Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as a RG document

Andrey Jivsov <crypto@brainhub.org> Fri, 09 January 2015 00:11 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D9191A6FE7 for <cfrg@ietfa.amsl.com>; Thu, 8 Jan 2015 16:11:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D79K5lUScYnM for <cfrg@ietfa.amsl.com>; Thu, 8 Jan 2015 16:11:07 -0800 (PST)
Received: from resqmta-po-06v.sys.comcast.net (resqmta-po-06v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:165]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7E9A1A1B69 for <cfrg@irtf.org>; Thu, 8 Jan 2015 16:11:07 -0800 (PST)
Received: from resomta-po-05v.sys.comcast.net ([96.114.154.229]) by resqmta-po-06v.sys.comcast.net with comcast id dcAB1p0044xDoy801cB7VG; Fri, 09 Jan 2015 00:11:07 +0000
Received: from [IPv6:::1] ([71.202.164.227]) by resomta-po-05v.sys.comcast.net with comcast id dcB51p00X4uhcbK01cB60w; Fri, 09 Jan 2015 00:11:06 +0000
Message-ID: <54AF1C99.5070308@brainhub.org>
Date: Thu, 08 Jan 2015 16:11:05 -0800
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>
References: <54AAE2CA.1080701@isode.com> <54AEF855.4090100@brainhub.org> <CACsn0cm01o4vhwwzs_WNpLq6vnA_cBchvLNS+Eyg5YZH_hQyMg@mail.gmail.com>
In-Reply-To: <CACsn0cm01o4vhwwzs_WNpLq6vnA_cBchvLNS+Eyg5YZH_hQyMg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1420762267; bh=0kqsJYiKSpP8jBqqM/OjvYrhpKfwIN+xUbgW9NzFjZ4=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=myzcfqNhJHAT4bSBAAuq7zvr4H+c6e5pYnw8LODywGxNVibjr7oKakbkXw/RYt7oP RpPX2DKR0mSo0znGNC5/P9oC3ZrPEWaDiao21bbeawj1snL5PNpmYuM9jrVZhaVrLK 7MPDk7bK6vsUVlbwxqqHNW9fwDi1mp0zvoufB1UuIzhFmqtjSvCEGgT2qRV2ysHKsX BO6Dh1D67HXzxPVEl9D/9vwFbfb1i7pC0pBVZR9cw12Ke8R2EsfjmxTC57y/GMawGU hxUrTW8e/FuuD6QuAZBZkLiZ3K9zAnJgOBKVbQqXtOCvspvN/0tT9zoZvO6Jg1IRPA 99Q1l8zi7i9fQ==
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/rv1m5mUiH4koZlt55UObKU29zTY>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as a RG document
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jan 2015 00:11:09 -0000

On 01/08/2015 01:51 PM, Watson Ladd wrote:
> Three points:
>
> 1: There are recurring security issues caused by not sending
> compressed points, as well as additional complexity
> 2: We're not talking about signatures in this draft.
> 3: Options are bad.

Regarding options, this draft is a foundational document of a low-level 
crypto primitive. Protocols above can still pick a single wire format.

The spec should allow, for example, S/MIME to select (x) for space 
saving, while TLS to select (x,y) for performance. (I am not making 
these choices here).

The entire document is an optional primitive. SuiteB and Brainpool 
curves will be around for awhile.

One might say that the proposed tweak retains a single format, which is 
(x,y), with an available (internal) optimization to use x with a 
Montgomery ladder.


Re: security issues, the easiest fix would be to add one paragraph to to 
check that (x,y) is on the curve. The spec already deals with the 
cofactor>1 in section 9.1.