Re: [Cfrg] ECC mod 8^91+5

Hanno Böck <> Sat, 21 October 2017 18:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 980CA1320DC for <>; Sat, 21 Oct 2017 11:03:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.701
X-Spam-Status: No, score=-0.701 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sDRlClYbnqJE for <>; Sat, 21 Oct 2017 11:03:26 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3B84A13219B for <>; Sat, 21 Oct 2017 11:03:26 -0700 (PDT)
Received: from pc1 ([2001:2012:127:3e00:b3bf:56a1:a140:6086]) (AUTH: LOGIN, TLS: TLSv1/SSLv3, 256bits, ECDHE-RSA-AES256-GCM-SHA384) by with ESMTPSA; Sat, 21 Oct 2017 20:03:23 +0200 id 0000000000000010.0000000059EB8BEB.00001419
Date: Sat, 21 Oct 2017 20:03:21 +0200
From: Hanno =?UTF-8?B?QsO2Y2s=?= <>
Message-ID: <20171021200321.38549d9a@pc1>
In-Reply-To: <>
References: <> <>
X-Mailer: Claws Mail 3.15.1-dirty (GTK+ 2.24.31; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [Cfrg] ECC mod 8^91+5
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 21 Oct 2017 18:03:29 -0000

On Mon, 16 Oct 2017 15:08:16 +0000
Dan Brown <> wrote:

> The main point of this curve is to use it in a system of
> multiply-applied diverse crypto, where its security features (special
> CM curve, minimal room for trapdoor) could complement those of other
> crypto algorithms (including PQC and other ECC algorithms).  Using
> this variant of ECC as the sole (PK) crypto would be risky (due to
> lack of track-record/aegis/scrutiny/etc.).

People rarely do multi-crypto these days, and if they do they usually
have good reasons.
I don't see those reasons here.

As we all remember we had a very lengthy discussion about new ECC
curves not so long ago. New curves were standardized with what many
people consider desirable security properties.

As you indicate some people want to combine that with pqc. In this case
multi-crypto makes sense, because it can give you something that you
can't have in a single algorithm: well-tested crypto and postquantum

But standardizing yet another new ecc method seems a rather obscure
threat scenario. You'd assume that you use multiple ECC methods and
there's a security flaw that affects all others, but not your new

If you feel you want multiple different standardized ECC methods you can
already use nist ecc + c25519 in combination. I'm not aware that anyone
is doing this.

In general I feel it's not desirable to have as many standardized
algorithms as possible, as it only complicates algorithm choices. A new
algorithm should always have good reasoning for its existence.

Therefore I'm against standardizing this unless further arguments are
brought up why it's advantageous compared to existing standardized ecc

Hanno Böck

GPG: FE73757FA60E4E21B937579FA5880072BBB51E42