Re: [Cfrg] FourQ draft now available
Watson Ladd <watsonbladd@gmail.com> Fri, 23 September 2016 16:46 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F72C12BBF1 for <cfrg@ietfa.amsl.com>; Fri, 23 Sep 2016 09:46:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EoQCCh2-vwzJ for <cfrg@ietfa.amsl.com>; Fri, 23 Sep 2016 09:46:29 -0700 (PDT)
Received: from mail-ua0-x22b.google.com (mail-ua0-x22b.google.com [IPv6:2607:f8b0:400c:c08::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F10BD12BC4E for <cfrg@irtf.org>; Fri, 23 Sep 2016 09:46:27 -0700 (PDT)
Received: by mail-ua0-x22b.google.com with SMTP id 15so48597665uai.3 for <cfrg@irtf.org>; Fri, 23 Sep 2016 09:46:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=9u2dFLmAW2Vh+e9CKi8RWhHsiwFsTEwKTtiH8ySd2ns=; b=ZN9LeYC3CDIxzaeSuPLEK5ctvG8tLJAPOUA8SK+sz9ByAd7dcaq3MowiBmy7u0t+x+ M/p2jR+dDFZSCFrD0MjhsavLsxz4BVUvFxZQw+md++PvGgCaro2vl3cHF39hE1cIkMGa pISMRfrJBXPq8+23z5JbST0xYeSS24JRuWDfyP8zBrDOTF3yN91k8xFJDkr/dd6C5juQ MHafG9oYMhNZ1/fEO6dhD1ZrcQrQ5vr7y3ohGGwJ6392ipZEcGfqTV4D0C741de9c1qw fiyd3hMcbPcDaSyvovdV+T/p2oAYQ45YpKNq6XMh5eBPcr9AZzEJgE3Hqvj8AUzKTPRO JBzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=9u2dFLmAW2Vh+e9CKi8RWhHsiwFsTEwKTtiH8ySd2ns=; b=TaPo2846ib7gSHVu6IYXOIgvhFMZv3oluh0er4NaSZZXd6Fw6fA+hwocg6bdmXkvFz bbtKRRMA3amNwlf2NU7KEwMdE4ehykKo/S7PfKL1hGvRnELdk+MiMmaX8jC0q3EOQnxL bp4nq+wtwg+eKcODhYxYNbYqHEQw2jIvPnMVIytsFcwWZco97NH4Xx+VQKE70psLApYi NwrkIcjX8Wy0s6xNjdqjFwa2dDxtDhvzCHXBg5fCn2KVrMjrYq2WGenQduLLUQlPl7nD lLygzBDjOEMICzTlJiI/poghy6q+lHD7HBqI5x7PdiXh3p98Wo96lRC+NOAb6moFJ3KG IrGw==
X-Gm-Message-State: AA6/9RmatEdUIbi1YJC1/TnOUCikSpGarpsURQn6WGUdK6e7Imy9l00maujQKEysRmrO0S9JrFnpind9wCmIrA==
X-Received: by 10.159.35.120 with SMTP id 111mr5381926uae.81.1474649187068; Fri, 23 Sep 2016 09:46:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.4.102 with HTTP; Fri, 23 Sep 2016 09:46:25 -0700 (PDT)
Received: by 10.176.4.102 with HTTP; Fri, 23 Sep 2016 09:46:25 -0700 (PDT)
In-Reply-To: <20160923084927.2fdaf023@hboeck.de>
References: <CACsn0cnhf2MBm2uBB=-LgwJYM7_tB_3B9DHdAhvU9sZkwD4MGA@mail.gmail.com> <20160923084927.2fdaf023@hboeck.de>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 23 Sep 2016 09:46:25 -0700
Message-ID: <CACsn0cmL3Zsww2=SZs9SVdrKx5A8k6o4dObah+4h0NX1NZfoaA@mail.gmail.com>
To: Hanno Böck <hanno@hboeck.de>
Content-Type: multipart/alternative; boundary="001a1136e204f6b2b9053d2f84be"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/mCqb-dCm9cr8R6zk_BhNEbaNQHc>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] FourQ draft now available
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Sep 2016 16:46:31 -0000
On Thu, Sep 22, 2016 at 11:49 PM, Hanno Böck <hanno@hboeck.de> wrote: > Hi, > > On Thu, 22 Sep 2016 07:05:31 -0700 > Watson Ladd <watsonbladd@gmail.com> wrote: > >> We would like to announce draft-ladd-cfrg-4q-00, which presents a >> high-speed Diffie-Hellman key agreement based on the elliptic curve >> FourQ. > [...] >> We hope this draft sees its way to an RFC soon. > > I wonder if this is something that should really happen. > > Having more choices of cryptographic constructions is imho not always > good. It has a cost: More code, more complexity, more stuff to analyze. > Therefore each new cryptographic primitive that gets introduced needs a > good justification. I'm not sure I see this here. If you don't want to support it, don't do so. > > We just introduced curve25519/448 and many people are moving to them. > In the more or less far future we'll probably see movements to some kind > post quantum cryptography. So I only see a relatively small time window > where this curve will be used, therefore I'd like to see more > justification why we should standardize it. > > From what I see the major advantage is that FourQ is supposed to be > faster than curve25519. On the flipside I see this: > > Implementations MUST check that input points properly decompress to > points on the curve. Removing such checks may result in extremely > effective attacks. The curve is not twist-secure: implementations > using single coordinate ladders MUST validate points before operating > on them. > > From my limited understanding of ecc security this means we introduce a > new elliptic curve which is faster than curve25519, but much more prone > to implementation security flaws. > > I'm not saying I'm strictly against standardizing this, but if it's > going to happen I'd like to see better justifications. Where do you see > that curve being used? Are there scenarios where the performance > improvements matter, as in "we would like to add crypto to X, but > curve25519-based crypto just isn't fast enough"? Do you see this > realistically to be used in TLS or other major protocols? Are there > other people on this list that have concrete plans to implement this in > their product/protocol? One of the high-profile uses of Curve25519 is in locking the disk of an iPhone (do we have a flash compatible term for that yet). This requires a public key operation on the receipt of any push message, which directly impacts battery life. With IoT many more devices will have quiescent states, until an event happens which they need to quickly process. Realistically it could be used in TLS. Plenty of little known national curves are. But I think a lot of applications are more demanding then TLS on crypto performance. > > -- > Hanno Böck > https://hboeck.de/ > > mail/jabber: hanno@hboeck.de > GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > -- "Man is born free, but everywhere he is in chains". --Rousseau.
- [Cfrg] FourQ draft now available Watson Ladd
- Re: [Cfrg] FourQ draft now available Michael StJohns
- Re: [Cfrg] FourQ draft now available Alyssa Rowan
- Re: [Cfrg] FourQ draft now available Hanno Böck
- Re: [Cfrg] FourQ draft now available Salz, Rich
- Re: [Cfrg] (SPAM) Re: FourQ draft now available Erwann Abalea
- Re: [Cfrg] (SPAM) Re: FourQ draft now available Hanno Böck
- Re: [Cfrg] FourQ draft now available Watson Ladd
- Re: [Cfrg] FourQ draft now available Hanno Böck
- Re: [Cfrg] FourQ draft now available David Jacobson
- Re: [Cfrg] FourQ draft now available Watson Ladd
- Re: [Cfrg] FourQ draft now available William Whyte