Re: [Cfrg] ECC reboot (Was: When's the decision?)

[Watson Ladd <watsonbladd@gmail.com>]

On Fri, Oct 17, 2014 at 9:13 AM, Hallof, Andreas
<Andreas.Hallof@gematik.de> wrote:
>> And what's wrong with just using Brainpool for implementations that need random primes for extended side channel resistance?
> Nothing is wrong about that.
>
> The point that Mr. Merkle is addressing, is that there is a huge world outside PC/Server-based TLS-Authentication.
> I have the impression the current discussion at the cfrg is too narrowly focused on software implementations in unconstrained environments with only global timing SCA.
>
> In the infrastructure surrounding the german eHealth-Card the majority of all TLS-Connection are based on smartcards on one communication-endpoint (the other being a server / non-smartcards).
> The same is true for the smartmeter-infrastructure.
>
> Like it is stated in http://eprint.iacr.org/2014/832 a result of the current discussion at the cfrg could be that there are two sets of curves.
> I have the impression the Brainpool-group would happily accept/(=> switch to) the one set (with random primes), that has the necessary cryptographic properties.
> Thus reducing the implementation-costs at smartcards, Web-browsers, servers etc..

What sort of decision do you think we are going to make? We obviously
cannot remove curves. So Brainpool will remain in TLS. The question is
about curves which make software implementations easier and faster.
Why does hardware matter for the choice we are going to make?

>
>> Performance.
> If a ECDSA-Brainpool-based-signaturecreation cost around 90 ms on a cheap smartcard, it is of little concern to me if it would be 20% faster or slower.
> SCA-resistance is a concern for me.
>
>
> Regards,
>  Andreas Hallof
>
> --
> Andreas Hallof, Datenschutz und Datensicherheit / Kryptographie
>
> -----Ursprüngliche Nachricht-----
> Von: Cfrg [mailto:cfrg-bounces@irtf.org] Im Auftrag von Ilari Liusvaara
> Gesendet: Freitag, 17. Oktober 2014 11:48
> An: Johannes Merkle
> Cc: cfrg@irtf.org
> Betreff: Re: [Cfrg] ECC reboot (Was: When's the decision?)
>
> On Fri, Oct 17, 2014 at 11:21:43AM +0200, Johannes Merkle wrote:
>>
>> Alyssa Rowan wrote on 16.10.2014 19:38:
>> > I can see why they might want that, if VPR is the most convenient
>> > for their implementations - but from what I see from the hesitant
>> > adoption of Brainpool in the wider community,
>>
>> this assertion is only true for software implementations. Brainpool
>> curves are used by more than 50 million smart cards rolled out and
>> several vpn solutions (e.g., based on IPSec) widely used within German
>> and EU public authorities.
>
> And what's wrong with just using Brainpool for implementations that need random primes for extended side channel resistance? Not rigid enough? Not standard enough?
>
>
> For software implementations only needing defenses against software attack (including attacks from different process in the same host/VM) there is plenty wrong with using Brainpool.
>
> If attacker can get enough access to pull off EM attacks against most of the endpoints, one has more severe problems than software vulernable to EM attack.
>
> There is a good reason (singular!) why NIST/NSA curves are used far far more in TLS than Brainpool, despite there being codepoints for both:
> Performance.
>
>
> -Ilari
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin