[Cfrg] MAY use specified curves
Dan Brown <dbrown@certicom.com> Tue, 09 September 2014 17:03 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14D5A1A7003 for <cfrg@ietfa.amsl.com>; Tue, 9 Sep 2014 10:03:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.801
X-Spam-Level:
X-Spam-Status: No, score=0.801 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HTML_MESSAGE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H6eiskPGYHPQ for <cfrg@ietfa.amsl.com>; Tue, 9 Sep 2014 10:03:14 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id 41FB71A802B for <cfrg@irtf.org>; Tue, 9 Sep 2014 10:03:12 -0700 (PDT)
Received: from xct101cnc.rim.net ([10.65.161.201]) by mhs210cnc.rim.net with ESMTP/TLS/AES128-SHA; 09 Sep 2014 13:03:12 -0400
Received: from XCT115CNC.rim.net (10.65.161.215) by XCT101CNC.rim.net (10.65.161.201) with Microsoft SMTP Server (TLS) id 14.3.174.1; Tue, 9 Sep 2014 13:03:11 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT115CNC.rim.net ([::1]) with mapi id 14.03.0174.001; Tue, 9 Sep 2014 13:03:10 -0400
From: Dan Brown <dbrown@certicom.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: MAY use specified curves
Thread-Index: Ac/MS9WEcVQyhv+MQ4eAE/FZsUdlsA==
Date: Tue, 09 Sep 2014 17:03:10 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5CD8CE5@XMB116CNC.rim.net>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.251]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_005B_01CFCC2E.6845A3B0"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/d38T6sgSu5OoaYG7ceJZBQaPFSQ
Subject: [Cfrg] MAY use specified curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Sep 2014 17:03:19 -0000
Dear CFRG, In addition to CFRG responding to the TLS request for recommending one or two curves per security level, possibly as mandatory-to-implement, I think CFRG should make a further recommendation to permit a MAY for IETF implementations to specify elliptic curves. My understanding is that many IETF WGs have applied a MUST NOT to the ANSI/SECG mechanisms of specifying an elliptic curve. I do not know recall the rationale for this MUST NOT, but I presume it was to improve interoperability. But this seems to _force_ users of the protocols to use certain curves. By contrast, ANSI and SECG recommended certain curves, but they did not require them. The main justification for allowing specified curves is that all _known_ attacks on the ECDLP and ECDHP are fairly easy to avoid, either by users checking the parameters, or trusting them via some authentication channel, e.g. in a certificate. So, there's no fundamental security concerns with specified curves. Side channels must be listed as an important security consideration for implementation of specified curves. Allowing users to specify their own curves, instead of forcing particular curves upon them, appears to have the following minor security benefits: +1) resistance certain types of _suspected_ attacks, e.g. maliciously generated curves, since users can select their own curves, or their friend's curves. +2) algorithm agility: in the unlikely event that the named curves are discovered to be compromised (some breakthrough attack on the named curves), then users can switch over to a specified curve quite quickly if using implementations that support specified curves. +3) the effort spent to solve one ECDLP can be re-used to solve another the ECDLP on the _same_ curve, whereas, for a different curve, almost all of any previous effort is not useful. Specified curves add the costs: -1) decreased interoperability and efficiency: -2) complicated negotiation: extra bandwidth to convey the curves details, and extra effort (for implementations or CAs) to verify the curve parameters. -3) difficulty to achieve side channel resistance, etc. This cost appears to be the inherent price for the whatever security benefit of specified curves. Whether or not is an acceptable cost should perhaps be left to the implementer, except perhaps the side channel resistance problem. Securing the ensuing negotiation of the specified curves might be done with the MTI curves, again expensive but not abnormal. For example, a relying party has to trust the CA's choice of algorithm used in the root certificates, say ECDSA with a named curve, but then builds on this trust (of the CA and of the named curve) to accept the algorithm indicated in the issued certificate, say some specified curve. I think that that this would be an instance of the principle that authentication requires only short term security, making the named curve adequate, while confidentiality requires long-term security, and thus much greater caution, perhaps warranting a specified curve. Regarding the risk that specified curves can be misinterpreted as something else, e.g. some weak non-EC DH or some weak RSA key, that should be correctible by unambiguous formatting (in conjunction with secured negotiation). To make this proposal more specific to TLS without client authentication, if a client specifies a curve, the server must validate the curve, which especially includes checking that it is not vulnerable to Pohlig-Hellman, by doing a primality check on the large subgroup order. This could be costly for the server. The TLS protocol itself must ensure that such a client will not allow client curve proposals to be substituted: but this is an issue with the named curves, not just specified curves. On the other hand, if the server specifies the curve, the server's authentication can be added onto the specified curve. If the specified curve itself is used for the authentication, e.g. for the server signatures, then it will be the CA's signature from which the client derives trust of the specified curve. In addition, the client could validate the specified curve. ANSI and SECG already provide mechanisms to specify curves, but perhaps these could be updated for other types of curves. Best regards, Daniel Brown Research In Motion Limited
- [Cfrg] MAY use specified curves Dan Brown
- Re: [Cfrg] MAY use specified curves Stephen Farrell
- Re: [Cfrg] MAY use specified curves Manuel Pégourié-Gonnard
- Re: [Cfrg] MAY use specified curves Dan Brown
- Re: [Cfrg] MAY use specified curves Stephen Farrell
- Re: [Cfrg] MAY use specified curves Daniel Kahn Gillmor
- Re: [Cfrg] MAY use specified curves David Leon Gil
- Re: [Cfrg] MAY use specified curves Watson Ladd