Re: [Cfrg] Safecurves draft

Adam Back <adam@cypherspace.org> Thu, 09 January 2014 09:47 UTC

Date: Thu, 9 Jan 2014 10:47:31 +0100
From: Adam Back <adam@cypherspace.org>
To: Dan Brown <dbrown@certicom.com>
Message-ID: <20140109094731.GA12327@netbook.cypherspace.org>
References: <20140109031144.6111382.52184.8264@certicom.com>
Cc: Adam Back <adam@cypherspace.org>, "cfrg@irtf.org" <cfrg@irtf.org>

Erm I guess Bernstein, Lange et al. already got to name the curves because
they *generated them*?

You could certainly put a descriptive sub-heading in an RFC.

They are actually significantly better designed in their security,
performance, and demonstrable non-cooked status and several other highly
implementation security related factors.  They are actually scientifically
better curves on multiple factors and they have made strong arguments to
prove it.  Safe is in fact a reasonable name.  Clearly it's partly marketing,
but so what, I don't see how a third party can go rename
*their* curves.

Adam

On Thu, Jan 09, 2014 at 03:11:45AM +0000, Dan Brown wrote:
>I don't object to these curves.
>
>Still, could we please call these curves something more specific and neutral than just "safe"?
>
>Aren't many other curves safe so far as we know?
>
>For example, take the Brainpool curves, use a Montgomery (Brier-Joye?) ladder, and an extra careful implementation, and do ECDHE, with some other kind of safe auth. Is that not safe?
>
>Indeed, what about the NIST curves?
>
>Implying them to be unsafe in the sense of a weak DLP implies a hypothesis that mildly reduces the conventional notion of security for all ECC.
>
>Anyway, I debated all this already with Bernstein over at the TLS list, with virtually no agreement confirmed. For now, I'll try to focus on the naming issue.
>
>Is it that "safe" means something less than "secure" in the conventional sense above? And safe is the best that can be hoped for in ECC, and maybe all PKC? That's just too strong to say.
>
>To be constructive, I suggest a name: "minimal-coefficient Montgomery" curves. Implicit in this name is that minimality is subject to avoiding known DLP attacks, though the Monty should tip one of the crypto app. The short name could be "mini Monty".
>
>From: Watson Ladd
>Sent: Wednesday, January 8, 2014 12:11 PM
>To: cfrg@irtf.org
>Subject: [Cfrg] Safecurves draft
>
>
>Dear all,
>draft-ladd-safecurves contains the Safecurves with orders
>2^255+\epsilon and higher.
>I forgot to update the TOC, but that shouldn't stop the substantive
>conversation.
>
>Does anyone object to these curves being approved for IETF standard
>body use/typos/general nastiness?
>Sincerely,
>Watson Ladd
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>http://www.irtf.org/mailman/listinfo/cfrg