IETF Logo Mail Archive

Re: [Cfrg] big-endian short-Weierstrass please

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 28 January 2015 22:30 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D07461A0AF8 for <cfrg@ietfa.amsl.com>; Wed, 28 Jan 2015 14:30:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qBmwmwQ92v4x for <cfrg@ietfa.amsl.com>; Wed, 28 Jan 2015 14:30:35 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id CA29E1A1A34 for <cfrg@irtf.org>; Wed, 28 Jan 2015 14:30:35 -0800 (PST)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id A70A3F984 for <cfrg@irtf.org>; Wed, 28 Jan 2015 17:30:33 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 02FA52039E; Wed, 28 Jan 2015 17:30:31 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: cfrg@irtf.org
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5D4413B@XMB116CNC.rim.net>
References: <810C31990B57ED40B2062BA10D43FBF5D42BDA@XMB116CNC.rim.net> <87386ug2r7.fsf@alice.fifthhorseman.net> <810C31990B57ED40B2062BA10D43FBF5D4413B@XMB116CNC.rim.net>
User-Agent: Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)
Date: Wed, 28 Jan 2015 17:30:28 -0500
Message-ID: <87r3ueedx7.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/s1aBvSRRmSXVPsIzBohyUf7CJ0s>
Subject: Re: [Cfrg] big-endian short-Weierstrass please
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jan 2015 22:30:38 -0000

On Wed 2015-01-28 16:23:27 -0500, Dan Brown wrote:
> For example, RFC 4492 allows curves to be specified in Weierstrass
> form, not just as named form.  I don't know if any TLS implementations
> support the specified curve option, but if they do, then it would be
> nice if the new implementations could talk to them, using the new
> curves.

Over in the TLS WG, we're working on actively deprecating the custom
curve selection mechanism and moving strictly toward pre-named curves
(this is true for finite-field DH as well).  Custom curve and FFDHE
group selection will be gone in TLS 1.3.

oThe over-flexibility in EC group selection isn't widely used, and when
it is used, there is no clear way for a receiving implementation to have
confidence in the structure of the arbitrary curves provided (even
simple primality-testing is probably too expensive for most to do at
runtime), or to have a reasonable (efficient, constant-time)
implementation.

I don't think this is a particularly useful half-measure.  I'd rather
see implementations pick up new, reasonably-vetted curves than try to
muddle through supporting arbitrary curves provided by the peer.

     --dkg

v2.23.0 | Report a Bug | By Email