Re: [Cfrg] Recommending secp256k1 in FIPS 186-5

Christian Lundkvist <christian.lundkvist@consensys.net> Fri, 17 January 2020 13:03 UTC

Date: Fri, 17 Jan 2020 08:02:55 -0500
From: Christian Lundkvist <christian.lundkvist@consensys.net>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Cc: Dan Burnett <daniel.burnett@consensys.net>, Oliver Terbu <oliver.terbu@consensys.net>
Message-ID: <100b35bb-5ed6-4cca-80ee-5b2dda90fbbf@Spark>
In-Reply-To: <CALu3yZJzF6ht0k_ui8BNpkNYecaoL4NzT6qEC-2cn82a28U1pA@mail.gmail.com>
References: <CAJ-gw3Emk009ai=y9s=4TSYSC3W0yYJhW9Wd1HEYo=UW2tx5hw@mail.gmail.com> <6528B068-49DA-475D-BFD8-ECE22403B9E6@ll.mit.edu> <CALu3yZJzF6ht0k_ui8BNpkNYecaoL4NzT6qEC-2cn82a28U1pA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fnZNIjzpcmnzBwJR0ywoYyfGK5k>
Subject: Re: [Cfrg] Recommending secp256k1 in FIPS 186-5
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Hi Uri,

Thanks for your response! As I understand it, NIST is considering adopting support for the curve Ed25519. A large part of this is because this curve has seen fairly widespread use in the industry.

What is the reason you feel that this curve is worth supporting and the curve secp256k1 is not? Is it only due to the relative security considerations of these curves? Can you point us to any specific security weaknesses or exploits of the curve secp256k1 that you feel would make it unsuitable for digital signature use?

Best regards,
Christian Lundkvist

On Dec 19, 2019, 12:06 -0500, Oliver Terbu <oliver.terbu@consensys.net>, wrote:
> Looping in Christian who is our cryptographer.
>
> Christian, could you please follow up?
>
> Thanks,
> Oliver
>
> > On Thu, Dec 19, 2019 at 5:27 PM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
> > > Sorry, I've said all I could (in a short email ;).
> > >
> > > Regards,
> > > Uri
> > >
> > > Sent from my iPhone
> > >
> > > > On Dec 19, 2019, at 11:09, Dan Burnett <daniel.burnett@consensys.net> wrote:
> > > >
> > > > Thank you.  Can you say more?  The standard argument of "strongest is best" I already get, but I suspect you have other arguments than that in mind.  I have cc'd Oliver Terbu, who worked on this doc, in case he has more specific questions for you.
> > > >
> > > > -- dan
> > > >
> > > >
> > > > > On Thu, Dec 19, 2019 at 10:57 AM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
> > > > > > In my humble opinion it is not.
> > > > > >
> > > > > > Regards,
> > > > > > Uri
> > > > > >
> > > > > > Sent from my iPhone
> > > > > >
> > > > > > > On Dec 19, 2019, at 10:49, Dan Burnett <daniel.burnett@consensys.net> wrote:
> > > > > > >
> > > > > > > Out of politeness I don't want to dump the whole summary into the email, but the brief answer is for products and solutions using Bitcoin, Ethereum, etc.  The question is whether it is strong enough to include, not whether it is weaker than something else.
> > > > > > >
> > > > > > > -- dan
> > > > > > >
> > > > > > >
> > > > > > > > On Thu, Dec 19, 2019 at 10:37 AM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
> > > > > > > > > Why would I want another curve (secp256k1) that is weaker than the currently used secp256r1?
> > > > > > > > >
> > > > > > > > > From: Cfrg <cfrg-bounces@irtf.org> on behalf of Dan Burnett <daniel.burnett@consensys.net>
> > > > > > > > > Date: Thursday, December 19, 2019 at 10:31 AM
> > > > > > > > > To: CFRG <cfrg@irtf.org>
> > > > > > > > > Subject: [Cfrg] Recommending secp256k1 in FIPS 186-5
> > > > > > > > >
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > I have been a participant in several IETF Working Groups over the years, most recently RTCWEB (and W3C's WebRTC), but not this RG in particular.  However, I frequently recommend this group as highly knowledgeable when it comes to wise choices in cryptographic recommendations.  I learn something new every time I sit in on this group's sessions at IETF meetings.
> > > > > > > > >
> > > > > > > > > As mentioned in another thread, NIST is seeking feedback on their recently-released draft of FIPS 186-5. [1]
> > > > > > > > > My company and others are concerned about the lack of endorsement for secp256k1 in this standard and have drafted a request for its addition.[2]  We would welcome any comments and/or support from this group and/or any of its members (directly in the Google Doc linked below).  All comments are welcome, including those arguing against this request :)
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > >
> > > > > > > > > Dan Burnett
> > > > > > > > > ConsenSys
> > > > > > > > >
> > > > > > > > > [1] https://www.federalregister.gov/documents/2019/10/31/2019-23742/request-for-comments-on-fips-186-5-and-sp-800-186
> > > > > > > > > [2] https://docs.google.com/document/d/1wygRHPMGhhanDev7iZSn_AlXw6FZdTK-cIh4fXD77jk/edit#heading=h.1xljt59f35x5
> > > > > > > > >