Re: [Cfrg] Requirements for curve candidate evaluation update

David Jacobson <> Thu, 14 August 2014 01:42 UTC

Date: Wed, 13 Aug 2014 18:42:05 -0700
From: David Jacobson <>
To: Phillip Hallam-Baker <>, "Salz, Rich" <>
Cc: "" <>
Subject: Re: [Cfrg] Requirements for curve candidate evaluation update

I certainly don't agree that we need to be hamstrung by compatibility 
with existing HSMs.  Clearly, the existing HSMs will work with NIST P-256.

Let's look at the risks of P-256 on an existing HSM.  The only real 
concern is that the NSA might know a vulnerability. For many users, this 
is not the end of the world.

I would not be surprised if many of the organizations with HSMs are 
financial institutions or government agencies.  These organizations are 
likely also constrained to FIPS 140-2 validated devices.  This means 
they can't escape FIPS-approved curves, i.e. NIST P-256, etc.  And that 
means that even if we restricted ourselves to short Weierstrass curves, 
these HSM users still wouldn't be able to use their HSMs.

Finally, there is the assumption that the manufacturer of the HSM can't 
or won't upgrade the firmware.  That could be a business decision by the 
HSM manufacturer, but I doubt it is a technical one.  In a past life I 
worked for a company that built HSMs, and those could have their 
firmware updated.  Admittedly there is some possibility that the 
upgraded HSM will be slower, depending on how much of any special silicon 
can be harnessed for the new curve.

    --David Jacobson

On 8/13/14 4:48 PM, Phillip Hallam-Baker wrote:
> I really could care less about wire formats. They are completely
> mutable at this point.
> The only place where I have real legacy problems is in HSM support.
> Long term signature keys have to be generated and stored in HSMs. And
> no, that is not a 'nice to have feature', it is a 'be prepared to be
> laughed at and told that you completely wasted your time' if it isn't
> met type of feature.
> I don't need to be able to use my existing HSMs but if the curves
> chosen are not supported by any existing hardware and it takes 3 years
> for it to become available then it's going to delay everything (apart
> from EDH).
> On Tue, Aug 12, 2014 at 6:05 PM, Salz, Rich <> wrote:
>> I have asked before, perhaps you missed it.
>> I take exception to your claims that “single curve model” and “no change to
>> wire formats” are facts on the ground.  Can you justify that?
>> --
>> Principal Security Engineer
>> Akamai Technologies, Cambridge MA
>> IM: Twitter: RichSalz