Re: [Cfrg] Requirements for curve candidate evaluation update

Watson Ladd <> Thu, 14 August 2014 14:39 UTC


On Thu, Aug 14, 2014 at 5:26 AM, Phillip Hallam-Baker
<> wrote:
> On Thu, Aug 14, 2014 at 1:49 AM, Alyssa Rowan <> wrote:
>> On 14/08/2014 03:42, Phillip Hallam-Baker wrote:
>>> To be clear, I am arguing that we put HSM support way ahead of a
>>> single model. HSM support is essential, a single model is
>>> someone's idea of tidiness.
>> That is a null property. Anything we can specify can be implemented in
>> software or hardware. As I said before, there will _eventually_ be new
>> HSMs, and new HSM firmware. People have already begun work on that.
> What the constraint means is that if we come down to two curves and
> little to choose between them and there is a significant difference in
> the HSM situation then the curve that allows re-use of existing HSMs
> wins, if neither does that then the curve that has support from HSM
> manufacturers wins.
> So folk peddling a curve would do well to line up HSM vendor support.

Let's back up a bit: every curve can be expressed in Weierstrass form
over the same field, so will work with today's ECDSA implementations.
Good? No.

1: Some implementations may have dedicated hardware to do reduction on
the NIST primes
2: Some implementations may assume prime order for correctness
3: Some implementations may not permit the use of arbitrary parameters

So to the extent that we are changing curves, it's not clear that
there is any way, even if we use prime order Weierstrass over the same
primes, to get complete support on HSMs. It's also not clear that
different curves materially differ in this respect.

> It isn't quite true to say that you can do everything in hardware or
> software. There are very specific constraints here to do with side
> channels and IPR that could have a huge bearing on what curve families
> are viable and which are not.

All the proposals look about the same: if you were to quiz me on which
was which, just showing me the primes and the coefficients, I would
have to do some arithmetic to see if they were complete or not, and so
if they were the NUMS curves or not.

Watson Ladd

>> The commercial world of this is however glacially slow-moving, partly
>> due to onerous and ineffective governmental certification requirements
>> (one of the things that has been - rightly - criticised). Several do
>> not support ECDSA (or ECDHE, where applicable) properly or at all, and
>> this is why RSA is still far more common in the wild and ECDSA is
>> quite honestly barely used by anyone publicly (there are _very few_
>> ECDSA PKIX roots...) - those that are using it are running it in
>> software and are therefore not relevant to your 'essential' requirement.
> There are very few serious CAs. So it's not surprising there are few
> ECC roots. We have ECC roots, so do the other leading CAs. But the
> reason for the lag has been IPR FUD.

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
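Added example, not part of the thread or any poster's code: the arithmetic behind two points made above, namely rewriting a Montgomery curve in short Weierstrass form over the same field (what legacy ECDSA code and HSMs consume), and the "is it complete or not" check for a twisted Edwards curve. Worked on Curve25519 and Ed25519 over p = 2^255 - 19; the function names are this example's own.

```python
# Added example (not from the thread). Two pieces of curve arithmetic over
# p = 2^255 - 19: (1) Montgomery B*v^2 = u^3 + A*u^2 + u -> y^2 = x^3 + a*x + b;
# (2) twisted Edwards a*x^2 + y^2 = 1 + d*x^2*y^2 is complete iff a is a
# square and d is a non-square in the field.
P = 2**255 - 19                 # field prime shared by Curve25519 and Ed25519
A_MONT, B_MONT = 486662, 1      # Curve25519 Montgomery coefficients (RFC 7748)
U_BASE = 9                      # Curve25519 base point u-coordinate

def inv(x):
    return pow(x % P, -1, P)

def is_square(x):
    """Euler's criterion: non-zero x is a square mod P iff x^((P-1)/2) == 1."""
    return pow(x % P, (P - 1) // 2, P) == 1

def sqrt_mod_p(n):
    """Square root for p = 5 mod 8: try n^((p+3)/8), else multiply by sqrt(-1)."""
    n %= P
    r = pow(n, (P + 3) // 8, P)
    if (r * r - n) % P:
        r = r * pow(2, (P - 1) // 4, P) % P   # 2 is a non-residue, so this is sqrt(-1)
    if (r * r - n) % P:
        raise ValueError("not a square")
    return r

def montgomery_to_weierstrass(A, B):
    """Coefficients (a, b) of y^2 = x^3 + a*x + b under u = B*x - A/3, v = B*y."""
    a = (3 - A * A) * inv(3 * B * B) % P
    b = (2 * A**3 - 9 * A) * inv(27 * B**3) % P
    return a, b

def point_to_weierstrass(u, v, A, B):
    """Map a Montgomery point (u, v) to the Weierstrass point (x, y)."""
    return (u + A * inv(3)) * inv(B) % P, v * inv(B) % P

def on_weierstrass(x, y, a, b):
    return (y * y - (x**3 + a * x + b)) % P == 0

def edwards_is_complete(a, d):
    """Completeness criterion for twisted Edwards: a square, d non-square."""
    return is_square(a) and not is_square(d)

def demo():
    a, b = montgomery_to_weierstrass(A_MONT, B_MONT)
    v = sqrt_mod_p((U_BASE**3 + A_MONT * U_BASE**2 + U_BASE) * inv(B_MONT))
    x, y = point_to_weierstrass(U_BASE, v, A_MONT, B_MONT)
    ed_a, ed_d = -1, -121665 * inv(121666) % P   # Ed25519 parameters (RFC 8032)
    return on_weierstrass(x, y, a, b), edwards_is_complete(ed_a, ed_d)
```

demo() returns (True, True): the mapped Curve25519 base point lies on the derived Weierstrass curve, and Ed25519's parameters pass the completeness test.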