Re: [Cfrg] On "non-NIST"

Phillip Hallam-Baker <> Sat, 28 February 2015 16:02 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 2C1B21A1F70 for <>; Sat, 28 Feb 2015 08:02:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id b2vxb8jzj0Qm for <>; Sat, 28 Feb 2015 08:02:19 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4010:c03::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6C8AD1A1F04 for <>; Sat, 28 Feb 2015 08:02:19 -0800 (PST)
Received: by labgd6 with SMTP id gd6so22917247lab.7 for <>; Sat, 28 Feb 2015 08:02:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=GIBMEs3gxgkSsTB1eBJnOG+JKildhp+cqQbG1LR+fzs=; b=UJ8td2UB6QDmNNeB9XebSP07WAC7hqbVrervsd9oOt3AUvHuTw75mGgv5KPdxv4tZb ROPjFLU2TOVutSv6hmaINxqAwxF0p0Sn8nZ+LEYjcw+1WeFGNfpAGkhVi809wMajgB22 nPqWtTRn5Mj7UYMX/l89hRECby5Qupl4j+Wye7caql+NsgDgVCkVQCg1EoAZzcxShAxr yBuuf5v9Jjfg6zLqrRk/uOFIjg3VFe/YiLTCVYNWzEArzXjv500rncch1RFWrsSx2kNW Q2BbrsCH98zXQ1ezuIIvKlRVQRUb2cTLTVz/NKCLfHYUBaMmIVTqmOG8zYAExcpqzmpc 5g7g==
MIME-Version: 1.0
X-Received: by with SMTP id gy7mr16980099lac.91.1425139337860; Sat, 28 Feb 2015 08:02:17 -0800 (PST)
Received: by with HTTP; Sat, 28 Feb 2015 08:02:17 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Sat, 28 Feb 2015 11:02:17 -0500
X-Google-Sender-Auth: xOCN2pQpZ3bPfDwd-TEdgGtJFTs
Message-ID: <>
From: Phillip Hallam-Baker <>
To: Paul Hoffman <>
Content-Type: multipart/alternative; boundary=001a1134303afd1e600510281b5e
Archived-At: <>
Cc: "" <>, Peter Gutmann <>
Subject: Re: [Cfrg] On "non-NIST"
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 28 Feb 2015 16:02:21 -0000

On Sat, Feb 28, 2015 at 10:41 AM, Paul Hoffman <>

> On Feb 28, 2015, at 12:59 AM, Peter Gutmann <>
> wrote:
> >
> > Paul Hoffman <> writes:
> >
> >> The term "non-NIST" is predictive, and the crypto community kinda sucks
> at
> >> predictions. We have no idea what NIST will do in the future if a bunch
> of
> >> IETF WGs adopt specific elliptic curves that are not P256/P384.
> >
> > Why is NIST seen as the ultimate arbiter of what's appropriate though?
> Not "the", but "an". The reason is that NIST controls what can and cannot
> be given a FIPS-140 certification, and that certification is considered
> important both by companies who want to sell to the US Govt and companies
> that use their certification as a statement that "we did it right". If you
> make an HSM that uses an algorithm not allowed by NIST, you cannot get it
> certified in the CMVP regime. Thus, when NIST is slow to keep up with the
> best practices adopted by the community, it becomes a roadblock to
> deploying better crypto.

That overstates it.

I need my HSMs validated by some independent party. NIST has an existing,
widely respected infrastructure. The fact that NIST certification is
necessary for US govt use is not the issue here.

We need someone to do the work, there is a limited number of parties with
the resources, skills and authority to do the job. If NIST is not going to
do the job then we would need to find someone else. That is not impossible
but NIST is the default.

So the practical upshot here is that NIST is a stakeholder because we would
like their help. They are also a standards body in their own right (though
not a multi-stakeholder one). So it would be even more helpful if they gave
an indication that the new curves are at least equally acceptable as the
old for US govt. work.

NIST is a stakeholder here. They are not the only one but they are one of
the few stakeholders that is likely to have a strong opinion.

If NIST or Microsoft or Google was to say that they cared a really great
deal about P448 or P521 then that should in my view carry rather more
weight than a bunch of folk with either a mild preference for one or the