Re: [Cfrg] Progress on curve recommendations for TLS WG

Johannes Merkle <> Fri, 15 August 2014 16:41 UTC

Date: Fri, 15 Aug 2014 18:41:29 +0200
From: Johannes Merkle <>
To: Watson Ladd <>

Watson Ladd wrote on 15.08.2014 16:29:
>> It is important that, whatever curves CFRG selects, anyone can feel
>> comfortable with their rigidity and that there will be no doubts about
>> their security and the lack of back-doors. The BADA55 paper and the post
>> I was responding to, though intended to be provocative and entertaining,
>> introduce FUD in that respect and are counter-productive. I am quite sure
>> that one could also construct a "one in a million curve" using a seed-less
>> approach very similar to curve25519, but this would only introduce more
>> unjustified discredit and FUD.
> Hic rhodes, hic saltus.

Consider Dan Brown's construction as an example. You may consider his construction artificial, as he considers attacks
that are already known. However, this is exactly my point: you can find such examples if you stretch the boundaries of
the scope in order to increase the degrees of freedom. In order to create sufficient flexibility, the BADA55 paper has
generalized the method(s) of ANSI and Brainpool in many aspects, but these generalizations are much less natural and
straightforward than the original approaches. In the same vein, one could slightly modify the rules for selecting the
curve parameters used in a seed-less approach, and this generalization would certainly provoke your criticism as not
being straightforward. So we would arrive at an example that does not really show anything but could easily be mistaken
by someone with less insight (e.g. the press) and lead them to wrongly conclude that the seed-less approach is generally suspicious.
This FUD effect would be bad.

For this reason, I tried to appeal to stop this unfortunate discussion in which contrived examples are used to discredit
much more straightforward approaches, but unfortunately, my post seems to have stimulated it.