Re: [Cfrg] Hardware requirements, Brainpool (was: ECC reboot)

Alyssa Rowan <akr@akr.io> Fri, 17 October 2014 21:07 UTC

Message-ID: <54418508.8070006@akr.io>
Date: Fri, 17 Oct 2014 22:07:20 +0100
From: Alyssa Rowan <akr@akr.io>
To: "cfrg@irtf.org" <cfrg@irtf.org>
References: <0FC829CD89DE224E98637A5D757BC1B81F0245DD@GSBEEX01.int.gematik.de>
In-Reply-To: <0FC829CD89DE224E98637A5D757BC1B81F0245DD@GSBEEX01.int.gematik.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/gKui6Ky0g5abhOYTJ1w32uaUbqg
Subject: Re: [Cfrg] Hardware requirements, Brainpool (was: ECC reboot)

On 17/10/2014 16:24, Hallof, Andreas wrote:

> (RSA-based keys + dedicated TLS-Certificate).

Irrelevant. You're citing deployment (of RSA?) in (another) very limited
field of specific governmental stakeholders.

Brainpool is quite rarely deployed in IETF protocols worldwide,
despite it being standardised for some time now and being available in
some libraries: a fact that anyone with zmap and Python can easily verify.

Consider: If Brainpool-style curves addressed the TLS WG's needs, they
wouldn't be asking us for new curves, they'd be using the Brainpool
curves they've already got, wouldn't they?

The _very_ poor software performance of random primes is the reason why.
No mystery there.

> In medium term we want to migrate to an ECC-based scheme.

And you're free to choose any you want to.

Brainpool isn't magically going away for those that want it, you know. I
am not expecting the NIST curves will vanish overnight either!

> If independent from each other three different
> Chipcard-Manufacturer tell me they prefer using curves with random
> primes then this tells me something.

It tells me something, too - those three are being cheap as hell.

They are reusing an old rusty RSA multiplier whose blinding falls short
over sparse prime fields, and they're not really willing to redesign or
recertify their decade-plus-old designs to improve that, even in the
face of improved attacks and 'high assurance' hardware they're shipping
tens of millions of units of.

There are more than 3 smartcard vendors, and some others have
supported the NIST curves (which are special primes) just fine.

So no, I don't find that argument compelling, or highly assuring.

-- 
/akr