Re: [Cfrg] A big, big Elliptic Curve

Stephen Farrell <> Sun, 10 April 2016 17:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D496A12B052 for <>; Sun, 10 Apr 2016 10:43:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.297
X-Spam-Status: No, score=-5.297 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RVsOR4c6kraD for <>; Sun, 10 Apr 2016 10:43:03 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 70E9F12B04E for <>; Sun, 10 Apr 2016 10:43:03 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 039CEBE2D; Sun, 10 Apr 2016 18:43:02 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6uGRX7JCUhYm; Sun, 10 Apr 2016 18:43:00 +0100 (IST)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 1AF76BDF9; Sun, 10 Apr 2016 18:43:00 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=mail; t=1460310180; bh=ktBR2ZcLWbinXI+lBaadMjjqCTzmaidscVu2bb34U8U=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=UDNNxxblhyUqplxYa8PrKJ6DMS65ONBhbn+I7uyo9BSaNyVj36u0iDHWzKwhHgE+L cFBnOrgB8ItIBZ7RIIdt1lvTFF17fo65g4okF4AZXJtUrBjkcCe4/QvIQxRAqcuOED xdFVrNophZiJiwaACkf7q4id/mu4FE8z5uXcEuBY=
To: Ilari Liusvaara <>, Mike Hamburg <>
References: <> <> <>
From: Stephen Farrell <>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <>
Date: Sun, 10 Apr 2016 18:42:59 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms060400000302090409010106"
Archived-At: <>
Cc: "" <>
Subject: Re: [Cfrg] A big, big Elliptic Curve
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 10 Apr 2016 17:43:05 -0000

On 10/04/16 18:31, Ilari Liusvaara wrote:
> My interpretation of NSA position & announcements is:
> - QC is coming sufficently soon (and here "soon" can mean 30 years or
>   so) that there is no point in transitioning to ECC anymore.
> - NSA thinks that multiplicative-DH is significantly harder than what
>   "open literature" considers.

That seems like a reasonable interpretation if one takes what
they say at face value.

I'm not comfortable doing that to be honest. I remain concerned
that a part of this could be an attempt to discourage deployment
of current crypto by focusing attention on the next shiny thing
(pq crypto).

I do think we should be doing preparatory work on pq crypto,
but I am frankly uneasy to see people seemingly believing what
the NSA assert with no real evidence offered. These after all
are the same people (or indistinguishable from the people) who
were happy to try pull a fast one on another part of their own
government (I mean NIST/dual-ec).

I think the very least they need to do is to offer evidence if
they expect to be believed about anything non-obvious.

The solution to this quandry I think is for us to base decisions
on whatever openly available evidence we have, but on nothing else.
(So we ought not IMO factor in press-releases from anyone.)

And yes, if we don't have that evidence, that does create a
danger that we ignore qc risks more than we ought. The blame for
that however lies clearly with those who muddied the waters.