Re: [Cfrg] Hardware requirements for elliptic curves

Watson Ladd, Fri, 12 September 2014 01:56 UTC

To: Torsten Schuetze

So I don't understand why you are asking for something that the
brainpool curves don't already give you. We are not removing curves
from TLS, and we already knew that FIPS users were likely to not adopt
the new curves, so nonsupport isn't an issue. Even if we had only the
NIST curves, and did nothing, you would be in the same position. There
is an enormous performance benefit in software for special primes, and
the sort of side channel attacks that require special blinding don't
matter on servers, even if the curve is implemented on hardware.

I think it's clear that the desired properties are different enough
that there is no way to satisfy everyone.

Watson Ladd