Re: [Cfrg] Formal request from TLS WG to CFRG for new elliptic curves

Brian LaMacchia <bal@microsoft.com> Sun, 20 July 2014 23:53 UTC

From: Brian LaMacchia <bal@microsoft.com>
To: Watson Ladd <watsonbladd@gmail.com>, Nigel Smart <nigel@cs.bris.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/gFiPvOS6XN77l2HWxLnE_qr6lAs
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

Well, not exactly, there are some important differences between Curve25519 and the two NUMS curve sub-families.  In particular, note that draft-black-numscurves includes both a set of Weierstrass *and* a set of twisted Edwards curves.  We included the Weierstrass curves in order to provide a deterministically-generated curve family for TLS that could be used as a "drop-in replacement" for the NIST prime curves in existing implementations.  This seems particularly important given that the TLS WG charter for TLS 1.3 focuses on improving the confidentiality aspects of the protocol, not its performance, and includes an admonition to "minimize gratuitous changes" to the protocol.  It has also been my experience that of those customers now asking for non-NIST curves, their motivation is more about the way the NIST curves were generated than their performance.  As the NUMS paper and released libraries demonstrate, one can get significant performance improvements over the NIST curves while still using Weierstrass curves at the same security level.

					--bal

-----Original Message-----
From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Watson Ladd
Sent: Sunday, July 20, 2014 2:51 PM
To: Nigel Smart
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Formal request from TLS WG to CFRG for new elliptic curves

[snip]

This process began with Curve25519 for TLS. Then Microsoft showed up with substantially similar NUMS curves. I think it was obvious that new code was going to be written and this was understood by the TLS 1.3 WG.