Re: [Cfrg] Safecurves draft

[Adam Back <adam@cypherspace.org>]

Erm I guess Bernstein, Lange et al already got  to name the curves because
they *generated them*?

You could certainly put a descriptive sub-heading in an RFC.

They are actually significantly better designed in their security,
performance, and demonstrable non-cooked status and several other highly
implementation security related factors.  They are actually scientifically
better curves on multiple factors and they have made strong arguments to
prove it.  Safe is in fact a reasonable name.  Clearly its partly marketing,
but so what I dont see how a third party can go rename
*their* curves.

Adam

On Thu, Jan 09, 2014 at 03:11:45AM +0000, Dan Brown wrote:
>I don't object to these curves.
>
>Still, could we please call these curves something more specific and neutral than just "safe"?
>
>Aren't many other curves safe so far as we know?
>
>For example, take the Brainpool curves, use a Montgomery (Brier-Joye?) ladder, and an extra careful implementation, and do ECDHE, with some other kind of safe auth. Is that not safe?
>
>Indeed, what about the NIST curves?
>
>Implying them to be unsafe in the sense of a weak DLP implies a hypotheses that mildly reduces the conventional notion of security for all ECC.
>
>Anyway, I debated all this already with Bernstein over at the TLS list, with virtually no  agreement confirmed. For now, I'll try to focus on the naming issue.
>
>Is it that "safe" means something less than "secure" in the conventional sense above? And safe is the best that can be hoped for in ECC, and maybe all PKC? That's just too strong to say.
>
>To be constructive, I suggest a name: "minimal - coefficient Montgomery" curves. Implicit in this name is that minimality is subject avoiding known DLP attacks, though the Monty should tip one of the crypto app. The short name could be "mini Monty".
>
>From: Watson Ladd
>Sent: Wednesday, January 8, 2014 12:11 PM
>To: cfrg@irtf.org
>Subject: [Cfrg] Safecurves draft
>
>
>Dear all,
>draft-ladd-safecurves contains the Safecurves with orders
>2^255+\epsilon and higher.
>I forgot to update the TOC, but that shouldn't stop the substantive
>conversation.
>
>Does anyone object to these curves being approved for IETF standard
>body use/typos/general nastiness?
>Sincerely,
>Watson Ladd
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>http://www.irtf.org/mailman/listinfo/cfrg
>---------------------------------------------------------------------
>This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>http://www.irtf.org/mailman/listinfo/cfrg