Re: [Cfrg] ECC reboot (Was: When's the decision?)

Watson Ladd <> Fri, 17 October 2014 16:23 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 828EA1A1BC6 for <>; Fri, 17 Oct 2014 09:23:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OBGMuf5iOndW for <>; Fri, 17 Oct 2014 09:23:23 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4002:c07::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7063F1A1BA9 for <>; Fri, 17 Oct 2014 09:23:23 -0700 (PDT)
Received: by with SMTP id 200so479571ykr.24 for <>; Fri, 17 Oct 2014 09:23:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=PmwK3ZP4A5IyAC5RPh3GGpQyfTO8zY9GNWVo0yrKO5I=; b=k5hYXgwupCFkQQgzDmW221yIqcXxIBcvnt14lOzYxnQd1bYi+JCDvpJM1cLC6NhHYH 51RSmUfWXuiIJsR18ZGbm4o3TFmGOdySMELYOBK11pR9TCWlNtiLBO8jzyWFCcP99491 zt3olcf1nktsvOjHGaiRctS2Nn5keSIcHF51u2Sx/cgXr5eV5NoZIpGLuk11AnS49G+6 NaXKUc7TBUtD+LE0M4/VcUjs7SoJXuivzITia1I+VbinB+X6GX+ONbQpYWRPdSY+hB8M uoZhq4bLCRcMIMKJNRKioLL/b3BgysMzlbbF/WkmQ+yOlNEbenO9acvwaJ58a0l66/hq LG9Q==
MIME-Version: 1.0
X-Received: by with SMTP id s25mr5681426yhs.138.1413563002690; Fri, 17 Oct 2014 09:23:22 -0700 (PDT)
Received: by with HTTP; Fri, 17 Oct 2014 09:23:22 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <20141017094755.GA29915@LK-Perkele-VII> <>
Date: Fri, 17 Oct 2014 09:23:22 -0700
Message-ID: <>
From: Watson Ladd <>
To: "Hallof, Andreas" <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: "" <>
Subject: Re: [Cfrg] ECC reboot (Was: When's the decision?)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 17 Oct 2014 16:23:25 -0000

On Fri, Oct 17, 2014 at 9:13 AM, Hallof, Andreas
<> wrote:
>> And what's wrong with just using Brainpool for implementations that need random primes for extended side channel resistance?
> Nothing is wrong about that.
> The point that Mr. Merkle is addressing, is that there is a huge world outside PC/Server-based TLS-Authentication.
> I have the impression the current discussion at the cfrg is too narrowly focused on software implementations in unconstrained environments with only global timing SCA.
> In the infrastructure surrounding the german eHealth-Card the majority of all TLS-Connection are based on smartcards on one communication-endpoint (the other being a server / non-smartcards).
> The same is true for the smartmeter-infrastructure.
> Like it is stated in a result of the current discussion at the cfrg could be that there are two sets of curves.
> I have the impression the Brainpool-group would happily accept/(=> switch to) the one set (with random primes), that has the necessary cryptographic properties.
> Thus reducing the implementation-costs at smartcards, Web-browsers, servers etc..

What sort of decision do you think we are going to make? We obviously
cannot remove curves. So Brainpool will remain in TLS. The question is
about curves which make software implementations easier and faster.
Why does hardware matter for the choice we are going to make?

>> Performance.
> If a ECDSA-Brainpool-based-signaturecreation cost around 90 ms on a cheap smartcard, it is of little concern to me if it would be 20% faster or slower.
> SCA-resistance is a concern for me.
> Regards,
>  Andreas Hallof
> --
> Andreas Hallof, Datenschutz und Datensicherheit / Kryptographie
> -----Ursprüngliche Nachricht-----
> Von: Cfrg [] Im Auftrag von Ilari Liusvaara
> Gesendet: Freitag, 17. Oktober 2014 11:48
> An: Johannes Merkle
> Cc:
> Betreff: Re: [Cfrg] ECC reboot (Was: When's the decision?)
> On Fri, Oct 17, 2014 at 11:21:43AM +0200, Johannes Merkle wrote:
>> Alyssa Rowan wrote on 16.10.2014 19:38:
>> > I can see why they might want that, if VPR is the most convenient
>> > for their implementations - but from what I see from the hesitant
>> > adoption of Brainpool in the wider community,
>> this assertion is only true for software implementations. Brainpool
>> curves are used by more than 50 million smart cards rolled out and
>> several vpn solutions (e.g., based on IPSec) widely used within German
>> and EU public authorities.
> And what's wrong with just using Brainpool for implementations that need random primes for extended side channel resistance? Not rigid enough? Not standard enough?
> For software implementations only needing defenses against software attack (including attacks from different process in the same host/VM) there is plenty wrong with using Brainpool.
> If attacker can get enough access to pull off EM attacks against most of the endpoints, one has more severe problems than software vulernable to EM attack.
> There is a good reason (singular!) why NIST/NSA curves are used far far more in TLS than Brainpool, despite there being codepoints for both:
> Performance.
> -Ilari
> _______________________________________________
> Cfrg mailing list
> _______________________________________________
> Cfrg mailing list

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin