Re: [Cfrg] Curve selection revisited

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 31 July 2014 19:26 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 138031A000F for <cfrg@ietfa.amsl.com>; Thu, 31 Jul 2014 12:26:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DlaJ5Va2QvQi for <cfrg@ietfa.amsl.com>; Thu, 31 Jul 2014 12:26:15 -0700 (PDT)
Received: from mail-lb0-x22a.google.com (mail-lb0-x22a.google.com [IPv6:2a00:1450:4010:c04::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 867D11A000B for <cfrg@irtf.org>; Thu, 31 Jul 2014 12:26:15 -0700 (PDT)
Received: by mail-lb0-f170.google.com with SMTP id w7so2407843lbi.15 for <cfrg@irtf.org>; Thu, 31 Jul 2014 12:26:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=KRFa8g8KAIysJXL4qoSxUTBQ05nm3ircRZao56r/Psg=; b=DYO6J9LaXiHysHNMJlU+oDtSTB+7mKsbT+BcCOCiiM4vug1tN2dQikb1J2SzUFT4kQ WZHcxXBsIkJ43RwGx5f0chwJ/mTONE9FdYZhyxydTIlWInZwxxHMjQgO9OpmJmEIoiJL wt6J4ZXkfMLyq2psStYW7B5LRaPtv2NITBWa5xgV2Em4zWE5IFbcYul2bJga+vydTQ5I 7CJ9J0XPopGo1cfZNRt7xIa9CAVTXFAJZRyAm2dqvOJA6iW3YclmjYAL4xrITiFPwcow fZE7vALu3nFQHZJzOAd1pmqGNabph2edOR25G1qXe1KL4wMiqfQAOcnfPOdcL50ARvO6 13eQ==
MIME-Version: 1.0
X-Received: by 10.112.161.72 with SMTP id xq8mr321956lbb.18.1406834773655; Thu, 31 Jul 2014 12:26:13 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.122.50 with HTTP; Thu, 31 Jul 2014 12:26:13 -0700 (PDT)
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C718599EE43A@USMBX1.msg.corp.akamai.com>
References: <CA+Vbu7xroa68=HOZtbf=oz7kK2EeUv_z1okpnjxHPR0ZtHD5cA@mail.gmail.com> <CFF7E184.28E9F%kenny.paterson@rhul.ac.uk> <53D2781B.8030605@sbcglobal.net> <CACsn0ckqFigWoH2+OOEHSd2VWPp8y6=m8H5OsFRyjXmjK7+m4w@mail.gmail.com> <CABqy+srxMNuG0AaQd0SaegHvZWgbW762EQq+iAHL_fbu6sOJJQ@mail.gmail.com> <53D420B3.10707@brainhub.org> <CABqy+so6JcL3drjXuiQfLhm-LPMOJuS9ES5Hyb1UQRhi-gV2jA@mail.gmail.com> <620BB268-735C-4204-9788-88E1D244CABB@vigilsec.com> <2A0EFB9C05D0164E98F19BB0AF3708C718599EE43A@USMBX1.msg.corp.akamai.com>
Date: Thu, 31 Jul 2014 15:26:13 -0400
X-Google-Sender-Auth: Q6dJnItasa-PU8e138uQxDuLnis
Message-ID: <CAMm+LwgYWP5KkM4bPNbArEFwWNB=52XZA2ckQxvYLB0tRTcKNA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/kiu_OexL4PhEBJxYDfkQP2Fi1IE
Cc: IRTF CFRG <cfrg@irtf.org>, Russ Housley <housley@vigilsec.com>
Subject: Re: [Cfrg] Curve selection revisited
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jul 2014 19:26:17 -0000

On Thu, Jul 31, 2014 at 1:18 PM, Salz, Rich <rsalz@akamai.com> wrote:
>> I would like to see us use of the same curve for digital signature and key
>> agreement.  This provides obvious modularity, and it seems to fit well with
>> the security protocols that already have support for ECC.
>
> I don't want this requirement because I'd like to use 25519 for DH-style key exchange, without having to give up whatever "standard" curves are being used for signature.  I find the "system" approach to Curve25519 appealing, and the efficiency -- where we might have 100's of hosts on a single IP address with their own PFS requirements -- compelling.

I don't see that there is a need for a WF128 digital signature scheme
that is backwards compatible.

For existing uses of Digital Signatures where I am currently using
RSA2048 I will switch to WF256 curves and those are the ones where
backwards compatibility matters. There isn't a security argument to
switch from RSA2048 to curve25519 and I don't see the performance
argument as being a good one for where we are already using crypto.

It does make sense to do digital signatures for a WF128 curve because
there may well be applications that a higher performance curve will
enable.