Re: [Cfrg] ECC reboot (Was: When's the decision?)

Andy Lutomirski <luto@amacapital.net> Thu, 16 October 2014 18:07 UTC

In-Reply-To: <20141016180045.GA20823@LK-Perkele-VII>
References: <D065A817.30406%kenny.paterson@rhul.ac.uk> <543FF1A7.8030908@secunet.com> <544002AF.1020107@akr.io> <20141016180045.GA20823@LK-Perkele-VII>
From: Andy Lutomirski <luto@amacapital.net>
Date: Thu, 16 Oct 2014 11:06:40 -0700
Message-ID: <CALCETrWJfEzvgV=LiAc4SFsbDGSFNxiJsMx2b2H8XTOn0bOsew@mail.gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/hh50uXnkBTig6NlBPjdj6G1uEWw
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] ECC reboot (Was: When's the decision?)
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On Thu, Oct 16, 2014 at 11:00 AM, Ilari Liusvaara
<ilari.liusvaara@elisanet.fi> wrote:
> On Thu, Oct 16, 2014 at 06:38:55PM +0100, Alyssa Rowan wrote:
>>
>> It seems to me at this stage that the requirements of the
>> existing-hardware stakeholders of the Brainpool may be not only
>> orthogonal, but actually (potentially) in direct opposition to the
>> requirements of the software stakeholders - and further their
>> requirements may (perhaps) already be satisfied by the Brainpool curves?
>
> I think the requirements are in direct opposition.
>
> And I know no reason why existing Brainpool curves wouldn't be usable
> for "high-security" hardware.

Are the Brainpool curves really VPR?  They're certainly far better in
that regard than the NIST curves, but the BADA55 paper points out
correctly that the "verifiably" part is weak.

(The BADA55 curves themselves might actually not be so bad.  They were
clearly fudged, but the BADA55 property seems highly unlikely to be a
cryptographic weakness, and fudging them to have some other unlikely
property as well would have been rather expensive.)

--Andy