[Cfrg] Submission of curve25519 to NIST from CFRG -> was RE: On "non-NIST"

Paul Lambert <paul@marvell.com> Tue, 10 March 2015 21:37 UTC

Return-Path: <paul@marvell.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 7A6E11A8A4B for <cfrg@ietfa.amsl.com>; Tue, 10 Mar 2015 14:37:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.267
X-Spam-Status: No, score=-2.267 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Oy9j1m0g2FZl for <cfrg@ietfa.amsl.com>; Tue, 10 Mar 2015 14:37:39 -0700 (PDT)
Received: from mx0a-0016f401.pphosted.com (mx0a-0016f401.pphosted.com []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BDF41A87AC for <cfrg@irtf.org>; Tue, 10 Mar 2015 14:37:39 -0700 (PDT)
Received: from pps.filterd (m0045849.ppops.net []) by mx0a-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id t2ALYKSH031264; Tue, 10 Mar 2015 14:37:39 -0700
Received: from sc-owa.marvell.com ([]) by mx0a-0016f401.pphosted.com with ESMTP id 1t1e6j5011-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 10 Mar 2015 14:37:39 -0700
Received: from SC-vEXCH2.marvell.com ([]) by SC-OWA.marvell.com ([::1]) with mapi; Tue, 10 Mar 2015 14:37:38 -0700
From: Paul Lambert <paul@marvell.com>
To: "Igoe, Kevin M." <kmigoe@nsa.gov>, Alexey Melnikov <alexey.melnikov@isode.com>, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Date: Tue, 10 Mar 2015 14:37:37 -0700
Thread-Topic: Submission of curve25519 to NIST from CFRG -> was RE: [Cfrg] On "non-NIST"
Thread-Index: AdBTbP29zVqLxqasSbCRT4iQfSJfGgICaY5Q
Message-ID: <7BAC95F5A7E67643AAFB2C31BEE662D020E29C4319@SC-VEXCH2.marvell.com>
References: <9A043F3CF02CD34C8E74AC1594475C73AAF91123@uxcn10-5.UoA.auckland.ac.nz> <BE305B0B-80D2-48C6-ACE6-6F6544A04D69@vpnc.org>
In-Reply-To: <BE305B0B-80D2-48C6-ACE6-6F6544A04D69@vpnc.org>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.13.68, 1.0.33, 0.0.0000 definitions=2015-03-10_08:2015-03-10,2015-03-10,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1503100221
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/dtUZzdkrAFXf2Zth6WiWm3GkprM>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "EllipticCurves@nist.gov" <EllipticCurves@nist.gov>
Subject: [Cfrg] Submission of curve25519 to NIST from CFRG -> was RE: On "non-NIST"
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2015 21:37:41 -0000

Given that this illustrious Internet Research Task Group (IRTG) subcommittee, the Crypto Forum Research Group (CFRG), has a consensus to recommend the use of 'curve25519' for TLS, and given that NIST is soliciting input on elliptic curves it would be an opportune time for the Chairs of the CFRG to formally send the CFRG's draft recommendation (https://tools.ietf.org/html/draft-irtf-cfrg-curves-01) to NIST for the upcoming NIST Workshop on 'Elliptic Curve Standards' ( http://www.nist.gov/itl/csd/ct/ecc-workshop.cfm ).

     "NIST encourages presentations and reports
      on preliminary work that participants plan 
      to publish elsewhere."


PS - the deadline for submissions is March 15th

Workshop on Elliptic Curve Cryptography Standards

Elliptic curve cryptography will be critical to the adoption of strong cryptography as we migrate to higher security strengths. NIST has standardized elliptic curve cryptography for digital signature algorithms in FIPS 186 and for key establishment schemes in NIST Special Publication 800-56A. 

In FIPS 186-2, NIST recommended 15 elliptic curves of varying security levels for use in these elliptic curve cryptography standards. The provenance of the curves was not fully specified, leading to recent public concerns that there could be a hidden weakness in these curves. We remain confident in their security and are not aware of any significant attacks on the NIST curves when used as described in our standards and implemented correctly. 

However, more than 15 years has passed since these curves were developed, and the community now knows more about the security of elliptic curve cryptography and practical implementation issues. The current state-of-the-art has advanced. In research and other standards venues, newer curves have been proposed which pursue better performance or simpler and more secure implementations.

The workshop is to provide a venue to engage the crypto community, including academia, industry, and government users to discuss possible approaches to promote the adoption of secure, interoperable and efficient elliptic curve mechanisms.

Call for Papers (submission deadline March 15, 2015)

]-----Original Message-----
]From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Paul Hoffman
]Sent: Saturday, February 28, 2015 7:41 AM
]To: Peter Gutmann
]Cc: cfrg@irtf.org
]Subject: Re: [Cfrg] On "non-NIST"
]On Feb 28, 2015, at 12:59 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz>
]> Paul Hoffman <paul.hoffman@vpnc.org> writes:
]>> The term "non-NIST" is predictive, and the crypto community kinda
]>> sucks at predictions. We have no idea what NIST will do in the future
]>> if a bunch of IETF WGs adopt specific elliptic curves that are not
]> Why is NIST seen as the ultimate arbiter of what's appropriate though?
]Not "the", but "an". The reason is that NIST controls what can and
]cannot be given a FIPS-140 certification, and that certification is
]considered important both by companies who want to sell to the US Govt
]and companies that use their certification as a statement that "we did
]it right". If you make an HSM that uses an algorithm not allowed by
]NIST, you cannot get it certified in the CMVP regime. Thus, when NIST is
]slow to keep up with the best practices adopted by the community, it
]becomes a roadblock to deploying better crypto.
]This is why we hope that, when this RG finally moves on both the the
]curve and the signing algorithm, NIST adds those to its list of
]acceptable crypto for the FIPS 140 testing. If they don't, people can
]still deploy it, but deployment will be hampered.
]--Paul Hoffman
]Cfrg mailing list