IETF Logo Mail Archive

Re: [Cfrg] RFC 7748 on Elliptic Curves for Security

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 25 January 2016 18:43 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CEA51B38E5 for <cfrg@ietfa.amsl.com>; Mon, 25 Jan 2016 10:43:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NkDg7ssrFm5b for <cfrg@ietfa.amsl.com>; Mon, 25 Jan 2016 10:43:38 -0800 (PST)
Received: from mail-lf0-x229.google.com (mail-lf0-x229.google.com [IPv6:2a00:1450:4010:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BE1B1B38F2 for <cfrg@irtf.org>; Mon, 25 Jan 2016 10:43:37 -0800 (PST)
Received: by mail-lf0-x229.google.com with SMTP id m198so90687898lfm.0 for <cfrg@irtf.org>; Mon, 25 Jan 2016 10:43:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=sb5YicjyekfuNL9JcO/+wn0iv7Www91sYmMI6GCPfdE=; b=jivBCljl7rEKgs/o+uvL0+uDMWLjz7AET6PejR6fTACN+tx18aucSo5/CTmPhyOlG4 bU8eEf6CvVWiH9fVfEcDs3mWHsTGTat8kJETsO4mcw4LPEdDFtP6z5xUAO5jYD9WHHIt ph8GWcfdtF51f/Wwl0dhq8Risw5NqZBXuSHB1fve4zf2NsJX1xADfRDfP/ASEX7XaY5r 3Kth+AIOf+pwQukRzDQvr3KIA6jgxje0WW07N30Q1h1knHlyBpzkEvmOyVqvXCxMaSjP 4QConsHEJaNxTOQszBvh+Ls+m+YMqiBF4wsdAShpZAzpGlY+WmK2rHVV/fhUqVlzypRq fIYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=sb5YicjyekfuNL9JcO/+wn0iv7Www91sYmMI6GCPfdE=; b=K69shxbOUEA/+Cm5/EPsa2dTgQVyNpvwovPZyD5SZMfJr0NJYkrw/ha2DXyW+Yoq7V J7dJiJxelU0KMsDNTMfGothhuF0w19Oyj9oVkr5Xtcmrjw3uoBatMMsM2Q5DKCn315s8 Kg7ba0Yt6Pv7ywnE2JPtdoyUGwYzx8pc8DNtg3P1zIqX8/XvUeHuJS/fq/wh/FyZ0pLM C5uTYqgcOk5i8cRB8CzUg7IYGFtO3YMgUePIhkGrswgFz4NyZ8IW8/M8pbsjsaDwfEcf h0hIYAaX+NCQwGmCwZHxnPb8LQxHiQX2Z88207lSTifoIlZ15EgOjfC/BFp1xD6w1sNN hq8g==
X-Gm-Message-State: AG10YORqPCftlWe43c5ojU74KbiIPAO8W7Exe+KKhajT9+XakbwrUPx7SZJrG8N4cQpAPh5CQvrjJdhc8uop6g==
MIME-Version: 1.0
X-Received: by 10.25.168.15 with SMTP id r15mr5569619lfe.166.1453747415189; Mon, 25 Jan 2016 10:43:35 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.33 with HTTP; Mon, 25 Jan 2016 10:43:35 -0800 (PST)
In-Reply-To: <CACsn0c=G8_+CPivBv92Yj5js_F-6xdSSqS=yX7r3JaU4bPBFKw@mail.gmail.com>
References: <20160123002710.B4E4818045A@rfc-editor.org> <C8C1DF70-A138-42F9-8647-DAAE9ABD3779@netapp.com> <56A4B4EA.9030004@cs.tcd.ie> <CACsn0c=G8_+CPivBv92Yj5js_F-6xdSSqS=yX7r3JaU4bPBFKw@mail.gmail.com>
Date: Mon, 25 Jan 2016 13:43:35 -0500
X-Google-Sender-Auth: iF-eecCPzmLfBZCP0dVyRRB6x0s
Message-ID: <CAMm+LwhDiEpb-t4O1xWOw0+fWZnKTP3495BDG6zu-y9OCv4VXQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/izVvIys5PdwYT3wi8UYV22AkGn8>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] RFC 7748 on Elliptic Curves for Security
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jan 2016 18:43:40 -0000

I disagree.

The timeline in question began on Friday September 6th 2013. That was
the day that Glenn Greenwald revealed the existence of BULLRUN and the
attempts to sabotage open standards for crypto. It is a little over
two years since the initial discovery of the breach.

Until that point there was no reason to call into question the NSA
curves. And it was some time later that the DUAL_EC_RNG attack was
discovered. And it took people some time to decide on what the
appropriate response to the curve situation was.

The other bit of history here is that people have been peddling ECC
curves for almost 20 years without much interest in the broader
industry. The field has been clouded by purported IP claims that have
effectively poisoned the well for proposals.

Nor was it the case that Curve 25519 was a slam dunk proposition.
There was a very good argument for going with the completely rigid
curves proposed by Brian and his team. The CFRG was not asked to
standardize Curve 25519. On the contrary it was tasked with performing
a survey of options and picking one.

Congratulations to everyone involved and thanks for the work on what I
believe will become one of the key building blocks for future
cryptographic infrastructures.



On Mon, Jan 25, 2016 at 11:01 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
> On Sun, Jan 24, 2016 at 3:26 AM, Stephen Farrell
> <stephen.farrell@cs.tcd.ie> wrote:
>>
>>
>> On 24/01/16 08:47, Eggert, Lars wrote:
>>> Excellent work, all! This is one of the more important RFCs that the
>>> IRTF has published, and will have a direct impact on Internet user
>>> privacy.
>>
>> Indeed. Good work and thanks to all including those whose fav
>> curves didn't end up being part of the RFC - the debate, hard
>> and gnarly though it was, was also an important part of this.
>
> Really?
>
> This RFC comes some 10 years after the introduction of Curve25519, and
> some 5-6 years after everyone realized how simple it is to write
> crypto code when you actually care about making it simple. The
> existence of tools like signify and minilock was thankfully not
> dependent on our blessing, which in any case, because the result is
> Informational, apparently doesn't exist. (Nor for that matter was the
> adoption in OpenSSH dependent, etc., etc.)
>
> The process hasn't lead to increased support from industry, in fact
> the same players are now battling it out at NIST instead. I don't know
> that anyone who wasn't planning on supporting Curve25519 before this
> discussion is going to introduce it now over their own prefered
> alternative, or that it even matters for "Internet user privacy".
> Let's Encrypt has had far more of an impact, by ending an ill-thought
> out experiment in charging people money to secure their websites. The
> various attacks enabled by the bugs in implementations in the NIST
> curves generally require some precise targeting: they are not "let's
> decrypt all the data on the Internet".
>
> Blake2 didn't have to go through anything like this. Nor did Camelia,
> nor the various national elliptic curve standards. I'm glad we are
> done with this, but let's not be self-congratulatory about our impact,
> which in this case has been extremely negative.
>
>>
>> S
>>
>>>
>>> Lars
>>>
>>> On 2016-01-23, at 1:27, rfc-editor@rfc-editor.org wrote:
>>>>
>>>> A new Request for Comments is now available in online RFC
>>>> libraries.
>>>>
>>>>
>>>> RFC 7748
>>>>
>>>> Title:      Elliptic Curves for Security Author:     A. Langley, M.
>>>> Hamburg, S. Turner Status:     Informational Stream:     IRTF Date:
>>>> January 2016 Mailbox:    agl@google.com, mike@shiftleft.org,
>>>> sean@sn3rd.com Pages:      22 Characters: 39298
>>>> Updates/Obsoletes/SeeAlso:   None
>>>>
>>>> I-D Tag:    draft-irtf-cfrg-curves-11.txt
>>>>
>>>> URL:        https://www.rfc-editor.org/info/rfc7748
>>>>
>>>> DOI:        http://dx.doi.org/10.17487/RFC7748
>>>>
>>>> This memo specifies two elliptic curves over prime fields that
>>>> offer a high level of practical security in cryptographic
>>>> applications, including Transport Layer Security (TLS).  These
>>>> curves are intended to operate at the ~128-bit and ~224-bit
>>>> security level, respectively, and are generated deterministically
>>>> based on a list of required properties.
>>>>
>>>> This document is a product of the Crypto Forum Research Group of
>>>> the IRTF.
>>>>
>>>>
>>>> INFORMATIONAL: This memo provides information for the Internet
>>>> community. It does not specify an Internet standard of any kind.
>>>> Distribution of this memo is unlimited.
>>>>
>>>> This announcement is sent to the IETF-Announce, rfc-dist and
>>>> IRTF-Announce lists.To subscribe or unsubscribe, see
>>>> https://www.ietf.org/mailman/listinfo/ietf-announce
>>>> https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
>>>> https://www.irtf.org/mailman/listinfo/irtf-announce
>>>>
>>>> For searching the RFC series, see
>>>> https://www.rfc-editor.org/search For downloading RFCs, see
>>>> https://www.rfc-editor.org/rfc.html
>>>>
>>>> Requests for special distribution should be addressed to either
>>>> the author of the RFC in question, or to rfc-editor@rfc-editor.org.
>>>> Unless specifically noted otherwise on the RFC itself, all RFCs are
>>>> for unlimited distribution.
>>>>
>>>>
>>>> The RFC Editor Team Association Management Solutions, LLC
>>>>
>>>>
>>>
>>>
>>>
>>> _______________________________________________ Cfrg mailing list
>>> Cfrg@irtf.org https://www.irtf.org/mailman/listinfo/cfrg
>>>
>>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
>
>
>
> --
> "Man is born free, but everywhere he is in chains".
> --Rousseau.
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email