Re: [Cfrg] ECC reboot (Was: When's the decision?)

[Alyssa Rowan <akr@akr.io>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 16/10/2014 17:26, Johannes Merkle wrote:

> with respect to the second issue, we have just published a common
> position paper of the ECC Brainpool on the requirements for new
> curves. http://eprint.iacr.org/2014/832 Most, if not all, arguments
> have been expressed on this list before, but this is a consolidated
> statement.

Upon a read, and paraphrasing broadly (feel free to correct), what the
Brainpool members seem to think meets the hardware scenario best is
curves over "verifiably pseudo-random" primes, with points represented
in short-Weierstrass form - because that matches best with their
existing "high-assurance" pieces of hardware and the ways that they
attempt to address attacks within them. They (naturally) want to
minimise any changes to that general structure, to in turn minimise
the costs of those changes.

I note that none of the concrete, implemented proposals put forward so
far are VPR. Do they have such a proposal?

They have, of course, already specified a set of verifiably
pseudo-random curves, which would be the Brainpool curves. I'm not
totally clear what CFRG can positively add to that, because they are
already specified. (An xkcd about competing standards springs to mind.)

It seems that they also want a VPR curve(s?) to be
mandatory-to-implement, presumably for interoperability's sake?

I can see why they might want that, if VPR is the most convenient for
their implementations - but from what I see from the hesitant adoption
of Brainpool in the wider community, I have serious (albeit early)
doubts that will reach wide consensus either here or in any downstream
WG, due I suspect directly to the notoriously poor software
performance characteristics of pseudo-random primes and the complexity
required to correctly implement them in software. (This will of course
be quantified during evaluation of any contender they put forward.)

It seems to me at this stage that the requirements of the
existing-hardware stakeholders of the Brainpool may be not only
orthogonal, but actually (potentially) in direct opposition to the
requirements of the software stakeholders - and further their
requirements may (perhaps) already be satisfied by the Brainpool curves?

- -- 
/akr
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJUQAKuAAoJEOyEjtkWi2t62L4P+gLx6CZ0GJ5+6KYdeK3eA9Dd
keqBpZjlR25r74sdtqufUZaPH8AgB2q0QGX2evQKXWZj5cDblpwq1dVFk1o17wtZ
k+3C8wdtavENvCHPaFsRoQYferk33HLRhj1jw7M69BJo5HTEerImySANDAosNOpD
0dj+axICdfZ2GH0NvKScBN/gFZvUOj197SxDH+eVdy3g5HL52gUd4HAN17ZWSysG
kwG9MRHtTkKndO4JTLxiFCTX3DWFRXVIrUBCucJnvPDC0Rlsrgk0lLBiGHKLYhJR
bwdnBxuyijnzGmOjrRanZOCCIFoq05BtmwxbGGkA5BmCbTPwcLTltd9+doCihCYb
UDPfTZ5GvDaGhq6sUmUbPZnay1gvGIO18nyzxZXINkBanENQnE/Ofa2cdr0Ps9DN
40N0bcobbuaila6v/497a0krAp9D7aQ5JFN4swI5DYicpuYVDl0nOK63bRPTY+e+
gk4AKRB4gpVodU/O0a3tACvGwD7E/vf3qNbgrkqHHwXzhzhWebCRB9xtUpikbeEv
/R5yhCSFFXJ4DJB9oMi+kJjG+VmgdC3vOzN0Tra19Pq+znLYe4lFOTqZ/EX+S3Ql
Ua/hWfvmJyvXRe9mZt/dRjwj8GeHgRGlEnvcEjXvdmevuw5TAtZrJrBLjMfWFPNO
wKHWHyo/P4Rj3NQ3NfOl
=i8MQ
-----END PGP SIGNATURE-----