Re: [Cfrg] Curve selection revisited

David Jacobson <> Fri, 25 July 2014 15:30 UTC

Date: Fri, 25 Jul 2014 08:30:35 -0700
From: David Jacobson <>
To: "Paterson, Kenny" <>, Benjamin Black <>, "" <>
Subject: Re: [Cfrg] Curve selection revisited
List-Id: Crypto Forum Research Group <>

On 7/25/14 7:48 AM, Paterson, Kenny wrote:
> Ben
> Thanks for this helpful message. I've responded in-line below,
> representing the chairs and based on what I've heard on the list and at
> the IETF meeting this week. People on the list should still feel free, of
> course, to argue for other points of view.
> On 25/07/2014 01:10, "Benjamin Black" <> wrote:
> [snip]
>> 2) Performance must be measured using "production-quality"
>> implementations. By this I mean implementations which employ the sort of
>> techniques/optimizations appropriate for large scale deployment. This is
>> specifically intended to exclude discussion of
>> how simple or fast an implementation _could_ be, in favor of what they
>> actually are in practice. However, the goal is to select curves which
>> strike the best balance between various requirements, not simply the
>> fastest.
> I don't think it's very easy to be concrete about what
> "production-quality" means. I tend to agree with Yoav's comments here
> (

I believe that we need to decide what to do about side channel leakage resistance. Performance needs to be measured with the defenses deployed. Of course, the problem is that nobody knows what defenses should be deployed and when we have reached "good enough". One common defense is no branches on secret data. Almost certainly we would want the benchmarks to be coded this way. But if the threat model includes malicious processes that share a cache with the crypto process, then it is good practice to code so that the stream of memory addresses accessed does not depend on secret data. And then there are various blinding techniques with widely varying costs.

This issue is more important if different curves/protocols have different sensitivities to leakage or require different leakage mitigations. I don't know whether this is the case.

    --David Jacobson
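The two coding disciplines named in the message above (no branches on secret data, and no secret-dependent memory addresses) are easiest to see side by side. The C below is an added illustration for this archive page, not code from the thread, from any CFRG draft, or from any curve implementation; the function names (cswap_branchy, cswap_ct, lookup_naive, lookup_ct, selftest) and the sample table are assumptions made for the example. It shows the conditional swap used in ladder-style scalar multiplication, first as a branch on the secret bit and then as a mask-based version whose instruction stream and memory accesses are identical for both bit values, and a table lookup written so that every entry is read regardless of the secret index. Blinding, the third class of defense mentioned, is not shown.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Expand a 0/1 condition into an all-zeros or all-ones mask, no branch. */
static uint64_t ct_mask(uint64_t bit)
{
    return (uint64_t)0 - (bit & 1);
}

/* Branching swap: which path executes depends on the secret bit, so
 * timing and the sequence of memory writes leak the bit. */
void cswap_branchy(uint64_t *a, uint64_t *b, size_t n, uint64_t bit)
{
    if (bit) {
        for (size_t i = 0; i < n; i++) {
            uint64_t t = a[i];
            a[i] = b[i];
            b[i] = t;
        }
    }
}

/* Constant-time swap: every word of a and b is read and written on
 * both paths; the mask decides whether the exchange takes effect. */
void cswap_ct(uint64_t *a, uint64_t *b, size_t n, uint64_t bit)
{
    uint64_t mask = ct_mask(bit);
    for (size_t i = 0; i < n; i++) {
        uint64_t d = (a[i] ^ b[i]) & mask;
        a[i] ^= d;
        b[i] ^= d;
    }
}

/* Naive lookup: the address read (and thus the cache line touched)
 * is a function of the secret index. */
uint64_t lookup_naive(const uint64_t *table, size_t len, size_t idx)
{
    (void)len;
    return table[idx];
}

/* Constant-time lookup: read every entry in order, keep the wanted one
 * with a mask, so the address stream does not depend on idx. */
uint64_t lookup_ct(const uint64_t *table, size_t len, size_t idx)
{
    uint64_t result = 0;
    for (size_t i = 0; i < len; i++) {
        /* eq is 1 when i == idx and 0 otherwise, computed without a branch:
         * for nonzero diff, diff | -diff always has its top bit set. */
        uint64_t diff = (uint64_t)i ^ (uint64_t)idx;
        uint64_t eq = 1 ^ ((diff | ((uint64_t)0 - diff)) >> 63);
        result |= table[i] & ct_mask(eq);
    }
    return result;
}

/* Constructed sample table for the demonstration (not real curve data). */
static const uint64_t demo_table[4] = { 10, 20, 30, 40 };

/* Check that the constant-time forms compute the same results as the
 * naive forms; returns 1 on success, 0 on any mismatch. */
int selftest(void)
{
    uint64_t a1[2] = { 1, 2 }, b1[2] = { 3, 4 };
    uint64_t a2[2] = { 1, 2 }, b2[2] = { 3, 4 };
    for (uint64_t bit = 0; bit < 2; bit++) {
        cswap_branchy(a1, b1, 2, bit);
        cswap_ct(a2, b2, 2, bit);
        for (size_t i = 0; i < 2; i++)
            if (a1[i] != a2[i] || b1[i] != b2[i])
                return 0;
    }
    for (size_t idx = 0; idx < 4; idx++)
        if (lookup_naive(demo_table, 4, idx) != lookup_ct(demo_table, 4, idx))
            return 0;
    return 1;
}

int main(void)
{
    printf("constant-time forms agree with naive forms: %s\n",
           selftest() ? "yes" : "no");
    return selftest() ? 0 : 1;
}
```

The masked swap costs a few extra XORs per word and the masked lookup costs a full scan of the table, which is exactly the kind of overhead the message argues benchmarks should include rather than omit. Note that the compiler may still rewrite these forms; in production code the generated assembly has to be inspected, since source-level discipline alone is not a guarantee.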