Re: [Cfrg] ECC reboot (Was: When's the decision?)

Johannes Merkle <johannes.merkle@secunet.com> Fri, 17 October 2014 09:49 UTC

Message-ID: <5440E60A.8050505@secunet.com>
Date: Fri, 17 Oct 2014 11:48:58 +0200
From: Johannes Merkle <johannes.merkle@secunet.com>
To: Andy Lutomirski <luto@amacapital.net>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
References: <D065A817.30406%kenny.paterson@rhul.ac.uk> <543FF1A7.8030908@secunet.com> <544002AF.1020107@akr.io> <20141016180045.GA20823@LK-Perkele-VII> <CALCETrWJfEzvgV=LiAc4SFsbDGSFNxiJsMx2b2H8XTOn0bOsew@mail.gmail.com>
In-Reply-To: <CALCETrWJfEzvgV=LiAc4SFsbDGSFNxiJsMx2b2H8XTOn0bOsew@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/ie6Gp2A0820Wye_Mv9XqXW-pFQE
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] ECC reboot (Was: When's the decision?)

Andy Lutomirski wrote on 16.10.2014 20:06:
> Are the Brainpool curves really VPR?  They're certainly far better in
> that regard than the NIST curves, but the BADA55 paper points out
> correctly that the "verifiably" part is weak.

This assertion is very wrong, as I have already explained on this list. The BADA55 paper took much more freedom (in
several respects) than the Brainpool method did. It is also obvious that their approach worked only for one of the
relevant bit lengths.

As the NUMS paper correctly points out, there is no perfect rigidity, as a certain degree of freedom is inevitable (e.g.,
there are many proposals for curves where the coefficients had been chosen to be minimal, so this approach is not fully
rigid either). However, to call the rigidity of the Brainpool curves "weak" is a gross exaggeration.

The Brainpool curve generation method was not just made up by BSI, but was openly discussed and agreed upon within the
Brainpool group (which comprises a diversity of companies, academic institutions and public authorities), and there were
no objections or reservations expressed. By the way, one of the authors of the BADA55 paper participated in that process
and didn't express any objections either.

-- 
Johannes