Re: [Cfrg] "Abandoning ECC" — Any replies to "A riddle wrapped in a curve"?

Tao Effect <contact@taoeffect.com> Fri, 23 October 2015 04:17 UTC

From: Tao Effect <contact@taoeffect.com>
In-Reply-To: <CAHOTMVJ2hoq5=Hh2tjGUWe3FGn-xX-gr5Gvn2h_RW8TwC3d8jA@mail.gmail.com>
Date: Thu, 22 Oct 2015 21:17:51 -0700
Message-Id: <2A7031F3-0C0A-4C5F-A893-B63021CCAD16@taoeffect.com>
References: <95750F19-2233-4CE9-BD91-6B1AA0C91F16@taoeffect.com> <CAHOTMVJ2hoq5=Hh2tjGUWe3FGn-xX-gr5Gvn2h_RW8TwC3d8jA@mail.gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/lT7930KVdF-86O3w0MqSoF_dB2U>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] "Abandoning ECC" — Any replies to "A riddle wrapped in a curve"?

Hey Tony,

Thanks very much, that was very well written.

> I am not sure why you are quoting the phrase "Abandoning ECC" in the subject line of your email as it appears in neither the Matt Green blog post nor the Koblitz paper

I didn’t mean it as a direct quote, but rather I quoted it to … quote the idea, the concept. To indicate, in other words, that I was not personally advocating that such a thing be done.

Cheers,
Greg

> On Oct 22, 2015, at 9:06 PM, Tony Arcieri <bascule@gmail.com> wrote:
> 
> Hi Greg,
> 
> I think some context and basic fact-checking is in order.
> 
> I read the Koblitz paper[1] before Matt Green blogged about it and have been discussing it with several people, and found it rather interesting; however, much of what it describes is about the early history of ECC (particularly in the 1990s) and the "verifiably random" process used by NIST for generating their curves. I'd say Brainpool used a similar process, but it turns out that if you actually try to verify their curves, they screwed up[2].
> 
> I am not sure why you are quoting the phrase "Abandoning ECC" in the subject line of your email, as it appears in neither the Matt Green blog post nor the Koblitz paper, and if you actually read the Koblitz paper, hypothetical claims that we should "abandon ECC altogether" (actually in the paper) are countered by phrasing like "This scenario is highly implausible for several reasons" and claims that it is "preferable to use other curves (either the Edwards curves recommended by Bernstein-Lange [5, 6], or the curves being promoted by the Microsoft group [10], or perhaps some others)", which is exactly what the CFRG is doing. The "rigid" curve generation guidelines described in draft-irtf-cfrg-curves were the subject of a painful, rather long bikeshedding debate; however, I think the result is a foundation for trust in next-generation ECC standards which are not susceptible to the sorts of attacks discussed in the Koblitz paper, and in fact the paper specifically calls out curves generated in this fashion as being such.
> 
> The larger concern cited by both the Koblitz paper and Matt Green's blog post is that the NSA feels it is urgent to move to post-quantum cryptography. I'll quote Matt Green:
> 
> "despite the fact that quantum computers seem to be a long ways off and reasonable quantum-resistant replacement algorithms are nowhere to be seen, NSA decided to make this announcement publicly and not quietly behind the scenes. Weirder still, if you haven’t yet upgraded to Suite B, you are now being urged not to. In practice, that means some firms will stay with algorithms like RSA rather than transitioning to ECC at all. And RSA is also vulnerable to quantum attacks."
> 
> This is a legitimate concern, and perhaps ECC is not long for this world, but if the threat is large quantum computers which can break the ECC algorithms we use today, RSA and all other "pre-quantum" algorithms will be affected too. And per Matt Green: the post-quantum algorithms are not only slow but we are still not certain of their security properties.
> 
> If anything, I hope the takeaway for the CFRG is that, after the current ECC standardization work is done, it would perhaps be prudent to move on to evaluating post-quantum algorithms and standardizing them for use in e.g. TLS. I suspect this is probably already on the chairs' roadmap.
> 
> [1]: https://eprint.iacr.org/2015/1018.pdf
> [2]: http://bada55.cr.yp.to/brainpool.html