Re: [Cfrg] revised requirements for new curves

Manuel Pégourié-Gonnard <> Mon, 08 September 2014 14:30 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 5A24F1A8843 for <>; Mon, 8 Sep 2014 07:30:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 2.893
X-Spam-Level: **
X-Spam-Status: No, score=2.893 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, FH_RELAY_NODNS=1.451, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3, RDNS_NONE=0.793] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id p4JE7mEgkkUi for <>; Mon, 8 Sep 2014 07:30:26 -0700 (PDT)
Received: from (unknown [IPv6:2001:4b98:dc0:41:216:3eff:feeb:c406]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2473D1A8837 for <>; Mon, 8 Sep 2014 07:30:25 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTPS id C461C16148; Mon, 8 Sep 2014 16:30:22 +0200 (CEST)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 25A071F63C; Mon, 8 Sep 2014 16:30:22 +0200 (CEST)
Message-ID: <>
Date: Mon, 08 Sep 2014 16:30:21 +0200
From: Manuel Pégourié-Gonnard <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0
MIME-Version: 1.0
To: William Whyte <>, "Paterson, Kenny" <>,
References: <> <>
In-Reply-To: <>
OpenPGP: id=98EED379; url=
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Subject: Re: [Cfrg] revised requirements for new curves
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Sep 2014 14:30:28 -0000

On 08/09/2014 15:49, William Whyte wrote:
> IN1: I don't understand how a curve could be incompatible with a TLS RFC. A
> new curve would be a new ciphersuite: to support a new curve, you reserve a
> ciphersuite identifier and define behavior for that ciphersuite identifier.

I guess you mean a NamedCurve identifier (RFC 4492 sec. 5.1.1) rather than a
ciphersuite identifier. Currently, ciphersuites only specify the high-level
mechanism (ECDH(E), ECDSA), not the specific curve(s) used by this mechanism.
(There is a draft for including curve selection in the ciphersuite identifier,
but for now it's only a draft). And possibly some new ECPointFormat (sec 5.1.2)
in addition, if the new curves support other representations than short
Weierstrass, and the decision is made to allow those representations on the wire
(rather than to force conversion to short Weierstrass).

By the way, the TLS curve/point negotiation doesn't allow peers to negotiate the
use of different point formats for different curves. That's probably something
to bear in mind when discussing point formats.