Z4
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Formal request from TLS WG to CFRG for new elliptic curves

On Tue, Jul 15, 2014 at 2:51 AM, Johannes Merkle
<johannes.merkle@secunet.com> wrote:
> Watson Ladd wrote on 15.07.2014 03:11:
>>>
>>> Interoperability
>>>
>>> R6. Desired: can be used with current software implementations
>>> (using different curve parameters) of TLS, PKIX, SSH, and IKE [4]
>>>
>>> R7. Desired: can be used within current ECC standards of TLS,
>>> PKIX, SSH, and IKE [4]
>>
>> These desiderata are worthwhile, but implementors have signalled they
>> are willing to make large changes for performance.
>>
>
> Well, I'm not so sure. On the TLS mailing list, there have been some messages expressing the opposite opinion.
> https://www.ietf.org/mail-archive/web/tls/current/msg12960.html
> http://www.ietf.org/mail-archive/web/tls/current/msg12975.html
> https://www.ietf.org/mail-archive/web/tls/current/msg12320.html
> http://www.ietf.org/mail-archive/web/tls/current/msg12983.html
>
> Actually, you have responded to most of these, but this does not necessarily eliminate the objections.

Since we aren't replacing the NIST curves it's fine if some, even a lot
of, people don't want to use them. Not everyone uses Camellia or AES
after all.

By contrast, the interest in Curve25519 comes from the speed: no one
wants or uses Brainpool because it is slow. (The fact that we already
have a set of alternative curves with nothing to recommend them beyond
alternative generation is frequently forgotten in these arguments).

If we sacrifice speed in favor of Weierstrass form, I'm not going to
be very happy:
1: We asked about using something very fast
2: There were no security objections
3: The IETF happened
4: We got something slow, out of deference to people who won't use it anyway.

Now, for GLV curves there may be patent issues, and for
hyper-and-elliptic (use hyperelliptic curves for variable base,
elliptic curves for fixed base with deep cleverness to interconvert)
the complexity might not be worth the added speed.

It's not that simplicity isn't important, but that the range of
performance vs. complexity tradeoffs tends to strongly favor speed in
this domain. (One interesting counterexample is Bitcoin: the CM is not
used despite the curve being designed for it)

Sincerely,
Watson Ladd