Re: [Cfrg] Progress on curve recommendations for TLS WG

Watson Ladd <watsonbladd@gmail.com> Fri, 15 August 2014 17:07 UTC

In-Reply-To: <53EE3839.7010009@secunet.com>
References: <20140801013659.11640.qmail@cr.yp.to> <53EDEB0D.9040304@secunet.com> <925e123f-d396-443f-9fc7-b1f6601bcd4c@email.android.com> <53EE17A9.7080408@secunet.com> <CACsn0c=eS-=6dapjrw07uEbxW0MHqn6=3caftfA6geZNOUcu9w@mail.gmail.com> <53EE3839.7010009@secunet.com>
Date: Fri, 15 Aug 2014 10:07:03 -0700
Message-ID: <CACsn0c=hEwPPL_zrXnoXnWfQ6oQPE-U8P3mGCA3a7=djfXAAqw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Johannes Merkle <johannes.merkle@secunet.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/egtmK3ANObank7pJyE8PJ2hB528
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Progress on curve recommendations for TLS WG

On Aug 15, 2014 9:41 AM, "Johannes Merkle" <johannes.merkle@secunet.com> wrote:
>
> Watson Ladd wrote on 15.08.2014 16:29:
> >>
> >> It is important that, whatever curves CFRG selects, anyone can feel
> >> comfortable with their rigidity and that there will be no doubts about
> >> their security and the lack of back-doors. The BADA55 paper and the
> >> post I was responding to, though intended to be provocative and
> >> entertaining, introduce FUD in that respect and are counter-productive.
> >> I am quite sure that one could also construct a "one in a million
> >> curve" using a seed-less approach very similar to curve25519, but this
> >> would only introduce more unjustified discredit and FUD.
> >>
> >
> > Hic Rhodus, hic salta.
>
> Consider Dan Brown's construction as an example. You may consider his
> construction artificial as he considers attacks that are already known.
> However, this is exactly my point: You can find such examples if you
> stretch the boundaries of the scope in order to increase the degrees of
> freedom. In order to create sufficient flexibility, the BADA55 paper has
> generalized the method(s) of ANSI and Brainpool in many aspects, but
> these generalizations are much less natural and straightforward than the
> original approaches. In the same vein, one could slightly modify the
> rules for selecting the curve parameters used in a seed-less approach,
> and this generalization would certainly provoke your criticism as not
> being straightforward. So we would arrive at an example that does not
> really show anything but could be easily mistaken by someone with less
> insight (e.g. the press) to wrongly conclude that the seed-less approach
> is generally suspicious. This FUD effect would be bad.

Put the string BADA55 in the hex output of the parameters to convince us.
It's that simple. The reason Dan Brown's example isn't convincing is that
having only prime factors of not that small size is common.

>
> For this reason, I tried to appeal to stop this unfortunate discussion in
> which contrived examples are used to discredit much more straightforward
> approaches, but unfortunately, my post seems to have stimulated it.
>
>
> --
> Johannes
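The reply above rests on an arithmetic claim: a random large integer having no small prime factors is not a rare event, so a curve parameter with that property is weak evidence of manipulation. The following script is an added example, not part of this thread and not a reconstruction of Dan Brown's construction; it checks that claim directly by estimating, for random 64-bit integers, the fraction with no prime factor below a bound B, and compares the estimate with the exact limiting density (the product over primes p < B of 1 - 1/p, which Mertens' third theorem approximates by e^{-γ}/ln B). All function names, the bound B = 1000 and the bit size are assumptions chosen for illustration.

```python
"""Added example (not from the mailing-list thread): how common is it for a
random large integer to be free of small prime factors?  Function names,
the bound and the bit size are assumptions made for this illustration."""
import math
import random

EULER_GAMMA = 0.5772156649015329


def primes_below(bound):
    """Sieve of Eratosthenes: all primes p with p < bound."""
    sieve = [True] * max(bound, 2)
    sieve[0] = sieve[1] = False
    for p in range(2, int(bound ** 0.5) + 1):
        if sieve[p]:
            for multiple in range(p * p, bound, p):
                sieve[multiple] = False
    return [i for i in range(bound) if sieve[i]]


def is_rough(n, small_primes):
    """True if n is divisible by none of small_primes ("B-rough").
    Intended for n larger than every prime in the list."""
    return all(n % p != 0 for p in small_primes)


def limiting_density(bound):
    """Exact density of integers with no prime factor below `bound`, in the
    limit of large integers: the product over primes p < bound of (1 - 1/p)."""
    density = 1.0
    for p in primes_below(bound):
        density *= 1.0 - 1.0 / p
    return density


def mertens_approximation(bound):
    """Mertens' third theorem: the product above is ~ e^{-gamma} / ln(bound)."""
    return math.exp(-EULER_GAMMA) / math.log(bound)


def rough_density_estimate(bits, bound, trials, seed=12345):
    """Monte Carlo estimate: fraction of random `bits`-bit integers (top bit
    forced to 1) with no prime factor below `bound`.  The fixed seed makes
    the result reproducible."""
    rng = random.Random(seed)
    small = primes_below(bound)
    hits = 0
    for _ in range(trials):
        n = rng.getrandbits(bits) | (1 << (bits - 1))
        if is_rough(n, small):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    B, BITS, TRIALS = 1000, 64, 20000
    print(f"exact limiting density (B={B})   : {limiting_density(B):.4f}")
    print(f"Mertens approximation e^-g/ln B  : {mertens_approximation(B):.4f}")
    print(f"Monte Carlo, {BITS}-bit, {TRIALS} trials: "
          f"{rough_density_estimate(BITS, B, TRIALS):.4f}")
```

Roughly 8% of random 64-bit integers have no prime factor below 1000, and the density falls only logarithmically in B, which is why "no small factors" alone does not single a parameter out. Raising B or the bit size in the `__main__` block shows how slowly that fraction shrinks.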