Re: [Cfrg] Curve manipulation, revisited

Nico Williams <nico@cryptonector.com> Tue, 30 December 2014 17:41 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FEDE1A039D for <cfrg@ietfa.amsl.com>; Tue, 30 Dec 2014 09:41:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.855
X-Spam-Level:
X-Spam-Status: No, score=0.855 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8L75iWDM-QOX for <cfrg@ietfa.amsl.com>; Tue, 30 Dec 2014 09:41:19 -0800 (PST)
Received: from homiemail-a26.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id E99921A0381 for <cfrg@irtf.org>; Tue, 30 Dec 2014 09:41:19 -0800 (PST)
Received: from homiemail-a26.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a26.g.dreamhost.com (Postfix) with ESMTP id C22C2B805B for <cfrg@irtf.org>; Tue, 30 Dec 2014 09:41:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=clnOeaYX8yu2p+7dti6G 7zoXfSs=; b=JBtMZbdg3KHZOy6AxahiDdE6Oru5C3e8zF8J5ray6LuRx7jFXSPH /mHtOtfu5dkMMrJkydL10w/Xf+J2ed5hIzSflfrkIVWpqv4jrmQUvaHFLIap4RpX xplJCsjx/qKkZlOtLA/U6CVtJ367Kf1C8L69YdrUNd/pyFtkbFi8og8=
Received: from mail-wg0-f42.google.com (mail-wg0-f42.google.com [74.125.82.42]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a26.g.dreamhost.com (Postfix) with ESMTPSA id 9BC24B8057 for <cfrg@irtf.org>; Tue, 30 Dec 2014 09:41:19 -0800 (PST)
Received: by mail-wg0-f42.google.com with SMTP id k14so21171813wgh.29 for <cfrg@irtf.org>; Tue, 30 Dec 2014 09:41:18 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.180.211.2 with SMTP id my2mr106374459wic.3.1419961278470; Tue, 30 Dec 2014 09:41:18 -0800 (PST)
Received: by 10.217.7.206 with HTTP; Tue, 30 Dec 2014 09:41:18 -0800 (PST)
In-Reply-To: <FA87F77E-5709-4F4D-858E-A98F390283AB@vpnc.org>
References: <CAMfhd9W684XMmXn3ueDmwrsQ_ZdiFG+VqYLxkvs7qDwiJdpk6w@mail.gmail.com> <1725646678.805875.1419539885135.JavaMail.yahoo@jws100115.mail.ne1.yahoo.com> <CAMfhd9Ua5fFZk46Xx1AN2VgyJ=Yng6fnO8aN-_ZfzXQn0Xbxhg@mail.gmail.com> <CA+Vbu7zqFcu8d1053mZ_eEm0q=np6T3snSQ4rfY0k1-4hBVDsA@mail.gmail.com> <CAHOTMV+jO+8pvU4-McPb+t-4=0jp0-5Gg-3Psis+zZ-FRu-R3w@mail.gmail.com> <FA87F77E-5709-4F4D-858E-A98F390283AB@vpnc.org>
Date: Tue, 30 Dec 2014 11:41:18 -0600
Message-ID: <CAK3OfOgfibHrktLBpEUoAck2WXuPwMjm7t2G6p4SJzjYCVJyEg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/VQaHu_cQqwbQItWAQpYZ8jVaABc
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Curve manipulation, revisited
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Dec 2014 17:41:20 -0000

On Tue, Dec 30, 2014 at 11:33 AM, Paul Hoffman <paul.hoffman@vpnc.org>; wrote:
> On Dec 29, 2014, at 6:52 PM, Tony Arcieri <bascule@gmail.com>; wrote:
>> I think you can avoid this slippery slope by the CFRG recommending Curve25519 as one of potentially many curves at a 128-bit security level, for now, as an interim solution, simply to avoid the current situation of apparent infinite deadlock.
>
> No, please no. An "interim solution" signature algorithm is stillborn. Few people would want to take the operational effort to create *and maintain* keys for an interim solution when the current solution (P256) is good enough.

That's not what Tony proposed though.  Tony proposed recommending
Curve25519 for ECDH soone and considering digital signatures later.  I
think that's a fine proposal, but the slippery slope can't be avoided
anyways: many developers are aching to use off-the-shell ECDH and
anything better than RSA, and EdDSA is looking pretty good.  If
developers should be told not to (e.g., because EdDSA might be no
good), then CFRG should say so.  Waiting won't stop the slide, and it
might be a fun slope to sled anyways, not a dangerous one (pardon the
terrible analogy).

Nico
--