Re: [Cfrg] Safecurves draft

Dan Brown <dbrown@certicom.com> Thu, 09 January 2014 03:12 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FEC91AE051 for <cfrg@ietfa.amsl.com>; Wed, 8 Jan 2014 19:12:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hykycuL4XhuX for <cfrg@ietfa.amsl.com>; Wed, 8 Jan 2014 19:11:59 -0800 (PST)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id AD6501ADD9D for <cfrg@irtf.org>; Wed, 8 Jan 2014 19:11:59 -0800 (PST)
Received: from xct108cnc.rim.net ([10.65.161.208]) by mhs210cnc.rim.net with ESMTP/TLS/AES128-SHA; 08 Jan 2014 22:11:47 -0500
Received: from XCT109CNC.rim.net (10.65.161.209) by XCT108CNC.rim.net (10.65.161.208) with Microsoft SMTP Server (TLS) id 14.3.158.1; Wed, 8 Jan 2014 22:11:46 -0500
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT109CNC.rim.net ([::1]) with mapi id 14.03.0123.003; Wed, 8 Jan 2014 22:11:46 -0500
From: Dan Brown <dbrown@certicom.com>
To: Watson Ladd <watsonbladd@gmail.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Safecurves draft
Thread-Index: Ac8M6Ibt48XsiGAM+kqRNk65o+wAjw==
Date: Thu, 9 Jan 2014 03:11:45 +0000
Message-ID: <20140109031144.6111382.52184.8264@certicom.com>
Accept-Language: en-CA, en-US
Content-Language: en-CA
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="us-ascii"
Content-ID: <BD51F2A6702EBB438F40BBF35BB5967E@rim.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Subject: Re: [Cfrg] Safecurves draft
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2014 03:12:01 -0000

I don't object to these curves.

Still, could we please call these curves something more specific and neutral than just "safe"?

Aren't many other curves safe so far as we know?

For example, take the Brainpool curves, use a Montgomery (Brier-Joye?) ladder, and an extra careful implementation, and do ECDHE, with some other kind of safe auth. Is that not safe?

Indeed, what about the NIST curves?

Implying them to be unsafe in the sense of a weak DLP implies a hypotheses that mildly reduces the conventional notion of security for all ECC.

Anyway, I debated all this already with Bernstein over at the TLS list, with virtually no  agreement confirmed. For now, I'll try to focus on the naming issue.

Is it that "safe" means something less than "secure" in the conventional sense above? And safe is the best that can be hoped for in ECC, and maybe all PKC? That's just too strong to say.

To be constructive, I suggest a name: "minimal - coefficient Montgomery" curves. Implicit in this name is that minimality is subject avoiding known DLP attacks, though the Monty should tip one of the crypto app. The short name could be "mini Monty".

From: Watson Ladd
Sent: Wednesday, January 8, 2014 12:11 PM
To: cfrg@irtf.org
Subject: [Cfrg] Safecurves draft


Dear all,
draft-ladd-safecurves contains the Safecurves with orders
2^255+\epsilon and higher.
I forgot to update the TOC, but that shouldn't stop the substantive
conversation.

Does anyone object to these curves being approved for IETF standard
body use/typos/general nastiness?
Sincerely,
Watson Ladd
_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
http://www.irtf.org/mailman/listinfo/cfrg
---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.