Re: [Cfrg] Curve selection revisited

Phillip Hallam-Baker <> Thu, 31 July 2014 19:26 UTC

To: "Salz, Rich" <>
Cc: IRTF CFRG <>, Russ Housley <>

On Thu, Jul 31, 2014 at 1:18 PM, Salz, Rich <> wrote:
>> I would like to see us use the same curve for digital signature and key
>> agreement.  This provides obvious modularity, and it seems to fit well with
>> the security protocols that already have support for ECC.
> I don't want this requirement because I'd like to use 25519 for DH-style key exchange, without having to give up whatever "standard" curves are being used for signature.  I find the "system" approach to Curve25519 appealing, and the efficiency -- where we might have 100's of hosts on a single IP address with their own PFS requirements -- compelling.

I don't see that there is a need for a WF128 digital signature scheme
that is backwards compatible.

For existing uses of Digital Signatures where I am currently using
RSA2048 I will switch to WF256 curves and those are the ones where
backwards compatibility matters. There isn't a security argument to
switch from RSA2048 to curve25519 and I don't see the performance
argument as being a good one for where we are already using crypto.

It does make sense to do digital signatures for a WF128 curve because
there may well be applications that a higher performance curve will