Re: [Cfrg] Progress on curve recommendations for TLS WG

[Alyssa Rowan <akr@akr.io>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 15 August 2014 12:12:13 BST, Johannes Merkle <johannes.merkle@secunet.com> wrote:

>- The method used to generate the coefficients of the Brainpool curves
>was taken from ANSI X9.62 (including the use of
>SHA-1), which was - at least at that time - the only reference for a
>method for pseudo-random curve generation. There is
>only the slight deviation that the second coefficient was computed in
>exactly the same way as the first one, while ANSI
>X9.62 computes the fraction of these, but this straightforward
>simplification does not introduce significant flexibility.
>
>- Pi and e are by far the most prominent mathematical constants, while
>cosinus(1) (used in that analysis) is quite
>arbitrarily chosen. Expressing Pi as 4*arctan(1) doesn't change this
>fact.
>
>It is perfectly OK to point out that the Brainpool curves do not allow
>optimal performance, or that Montgomery and
>Edwards curves allow simplified arithmetic. But it is not ok to imply
>that the Brainpool curves could potentially have
>been designed with a backdoor built in. This suggestion is completely
>unjustified, misleading and gives a false color.

Respectfully, deferring choices made in the curve generation process back to ANSI X9.62 (even though it may have made sense at the time) doesn't alleviate any potential concerns about lack of rigidity in those choices; it merely means they weren't Brainpool's own choices, and no-one thought to question them at the time quite as deeply as they do today.

If X9.62's choices had full, rigid, transparent explanations, perhaps this discussion would have not arisen, and in that vein perhaps neither would Brainpool? But they did not (and although Certicom/NSA indeed seem to have performed a brute-force seed search for the SECG/NIST curves, we may never be certain what all the parameters of that search were): so here we are.

Please do not take the BADA55 paper personally; it is simply an entertaining, instructive demonstration of how, just because a conjurer seems to have nothing up their sleeves, doesn't necessarily mean they can't do magic tricks and perhaps we should all remember to look under their hat, too. :-)

- --
/akr
-----BEGIN PGP SIGNATURE-----
Version: APG v1.1.1

iQI3BAEBCgAhBQJT7f6MGhxBbHlzc2EgUm93YW4gPGFrckBha3IuaW8+AAoJEOyE
jtkWi2t6bRcP/0p8PkEtRAxzDfeSm83GBUMWfVDozB7yjvRXCtKf8QpzItVus7y4
bPYCRTUqPh0EoAIj+4LtgzElc0hvSWGaXXXeC73AS+8n3ky4SNFXZNsncY8Oehdx
tQ1J2XViV7VssOHu0laTWd4vIZtItHmfB1u6oNhlbsW4MRZ0eYNHk8mUv/lpIoN2
dE+iBKby/BkIusWbEcSgT3uh8zF6VCzdMEGlwXk7+0jscZkFxJdjGU6BVQce9z//
MiTgy+wnkM2J/QUFf3HX3y4YmecjI/PKvH9vDnp+PpJjAzWe0/yRYT5YiXj10z6G
AJ6ncCsa00I0ZbRkWQUGj2zYqvbxNRNCAjs+WxvckI1lC7R1sqQk3TWXliIH0808
Vpu9DzuauxTBCfYqwoJ/XIT9lglPCxWCFiTg44kFnE6/XjI/xvsxKgYfk84G1xcc
09EI7GQJ0cGYZo844xPIc+54arNRVKUMOGeXPUfHkm74u8xWy8NtM2FEYx+W1Y/R
yvKbUBZ1jyqBKtzkxqYuROCAQoSofe//eRuHu2iylw3j3FXKc9QcA401gQQ07Bkj
r1hCDCwFEBzuLbUHHYFtGk2MhggI/XYW7EQB8KDVFC5yhzNXm30eiz3vCTOmRLzQ
sRIoLz4UU8lm/D1qiqrTGzirSGCJTrirrTagSNM+GzKWYWhZC/Tjvp3a
=5wiX
-----END PGP SIGNATURE-----