Re: [Cfrg] Safecurves draft

Dan Brown <> Thu, 09 January 2014 03:12 UTC


I don't object to these curves.

Still, could we please call these curves something more specific and neutral than just "safe"?

Aren't many other curves safe so far as we know?

For example, take the Brainpool curves, use a Montgomery (Brier-Joye?) ladder, and an extra careful implementation, and do ECDHE, with some other kind of safe auth. Is that not safe?

Indeed, what about the NIST curves?

Implying them to be unsafe in the sense of a weak DLP implies a hypothesis that mildly reduces the conventional notion of security for all ECC.

Anyway, I debated all this already with Bernstein over at the TLS list, with virtually no agreement confirmed. For now, I'll try to focus on the naming issue.

Is it that "safe" means something less than "secure" in the conventional sense above? And safe is the best that can be hoped for in ECC, and maybe all PKC? That's just too strong to say.

To be constructive, I suggest a name: "minimal-coefficient Montgomery" curves. Implicit in this name is that minimality is subject to avoiding known DLP attacks, though the Monty should tip one of the crypto app. The short name could be "mini Monty".

From: Watson Ladd
Sent: Wednesday, January 8, 2014 12:11 PM
Subject: [Cfrg] Safecurves draft

Dear all,
draft-ladd-safecurves contains the Safecurves with orders
2^255+\epsilon and higher.
I forgot to update the TOC, but that shouldn't stop the substantive

Does anyone object to these curves being approved for IETF standard
body use/typos/general nastiness?
Watson Ladd