Re: [Cfrg] ECC reboot (Was: When's the decision?)

David Leon Gil <> Fri, 17 October 2014 19:19 UTC

On Fri, Oct 17, 2014 at 11:24 AM, Hallof, Andreas
<> wrote:
> If, independent from each other, three different chipcard manufacturers tell me they prefer using curves with random primes, then this tells me something.

It tells you that, like most semiconductor companies, they are
cheapskates. They would rather you continue to use their (existing)
inadequately protected solutions, so that they can save on design

If they can cite published work that shows that a higher level of
assurance can be achieved, given a correctly implemented masking
scheme, by using a random prime, they are free to share one.

(The previous citation from the manufacturers, AFAIK, shows an attack
on the sort of blinding scheme Joye and others have demonstrated is
inadequate -- and which does not even pass a basic smell test.)