[Cfrg] MAY use specified curves

Dan Brown <dbrown@certicom.com> Tue, 09 September 2014 17:03 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14D5A1A7003 for <cfrg@ietfa.amsl.com>; Tue, 9 Sep 2014 10:03:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.801
X-Spam-Level:
X-Spam-Status: No, score=0.801 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HTML_MESSAGE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H6eiskPGYHPQ for <cfrg@ietfa.amsl.com>; Tue, 9 Sep 2014 10:03:14 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id 41FB71A802B for <cfrg@irtf.org>; Tue, 9 Sep 2014 10:03:12 -0700 (PDT)
Received: from xct101cnc.rim.net ([10.65.161.201]) by mhs210cnc.rim.net with ESMTP/TLS/AES128-SHA; 09 Sep 2014 13:03:12 -0400
Received: from XCT115CNC.rim.net (10.65.161.215) by XCT101CNC.rim.net (10.65.161.201) with Microsoft SMTP Server (TLS) id 14.3.174.1; Tue, 9 Sep 2014 13:03:11 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT115CNC.rim.net ([::1]) with mapi id 14.03.0174.001; Tue, 9 Sep 2014 13:03:10 -0400
From: Dan Brown <dbrown@certicom.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: MAY use specified curves
Thread-Index: Ac/MS9WEcVQyhv+MQ4eAE/FZsUdlsA==
Date: Tue, 9 Sep 2014 17:03:10 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5CD8CE5@XMB116CNC.rim.net>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.251]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_000_005B_01CFCC2E.6845A3B0"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/d38T6sgSu5OoaYG7ceJZBQaPFSQ
Subject: [Cfrg] MAY use specified curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Sep 2014 17:03:19 -0000

Dear CFRG,

 

In addition to CFRG responding to the TLS request for recommending one or
two curves per security level, possibly as mandatory-to-implement, I think
CFRG should make a further recommendation to permit a MAY for IETF
implementations to specify elliptic curves.  

 

My understanding is that many IETF WGs have applied a MUST NOT to the
ANSI/SECG mechanisms of specifying an elliptic curve.  I do not know recall
the rationale for this MUST NOT, but I presume it was to improve
interoperability.   But this seems to _force_ users of the protocols to use
certain curves.  By contrast, ANSI and SECG recommended certain curves, but
they did not require them.

 

The main justification for allowing specified curves is that all _known_
attacks on the ECDLP and ECDHP are fairly easy to avoid, either by users
checking the parameters, or trusting them via some authentication channel,
e.g. in a certificate.  So, there's no fundamental security concerns with
specified curves.  Side channels must be listed as an important security
consideration for implementation of specified curves.

 

Allowing users to specify their own curves, instead of forcing particular
curves upon them, appears to have the following minor security benefits:

+1) resistance certain types of _suspected_ attacks, e.g. maliciously
generated curves, since users can select their own curves, or their friend's
curves.

+2) algorithm agility: in the unlikely event that the named curves are
discovered to be compromised (some breakthrough attack on the named curves),
then users can switch over to a specified curve quite quickly if using
implementations that support specified curves.  

+3) the effort spent to solve one ECDLP can be re-used to solve another the
ECDLP on the _same_ curve, whereas, for a different curve, almost all of any
previous effort is not useful.

 

Specified curves add the costs:

-1) decreased interoperability and efficiency: 

-2) complicated negotiation: extra bandwidth to convey the curves details,
and extra effort (for implementations or CAs) to verify the curve
parameters.

-3) difficulty to achieve side channel resistance, etc.

This cost appears to be the inherent price for the whatever security benefit
of specified curves.  Whether or not is an acceptable cost should perhaps be
left to the implementer, except perhaps the side channel resistance problem.

 

Securing the ensuing negotiation of the specified curves might be done with
the MTI curves, again expensive but not abnormal.  For example, a relying
party has to trust the CA's choice of algorithm used in the root
certificates, say ECDSA with a named curve, but then builds on this trust
(of the CA and of the named curve) to accept the algorithm indicated in the
issued certificate, say some specified curve.   I think that that this would
be an instance of the principle that authentication requires only short term
security, making the named curve adequate, while confidentiality requires
long-term security, and thus much greater caution, perhaps warranting a
specified curve.

 

Regarding the risk that specified curves can be misinterpreted as something
else, e.g. some weak non-EC DH or some weak RSA key, that should be
correctible by unambiguous formatting (in conjunction with secured
negotiation).

 

To make this proposal more specific to TLS without client authentication, if
a client specifies a curve, the server must validate the curve, which
especially includes checking that it is not vulnerable to Pohlig-Hellman, by
doing a primality check on the large subgroup order.  This could be costly
for the server.  The TLS protocol itself must ensure that such a client will
not allow client curve proposals to be substituted: but this is an issue
with the named curves, not just specified curves.  On the other hand, if the
server specifies the curve, the server's authentication can be added onto
the specified curve.  If the specified curve itself is used for the
authentication, e.g. for the server signatures, then it will be the CA's
signature from which the client derives trust of the specified curve.  In
addition, the client could validate the specified curve.

 

ANSI and SECG already provide mechanisms to specify curves, but perhaps
these could be updated for other types of curves.

 

Best regards,

 


Daniel Brown


Research In Motion Limited