IETF Logo Mail Archive

Re: [Cfrg] big-endian short-Weierstrass please

Dan Brown <dbrown@certicom.com> Thu, 29 January 2015 17:58 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CB6B1A1AD3 for <cfrg@ietfa.amsl.com>; Thu, 29 Jan 2015 09:58:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oSnlMn9wRVxU for <cfrg@ietfa.amsl.com>; Thu, 29 Jan 2015 09:58:11 -0800 (PST)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id 56A5F1A0370 for <cfrg@irtf.org>; Thu, 29 Jan 2015 09:58:10 -0800 (PST)
Received: from xct108cnc.rim.net ([10.65.161.208]) by mhs211cnc.rim.net with ESMTP/TLS/AES128-SHA; 29 Jan 2015 12:58:04 -0500
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT108CNC.rim.net ([fe80::8dc1:9551:6ed8:c618%17]) with mapi id 14.03.0210.002; Thu, 29 Jan 2015 12:58:03 -0500
From: Dan Brown <dbrown@certicom.com>
To: "'watsonbladd@gmail.com'" <watsonbladd@gmail.com>
Thread-Topic: [Cfrg] big-endian short-Weierstrass please
Thread-Index: AdA6QfeHnVWfJGNlTzek7rmrn4E15gBEvvUAAAkmA5D///TDAIAACxgA//+0JACAAW5uAIAAUxDQ//+8gYCAAFEYUA==
Date: Thu, 29 Jan 2015 17:58:03 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5D44EC6@XMB116CNC.rim.net>
References: <810C31990B57ED40B2062BA10D43FBF5D42BDA@XMB116CNC.rim.net> <87386ug2r7.fsf@alice.fifthhorseman.net> <810C31990B57ED40B2062BA10D43FBF5D4413B@XMB116CNC.rim.net> <87r3ueedx7.fsf@alice.fifthhorseman.net> <20150128231006.GJ3110@localhost> <D0EED79E.204B1%uri@ll.mit.edu> <878ugleei5.fsf@alice.fifthhorseman.net> <810C31990B57ED40B2062BA10D43FBF5D44DD8@XMB116CNC.rim.net> <CACsn0cn23jC2q-_5q8oFuhw+_j45yZWZ9SL+mP+b=SMK7mQXUA@mail.gmail.com>
In-Reply-To: <CACsn0cn23jC2q-_5q8oFuhw+_j45yZWZ9SL+mP+b=SMK7mQXUA@mail.gmail.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.249]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0075_01D03BC3.379B23C0"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/iRBoCUvx256tx04G0aNdR8hWIbM>
Cc: "'cfrg@irtf.org'" <cfrg@irtf.org>
Subject: Re: [Cfrg] big-endian short-Weierstrass please
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jan 2015 17:58:14 -0000


>From: Watson Ladd [mailto:watsonbladd@gmail.com]
>On Jan 29, 2015 8:50 AM, "Dan Brown" <dbrown@certicom.com> wrote:
>
>> [DB] Wouldn't users of these private values have to then customize their 
>> software this?  Well, I guess TLS would work for that.  So, it seems that 
>> the advantage of specified curves, is that if a trustworthy WebSiteABC TLS 
>>  >>server, elects to use MagicCurveX, then anonymous TLS clients could 
>> connect to WebSiteABC, relying on the current trust of the WebSiteABC, and 
>> their own software.

>This is not how TLS negotiation works: the client offers and the server 
>picks. Due to vulnerabilities in all versions of TLS (still unfixed) one 
>always has to check the offered parameters for correctness.

[DB] Ah, too bad. I guess named curves (and FFDHE groups) is, among other 
things, one way to fix this problem with TLS.  (I vaguely recalled a proposal 
for the server being able to suggest alternatives outside the clients' list, I 
guess I misremembered.)

Anyway, to paraphrase others, a downside of TLS limiting curves to a small 
set, is this limitation can be spun sourly, albeit a tad unfairly, as 
pressuring users to use particular curves. That said, leaving in arbitrary 
curves, can also be spun badly, too, catch 22.

>That's on top of the fact that people don't want to use Curve25519 because 
>it's Curve25519. They want to use it because the design choices support high 
>speed secure implementations.

[DB] Right, but other users might want to use some other curves with high 
speed secure implementations, e.g., maybe a larger curve, but they disagree 
with CFRG advice about rigidity, etc.

>It's possible to get the existing extension to do this, but only if we have a 
>magic list of what to offer, and do all sorts of contortions in our 
>calculations. Much easier to negotiate an extension as the TLS WG extensively 
> >discussed.

v2.23.0 | Report a Bug | By Email