Re: [Cfrg] big-endian short-Weierstrass please

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 29 January 2015 13:21 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/iZ9Ms_590X0ud4RrrClpRtKUWRo>

On Thu, Jan 29, 2015 at 5:04 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

> On 29/01/15 07:13, Alyssa Rowan wrote:
> > unless NIST surprise us and come to like the curves and algorithms
> > we do.
>
> Well, NIST are planning a workshop on the topic so you have
> the opportunity to submit a position paper or comment to the
> effect that they ought do exactly that. Sometimes they are
> fairly reasonable after all (though perhaps that is not the
> overall impression one gets of 140-1;-)
>

Fortunately the decision-making body relevant here isn't NIST, it is
CABForum, which is the browser providers and CAs. And the issue there is
simply 'can we do this safely'.

So by FIPS-140 equivalent, what is meant is something that we can get a
group of experts to agree is equivalent and safe. It probably means that
the hardware is certified FIPS-140 but not necessarily for the particular
algorithm. This may or may not require wording changes but I don't expect
they would be controversial.

On the NIST side, I think that in the current circumstances it is very
likely we get a FIPS published on the new curves and algorithms. In the
medium term it is more or less certain. NIST exists to serve the needs of
commerce, not the other way round.

Snowden has changed the game in several ways. First, as in the Sony hack,
the real damage is done by revealing the trash talk inside the NSA. I have
my own theories about how the BULLRUN slides got made: Majors trying to
make Colonel by spinning their activities as meeting the director's fetish
for cyber-attack. Majors who don't make colonel become civilians so they
are likely to bend the truth. Only in the process they are essentially
saying that the NSA has been performing sabotage operations on other
government agencies. That type of behavior has consequences within a
bureaucracy, not just without.

The second, more important game change is that the NSA demonstrated that it
is unable to keep its own secrets, let alone advise the rest of government
on how to do it. And as BULLRUN demonstrates, it can't be trusted to do so
even if they were capable. Snowden has ended many military careers and
brought the survival of the NSA into question. I don't expect changes under
this president, but I think it very likely that the NSA loses
responsibility for information security assurance under the next and NIST
is the logical home.

So in these circumstances I expect NIST is very likely to be sanctioning
FIPS for the new curves, with or without NSA approval. The new curves are
technically superior and far more likely to appear in COTS products.