Re: [Cfrg] Formal request from TLS WG to CFRG for new elliptic curves

Brian LaMacchia <> Sun, 20 July 2014 23:53 UTC

From: Brian LaMacchia <>
To: Watson Ladd <>, Nigel Smart <>

Well, not exactly, there are some important differences between Curve25519 and the two NUMS curve sub-families.  In particular, note that draft-black-numscurves includes both a set of Weierstrass *and* a set of twisted Edwards curves.  We included the Weierstrass curves in order to provide a deterministically-generated curve family for TLS that could be used as a "drop-in replacement" for the NIST prime curves in existing implementations.  This seems particularly important given that the TLS WG charter for TLS 1.3 focuses on improving the confidentiality aspects of the protocol, not its performance, and includes an admonition to "minimize gratuitous changes" to the protocol.  It has also been my experience that of those customers now asking for non-NIST curves, their motivation is more about the way the NIST curves were generated than their performance.  As the NUMS paper and released libraries demonstrate, one can get significant performance improvements over the NIST curves while still using Weierstrass curves at the same security level.


-----Original Message-----
From: Cfrg [] On Behalf Of Watson Ladd
Sent: Sunday, July 20, 2014 2:51 PM
To: Nigel Smart
Subject: Re: [Cfrg] Formal request from TLS WG to CFRG for new elliptic curves


This process began with Curve25519 for TLS. Then Microsoft showed up with substantially similar NUMS curves. I think it was obvious that new code was going to be written and this was understood by the TLS 1.3 WG.