Re: [Cfrg] big-endian short-Weierstrass please
Nico Williams <nico@cryptonector.com> Thu, 29 January 2015 17:16 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CCAF1A8742 for <cfrg@ietfa.amsl.com>; Thu, 29 Jan 2015 09:16:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.233
X-Spam-Level:
X-Spam-Status: No, score=0.233 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O5P8P37ZZbBK for <cfrg@ietfa.amsl.com>; Thu, 29 Jan 2015 09:16:55 -0800 (PST)
Received: from homiemail-a104.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 2BF751A7023 for <cfrg@irtf.org>; Thu, 29 Jan 2015 09:16:55 -0800 (PST)
Received: from homiemail-a104.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTP id A55EC20046912; Thu, 29 Jan 2015 09:16:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s= cryptonector.com; bh=zZARoeNKWrTnvCWVQbzf2QTlYOk=; b=QnCYtUlNck1 JG5EEYgkuZ3R+OHBwwIah7XI5UN7QD92y70G+uefRN8Yhsg6tap4m2X+CMJsk7BR MYoOqGAZ7ViArdze/CRR1rPRwpQkaHD29kQHhT3CUZvbyQ0AuxrfiBOUtCwkQbMx yyT3FwiYwyllurJ2ENHxVUi8Wy01g8K0=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTPA id 4AC3B2008232B; Thu, 29 Jan 2015 09:16:54 -0800 (PST)
Date: Thu, 29 Jan 2015 11:16:53 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
Message-ID: <20150129171649.GR3110@localhost>
References: <810C31990B57ED40B2062BA10D43FBF5D42BDA@XMB116CNC.rim.net> <87386ug2r7.fsf@alice.fifthhorseman.net> <810C31990B57ED40B2062BA10D43FBF5D4413B@XMB116CNC.rim.net> <87r3ueedx7.fsf@alice.fifthhorseman.net> <20150128231006.GJ3110@localhost> <D0EED79E.204B1%uri@ll.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <D0EED79E.204B1%uri@ll.mit.edu>
User-Agent: Mutt/1.5.21 (2010-09-15)
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/rLBehx5YTU3O6S-eQHWKV_a6-mQ>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] big-endian short-Weierstrass please
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jan 2015 17:16:56 -0000
On Wed, Jan 28, 2015 at 11:38:49PM +0000, Blumenthal, Uri - 0558 - MITLL wrote: > On 1/28/15, 18:10 , "Nico Williams" <nico@cryptonector.com> wrote: > >On Wed, Jan 28, 2015 at 05:30:28PM -0500, Daniel Kahn Gillmor wrote: > >> On Wed 2015-01-28 16:23:27 -0500, Dan Brown wrote: > >> > For example, RFC 4492 allows curves to be specified in Weierstrass > >> > form, not just as named form. I don't know if any TLS implementations > >> > support the specified curve option, but if they do, then it would be > >> > nice if the new implementations could talk to them, using the new > >> > curves. > >> > >> Over in the TLS WG, we're working on actively deprecating the custom > >> curve selection mechanism and moving strictly toward pre-named curves > >> (this is true for finite-field DH as well). Custom curve and FFDHE > >> group selection will be gone in TLS 1.3. > >> > >>…… > >> > >> I don't think this is a particularly useful half-measure. I'd rather > >> see implementations pick up new, reasonably-vetted curves than try to > >> muddle through supporting arbitrary curves provided by the peer. > > > >+1 > > The problem is - reasonably-vetted by who? NIST? DJB? Yourself? All of the > above? Besides the answers given already, this question is kinda strange. Why say "by whom"? It's implied in "vetted" that the entities doing the vetting are acceptable to the user. And anyways, the question is not relevant to Daniel K. G.'s point, which was: negotiate from sets of known curves rather than negotiate arbitrary curves whose parameters get sent to you by your peer. If we do this then each curve can have its own point format on the wire, with whatever endianness it wants. (Mind you, point format could be yet another set of parameters to negotiate, but why bother with so much complexity?) Generalization often is nice, but here it would mean having to engage in an expensive effort to write a pile of code that we wouldn't otherwise need only for the sake of generalization. I don't see a win there. Dan B. doesn't need us to use a generic point encoding for all curves in order for his preferred curves to be usable. There is no advantage to be had in using a generic point encoding here, and plenty of disavantages (among them: more code, instant obsolescence of existing implementations of curves we might end up approving of). Please no. > Attractiveness of the ability to select a custom curve is similar to that > of PGP Web of Trust: you can make a choice for yourself, rather than being > forced into what other experts (or “experts” :) decide for you. Yes, you might trust your selection, but if your peers don't then you lose. The flip side is that if you want to talk to a peer that wants you to use their curve, you might have to trust them, and how would you know whether to trust them? In a small network you could manage this, and one generic point encoding will help you, but you could pick one from a set of more than one. And anyways, it'd be a small network -- why should the Internet community bend over backwards to make it easy for you to pick your very own curves for use in your very own small network? There are still no advantages to be found in your proposition for having one generic point format for all curves. Outside your small network only pre-defined curves will work. The vetting is what we're doing now. It doesn't have to happen only here, and we needn't be the only vetters, but we don't need a single generic point encoding to allow multiple vetters. Nico --
- [Cfrg] big-endian short-Weierstrass please Dan Brown
- Re: [Cfrg] big-endian short-Weierstrass please David Gil
- Re: [Cfrg] big-endian short-Weierstrass please Daniel Kahn Gillmor
- Re: [Cfrg] big-endian short-Weierstrass please Dan Brown
- Re: [Cfrg] big-endian short-Weierstrass please Daniel Kahn Gillmor
- Re: [Cfrg] big-endian short-Weierstrass please Nico Williams
- Re: [Cfrg] big-endian short-Weierstrass please Alyssa Rowan
- Re: [Cfrg] big-endian short-Weierstrass please Tony Arcieri
- Re: [Cfrg] big-endian short-Weierstrass please Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] big-endian short-Weierstrass please Phillip Hallam-Baker
- Re: [Cfrg] big-endian short-Weierstrass please Alyssa Rowan
- Re: [Cfrg] big-endian short-Weierstrass please Stephen Farrell
- Re: [Cfrg] big-endian short-Weierstrass please Phillip Hallam-Baker
- Re: [Cfrg] big-endian short-Weierstrass please Daniel Kahn Gillmor
- Re: [Cfrg] big-endian short-Weierstrass please Hanno Böck
- Re: [Cfrg] big-endian short-Weierstrass please Dan Brown
- Re: [Cfrg] big-endian short-Weierstrass please Nico Williams
- Re: [Cfrg] big-endian short-Weierstrass please Watson Ladd
- Re: [Cfrg] big-endian short-Weierstrass please Phillip Hallam-Baker
- Re: [Cfrg] big-endian short-Weierstrass please Watson Ladd
- Re: [Cfrg] big-endian short-Weierstrass please Dan Brown
- Re: [Cfrg] big-endian short-Weierstrass please Nico Williams
- Re: [Cfrg] big-endian short-Weierstrass please Phillip Hallam-Baker
- Re: [Cfrg] big-endian short-Weierstrass please Yoav Nir
- Re: [Cfrg] big-endian short-Weierstrass please Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] big-endian short-Weierstrass please Nico Williams
- Re: [Cfrg] big-endian short-Weierstrass please Paul Hoffman
- Re: [Cfrg] big-endian short-Weierstrass please Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] big-endian short-Weierstrass please Phillip Hallam-Baker
- Re: [Cfrg] big-endian short-Weierstrass please Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] big-endian short-Weierstrass please Daniel Kahn Gillmor
- Re: [Cfrg] big-endian short-Weierstrass please Nico Williams
- Re: [Cfrg] big-endian short-Weierstrass please Phillip Hallam-Baker
- Re: [Cfrg] big-endian short-Weierstrass please Andrey Jivsov
- Re: [Cfrg] big-endian short-Weierstrass please Phillip Hallam-Baker