Re: [Cfrg] (SPAM) Re: FourQ draft now available

Hanno Böck <> Fri, 23 September 2016 16:35 UTC


On Fri, 23 Sep 2016 14:11:00 +0000
Erwann Abalea <> wrote:

> Maybe that doesn’t count as a « major protocol », or even as an
> Internet use, but I see a potential benefit in the C-ITS domain
> (Cooperative Intelligent Transport Systems), where cars and
> infrastructure broadcast signed messages up to 10 times per second,
> maybe more frequently in some specific use-cases. With a 300m
> reception range in urban areas, that’s a lot of signed messages to
> check each second, with safety concerns. Current standards (IEEE 1609
> and ETSI ITS) use ECDSA under NIST-P256 curve, some are pushing for
> Brainpool (guess who?), a few people would like to see something new
> but see resistance. In the corresponding working groups, cryptography
> is often seen as very costly (bandwidth, CPU, hardware, …), it’s good
> to see progress in some of these costs.

I don't see this as a very convincing case. First of all, this strikes
me as a "this may be useful for X" argument, highly speculative and
very different from a "we want to use this in X once it's standardized".

If they currently use P256 and consider switching to brainpool then
probably performance isn't their biggest concern, because it's well
known that the brainpool curves are amongst the slowest options. (I
have some guesses why brainpool is considered, but that has probably
more to do with nationalism than with technology arguments.) I also
wonder if the people who see cryptography as costly base their opinion
on real numbers or just myths (I see this a lot in the TLS space where
people often have unrealistically high ideas about the performance

Given that my trust in these industries to implement cryptography in a
careful way is limited, I'd consider that giving them a safer option (aka
curve25519) is probably smarter than giving them one that has
implementation pitfalls.

Hanno Böck

GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
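The "real numbers or just myths" question above can be answered by measuring. The following is an added example, not part of the thread: a Python benchmark (assuming the pyca/cryptography package is installed) that times ECDSA P-256 against Ed25519 (the signature scheme built on curve25519) verification on the machine it runs on, and converts the rate into how many broadcasters sending 10 signed messages per second, the figure from the quoted mail, a single core could keep up with. The beacon payload is a constructed stand-in.

```python
"""Verification throughput of ECDSA P-256 vs Ed25519, expressed as the
number of C-ITS senders (10 signed messages/s each) one core can check."""
import time
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, ed25519

# Constructed sample payload standing in for a signed vehicle beacon.
MESSAGE = b"constructed beacon: id=0x1234 pos=48.1,11.6 speed=13.9 t=1474648546"
MESSAGES_PER_SENDER_PER_SECOND = 10  # broadcast rate cited in the quoted mail


def make_verifiers():
    """Return {scheme name: zero-argument verify callable} for both schemes."""
    p256_key = ec.generate_private_key(ec.SECP256R1())
    p256_pub = p256_key.public_key()
    p256_sig = p256_key.sign(MESSAGE, ec.ECDSA(hashes.SHA256()))
    ed_key = ed25519.Ed25519PrivateKey.generate()
    ed_pub = ed_key.public_key()
    ed_sig = ed_key.sign(MESSAGE)
    return {
        "ECDSA-P256": lambda: p256_pub.verify(p256_sig, MESSAGE, ec.ECDSA(hashes.SHA256())),
        "Ed25519": lambda: ed_pub.verify(ed_sig, MESSAGE),
    }


def verifies_per_second(verify, seconds=0.5):
    """Count successful verifications inside a fixed wall-clock window."""
    count, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        verify()  # raises InvalidSignature if the signature were bad
        count += 1
    return count / seconds


def senders_supported(vps, rate=MESSAGES_PER_SENDER_PER_SECOND):
    """Concurrent broadcasters one core can verify at the given per-sender rate."""
    return int(vps // rate)


def benchmark(seconds=0.5):
    """Measure both schemes; returns {name: {"verifies_per_s": ..., "senders": ...}}."""
    results = {}
    for name, verify in make_verifiers().items():
        vps = verifies_per_second(verify, seconds)
        results[name] = {"verifies_per_s": vps, "senders": senders_supported(vps)}
    return results


def tampered_message_rejected():
    """Sanity check that a modified payload fails verification (Ed25519)."""
    key = ed25519.Ed25519PrivateKey.generate()
    sig = key.sign(MESSAGE)
    try:
        key.public_key().verify(sig, MESSAGE[:-1] + b"\x00")
    except InvalidSignature:
        return True
    return False


if __name__ == "__main__":
    for name, r in benchmark().items():
        print(f"{name:11s} {r['verifies_per_s']:9.0f} verify/s -> ~{r['senders']} senders at 10 msg/s")
```

The absolute numbers depend on the CPU and OpenSSL build, which is exactly why a working group should run this on its target hardware rather than argue from assumptions.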