Re: [Cfrg] Task looming over the CFRG

Paul Lambert <paul@marvell.com> Tue, 06 May 2014 20:43 UTC

From: Paul Lambert <paul@marvell.com>
To: Johannes Merkle <johannes.merkle@secunet.com>, Rene Struik <rstruik.ext@gmail.com>, "Igoe, Kevin M." <kmigoe@nsa.gov>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Tue, 06 May 2014 13:44:30 -0700
Thread-Topic: [Cfrg] Task looming over the CFRG
Thread-Index: Ac9pa8cR0+MkM8IbR3yenMEGuE+7kQ==
Message-ID: <CF8E940C.3A603%paul@marvell.com>
References: <3C4AAD4B5304AB44A6BA85173B4675CABAA4022F@MSMR-GH1-UEA03.corp.nsa.gov> <5367DA09.7020906@gmail.com> <CF8D298B.3A3C3%paul@marvell.com> <5367E67B.4050705@gmail.com> <CF8D3B8D.3A425%paul@marvell.com> <5368D023.7000706@secunet.com>
In-Reply-To: <5368D023.7000706@secunet.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/d9iuQdN1wJoXmSwU3s5rsC4X16M
Subject: Re: [Cfrg] Task looming over the CFRG

Johannes,

On 5/6/14, 5:05 AM, "Johannes Merkle" <johannes.merkle@secunet.com> wrote:

>Paul Lambert wrote on 05.05.2014 22:52:
>> NIST curves were created over 15 years ago.  NIST has not kept pace in
>>this period with recommendations to mitigate attacks documented by
>>industry. NIST has not considered the advancements in open cryptographic
>>publications that have identified new curves and algorithms that provide
>>improved performance and better "safety" of implementations.
>
>
>We should not mix up curves with (possibly insufficient) recommendations
>for side-channel resistance. These are two
>different things.
>
>I do not mean to advocate the NIST curves, but lack of "safety" is a weak
>argument against them.

Yes.  I agree, and normally avoid the term "safe" for these comparisons.
However, after close reading of the last decade of NIST publications there
are no recommendations on such potential vulnerabilities.
Plus 
>It has been shown that
>time-constant and exception-free implementations of Weierstrass curves
>are easily possible while still obtaining good
>efficiency [1]. 
None of which are documented by NIST.


>And invalid-point attacks are very easily (and cheaply) thwarted by point
>validation as recommended by
>NIST and ANSI standards.
Yes.  "Safe" has become a smoke cloud of several possible issues, some more
important than others.  The point validation is well covered by NIST.
The comparable topic for Curve25519 is the special selection of the secret
key, which is never mentioned as an issue/criterion.


>
>IMHO, lack of rigidity and slightly inferior performance are much better
>arguments against NIST curves.


Here's another attempt at ranking (from --- to +++ range)


               NIST   Twisted Edwards
Side Channel    +         +++
Performance     +         +++
Rigidity        -         +++

I'm not sure it's possible to get this mailing list to agree on the
subjective value of some of the criteria.   My earlier rant was trying to
stress the time period that has passed without evaluation or improvements
on the NIST recommendations.  Progress has been made that should be
captured in recommendations for new curves.

Paul


>
>Johannes
>
>[1] Joppe W. Bos, Craig Costello, Patrick Longa, Michael Naehrig:
>Selecting Elliptic Curves for Cryptography: An
>Efficiency and Security Analysis. Cryptology ePrint Archive, Report
>2014/130.
>
>
>