Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices
Andy Lutomirski <luto@amacapital.net> Fri, 21 November 2014 17:27 UTC
Return-Path: <luto@amacapital.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6658A1AD590 for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 09:27:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9fxf2DoHxHTh for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 09:27:19 -0800 (PST)
Received: from mail-lb0-f171.google.com (mail-lb0-f171.google.com [209.85.217.171]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A38A1AD585 for <cfrg@irtf.org>; Fri, 21 Nov 2014 09:27:19 -0800 (PST)
Received: by mail-lb0-f171.google.com with SMTP id b6so4455484lbj.2 for <cfrg@irtf.org>; Fri, 21 Nov 2014 09:27:11 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=vUfgG+nWP1i/Mm+bR2g9Dhc+sDJ/PA1uf9ULR+DymSU=; b=DZcavwZ4fUZWoHaZohxPCJIiXPBV/2CDudEBJw8JWargvs64hyixmLF/UgS/QtBFU6 3uySxPDbCnnQWWaKcuQQcxIZWALoB5RJDuSDtGmIoV3U/35PXjM6/c9KRSuxMBprFPi0 DbxRv9iBoCaYivZCSzkg6YtBMTicdRBr0kJJJCr8OAEMDelwOFzlpdCZhcnEQix7UGZM QaSZZWHFYbHqXS0vg1E+PpNdEe4wNHNvF328weVAl7widktKYop1ns+ApkyRqjGwTKxv DTJ50jrfmAwHfMgzWYC7mEqOgc+Jgx1ZIoTgkcFD7NqPdzgc2ljiCKi7VhjTQQ6ya/52 ZhMg==
X-Gm-Message-State: ALoCoQm6N4249MVKlUuuq8rK7y9qA93/Gm4VGhAfzMPqw92OxshlutrNA2+OARZoEO85kAAd7THe
X-Received: by 10.112.219.3 with SMTP id pk3mr6593994lbc.18.1416590829109; Fri, 21 Nov 2014 09:27:09 -0800 (PST)
MIME-Version: 1.0
Received: by 10.152.7.170 with HTTP; Fri, 21 Nov 2014 09:26:48 -0800 (PST)
In-Reply-To: <CACsn0ckUoijv-uD3yksOQpRW9E-smF1wg9=+L2BVrN1+wRv0tw@mail.gmail.com>
References: <8FBEB0194016E64D9DF7E7855CD88E0C073A6D@FRPASERV0088.emea.oberthurcs.com> <201411200901.53517.manfred.lochter@bsi.bund.de> <CACsn0cmV6aOMx+eiLa0iP7rYiU4ZVmeDbNPhTSz_a6oU1=kWjA@mail.gmail.com> <201411211351.04473.manfred.lochter@bsi.bund.de> <CACsn0ckUoijv-uD3yksOQpRW9E-smF1wg9=+L2BVrN1+wRv0tw@mail.gmail.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Fri, 21 Nov 2014 09:26:48 -0800
Message-ID: <CALCETrWMd53RyX=2aVRxzX-4x9oe=WmiCv91beK7KCXiXMOhkA@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/q9AZyjjwvyDyacTGFzQqR3xIGzQ
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Nov 2014 17:27:24 -0000
On Fri, Nov 21, 2014 at 8:58 AM, Watson Ladd <watsonbladd@gmail.com> wrote: > On Fri, Nov 21, 2014 at 4:51 AM, Lochter, Manfred > <manfred.lochter@bsi.bund.de> wrote: >> >> >> >> >> >> __________ ursprüngliche Nachricht __________ >> >> Von: Watson Ladd <watsonbladd@gmail.com> >> Datum: Donnerstag, 20. November 2014, 16:21:50 >> An: "Lochter, Manfred" <manfred.lochter@bsi.bund.de> >> Kopie: "cfrg@irtf.org" <cfrg@irtf.org> >> Betr.: Re: [Cfrg] Requirements for elliptic curves with a view towards >> constrained devices >> >>> On Thu, Nov 20, 2014 at 12:01 AM, Lochter, Manfred >>> >>> <manfred.lochter@bsi.bund.de> wrote: >>> >> Of course, you don't need to take my word for it: Cloudflare was very >>> >> clear that widespread ECDSA support was essential to making TLS free. >>> >> Mobile devices are having issues with verification times for NIST >>> >> P384. V2V proposals involves a staggering number of verifications a >>> >> second, but oddly enough don't use batching or efficient signatures, >>> >> thus forcing larger, more expensive hardware. >>> > >>> > Is there really a requirement for mobile devices to use a 384 bit curve? >>> > Why is 256 not sufficient? In which scenarios do you see the neccessity >>> > to use P-384? Which specific mobile devices are having issues with >>> > verification times? Are they having these problems only in connection >>> > with the proposed protocols you mention? >>> >>> When my mobile phone's browser connects to a website whose certificate >>> is signed by P384, a P384 verification better take place. Not >>> supporting P384 introduces an interoperability problem. >> >> I'm glad that you agree with my previously stated position that 384-bit curves >> are needed. Following your reasoning 256/384/512(521) bit curves have to be >> supported. In this case I would rather see performance problems on the >> 512/521 end. >> I would very much appreciate if you could also answer my other questions >> above. >> You seem to say that car-to-car communication will use the curves proposed by >> the cfrg. This supports the inital position we took in the Brainpool position >> paper (eprint 832/2014). I'm glad that we seem to agree on that. > > The V2V projects aren't. Despite high performance constraints they are > not making optimal choices. Batch signatures would seem a natural fit, > and yet ECDSA is still being used. P256 seems to be selected, despite > Koblitz curves existing. But blinding won't be used: the performance > hit is too much, and the security model doesn't require it. It doesn't > seem like they will switch to Curve25519 if the CFRG recommends it. Don't the V2V things need high *real-time* performance contraints? To me, that would seem to rule out batch signatures entirely, unless there's a magic verifier that can retain good performance even in the presence of an invalid signature. --Andy
- [Cfrg] Requirements for elliptic curves with a vi… RONDEPIERRE Franck
- Re: [Cfrg] Requirements for elliptic curves with … Dan Brown
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Manuel Pégourié-Gonnard
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Alyssa Rowan
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Andy Lutomirski
- [Cfrg] Handling invalid points D. J. Bernstein
- Re: [Cfrg] Handling invalid points Michael Hamburg
- Re: [Cfrg] Handling invalid points Michael Hamburg
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Handling invalid points Natanael
- Re: [Cfrg] Requirements for elliptic curves with … William Whyte
- Re: [Cfrg] Handling invalid points Ilari Liusvaara
- Re: [Cfrg] Handling invalid points Stephen Farrell
- Re: [Cfrg] Requirements for elliptic curves with … D. J. Bernstein
- Re: [Cfrg] Handling invalid points D. J. Bernstein
- Re: [Cfrg] Handling invalid points Adam Langley