Re: [Cfrg] Progress on curve recommendations for TLS WG

Watson Ladd <watsonbladd@gmail.com> Fri, 15 August 2014 18:24 UTC

From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Brown <dbrown@certicom.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/tRMcdC5pqwkVEdxtb235RgF1fZA
Cc: cfrg@irtf.org

On Aug 15, 2014 10:59 AM, "Dan Brown" <dbrown@certicom.com> wrote:
>
> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Watson Ladd
> > The reason Dan Brown's example isn't convincing is that having only prime
> > factors of not that small size is common.
>
> Right about it being common: Dickman's function says the chance of the largest
> prime factor of that size is about 15%.
>
> Wrong about it being unconvincing: the severity of the attack is what matters,
> not how common it is.  Why would anybody care whether it took six or
> one-million trials to find a weak 56-bit curve?

What is it convincing of? If it takes 6 trials all randomly generated
curves are likely to fail. If it's 1 in a million, then rigidity or lack
thereof is more important to prevent underhandedness.

>
> Also, I assume that you are not referring to my BARC example, in which the
> largest prime factor is two.   Maybe BARC is unconvincing for another reason,
> which is?

The endomorphism ring was shockingly large, NUMS isn't a property of a
curve but a generation method, etc. Really the only argument was
supersingular curves, which I admit being mildly convinced by.

Sincerely,
Watson Ladd