Re: [Cfrg] Task looming over the CFRG

Watson Ladd <watsonbladd@gmail.com> Mon, 05 May 2014 23:12 UTC

In-Reply-To: <3C4AAD4B5304AB44A6BA85173B4675CABAA4022F@MSMR-GH1-UEA03.corp.nsa.gov>
References: <3C4AAD4B5304AB44A6BA85173B4675CABAA4022F@MSMR-GH1-UEA03.corp.nsa.gov>
Date: Mon, 05 May 2014 16:12:02 -0700
Message-ID: <CACsn0ckenF3ps-sUmwD8QAQQVpSdsLc7KZX+FpZWuD8nXnLQTA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Igoe, Kevin M." <kmigoe@nsa.gov>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/mEvUT5rXeEcTGexYgQ21hgsVEa8
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Task looming over the CFRG

On Mon, May 5, 2014 at 10:58 AM, Igoe, Kevin M. <kmigoe@nsa.gov> wrote:
> As most of the folks who read this list have noticed, a virtual interim
> meeting of the CFRG was held on Tues 29 April to discuss the way forward
> for elliptic curve cryptography in the IETF.  This was driven by an
> earnest plea from the TLS WG for firm guidance from the CFRG on the
> selection of elliptic curves for use in TLS.  They need an answer before
> the Toronto IETF meeting in late July.  TLS needs curves for several
> levels of security (128, 192 and 256), suitable for use in both key
> agreement and in digital signatures.

Digital signatures are a bit hairy because of the issue of certs: you
end up needing to support more curves than you would think you would
going in. But yes, we should discuss adopting more Schnorr-like
mechanisms than ECDSA: the patents that forced ECDSA to look the way
it did are long gone. However, that's not what the current TLS draft
is about: it's purely addressing key exchange. Certificate changes
will be a bit more work.

>
> The consensus of the attendees was that it would be best for TLS to have
> a single “mandatory to implement” curve for each of the three security
> levels.
>
> Though the attendees were reluctant to make a formal commitment, there
> was clearly a great deal of support for the Montgomery curve curve25519
> (FYI, the 25519 refers to the fact that arithmetic is done modulo the
> prime 2**255 – 19).
>
> curve25519 only fills one of the three required security levels.  We
> still need curves of size near 384 bits and 512 bits.

My suggestion: we look at the safecurves website and find curves.
Right now Curve41417 and Ed448 are both contenders for the 384 size:
it will come down to efficiency, which requires some coding to be
done. I understand both have implementations, and it comes down to who
can optimize the best.

For the 512 size M-511 looks good to me. Maybe some prime shapes are
more optimized, etc., but 2^384 is in a dry spot for primes: the best I
got was 2^384-317, which is a large enough epsilon to cause problems
on small radix machines.

>
> NIST curves: I doubt TLS will be willing to revisit the question of
> elliptic curves once the CFRG has made their recommendation.  Another
> option to consider is advising TLS to use the NIST curves in the short
> term, buying time for the CFRG to do an unrushed exploration of the
> alternatives, drawing academia and other standards bodies into the
> discussion.

How much more time do we need? We can hold meetings ad nauseam, but I
don't think our alternatives will change that much, or the various
factors causing us to lean one way or the other. Put it another way:
do you foresee any information in the next 12 months that would change
the status of Curve25519? If not, why not make the decision now, or at
least plan to end Toronto with the decision made?

Sincerely,
Watson Ladd
>
> P.S.  It has been suggested that the CFRG hold a session at the Crypto
> conference in Santa Barbara in an effort to draw in more participation
> from the academic community.  No guarantees we can pull this off, but it
> is worth the attempt. Thoughts?  Volunteers?
>
> P.P.S. We need to start lining up speakers for the CFRG session at
> IETF-90 (Toronto).
>
> ----------------+--------------------------------------------------
> Kevin M. Igoe   | "We can't solve problems by using the same kind
> kmigoe@nsa.gov  | of thinking we used when we created them."
>                 |              - Albert Einstein -
> ----------------+--------------------------------------------------



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
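Added example, not part of the thread: the "dry spot" remark above is about how far below 2^k the nearest prime sits, because curves like Curve25519 (2^255 - 19), Curve41417 (2^414 - 17) and M-511 (2^511 - 187) all use a field prime of the shape 2^k - c with a small c. The script below searches for the smallest c at each k and reports how many bits c occupies. It uses a probabilistic Miller-Rabin test with a fixed set of bases (an assumed design choice for the example; it is deterministic only for n below roughly 3.3e24), and it does not cover Ed448, whose prime 2^448 - 2^224 - 1 has a different shape.

```python
"""Search for field primes of the shape 2^k - c.

Added example for the CFRG thread above; not code from the discussion.
The k values in main() are the ones the thread talks about.
"""
from typing import Optional

# Trial-division primes and fixed Miller-Rabin bases.  Assumed choice for
# this example: the first twelve primes as bases make the test deterministic
# below ~3.3e24; for 255-bit and larger candidates it is a probabilistic test
# whose error is negligible on non-adversarial input.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61]
MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Trial division by small primes, then Miller-Rabin with MR_BASES."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    # Write n - 1 = d * 2^s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def smallest_c(k: int, limit: int = 1 << 14) -> Optional[int]:
    """Smallest c > 0 such that 2^k - c is (probably) prime, i.e. the gap
    from 2^k down to the largest prime below it.  None if no prime lies
    within `limit` of 2^k."""
    base = 1 << k
    for c in range(1, limit, 2):  # an even c gives an even number; skip it
        if is_probable_prime(base - c):
            return c
    return None


def epsilon_bits(c: int) -> int:
    """Bits needed to hold c.  Reducing modulo 2^k - c folds the high half
    of a product back in by multiplying it by c, so every bit of c is a
    bit of carry headroom lost in each limb."""
    return c.bit_length()


if __name__ == "__main__":
    # 255: Curve25519, 384: the gap the thread mentions, 414: Curve41417,
    # 511: M-511, 521: the Mersenne prime behind P-521.
    for k in (255, 384, 414, 511, 521):
        c = smallest_c(k)
        if c is None:
            print(f"2^{k}: no prime of the form 2^{k} - c found in range")
        else:
            print(f"2^{k} - {c:<4} is probably prime  (c needs {epsilon_bits(c)} bits)")
```

Reading the output: for k = 255 the search stops at c = 19, which occupies 5 bits, while for k = 384 it runs well past that, and each extra bit in c is a bit of slack lost when partial products are folded back below 2^k. On a 32-bit platform the limbs are narrower to begin with, so the same c leaves less room before a carry must be propagated, which is the "small radix" concern raised above.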