Re: [Cfrg] Progress on curve recommendations for TLS WG

Johannes Merkle <> Fri, 15 August 2014 11:12 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 199281A8A35 for <>; Fri, 15 Aug 2014 04:12:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.268
X-Spam-Status: No, score=-3.268 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.668] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uw7jM4ecRXgZ for <>; Fri, 15 Aug 2014 04:12:22 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4DEF71A09D7 for <>; Fri, 15 Aug 2014 04:12:21 -0700 (PDT)
Received: from localhost (alg1 []) by (Postfix) with ESMTP id 7CF231A0079 for <>; Fri, 15 Aug 2014 13:12:16 +0200 (CEST)
X-Virus-Scanned: by secunet
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with LMTP id wwUzs5ARs9rr for <>; Fri, 15 Aug 2014 13:12:11 +0200 (CEST)
Received: from (unknown []) by (Postfix) with ESMTP id 9C6041A0071 for <>; Fri, 15 Aug 2014 13:12:11 +0200 (CEST)
Received: from [] ( by ( with Microsoft SMTP Server (TLS) id; Fri, 15 Aug 2014 13:12:14 +0200
Message-ID: <>
Date: Fri, 15 Aug 2014 13:12:13 +0200
From: Johannes Merkle <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: []
Subject: Re: [Cfrg] Progress on curve recommendations for TLS WG
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 15 Aug 2014 11:12:25 -0000

D. J. Bernstein wrote on 01.08.2014 03:36:
> However, the following recent analysis shows that the Brainpool curves,
> which were advertised as "generated in a systematic and comprehensive
> way" covering several different security levels, actually gave the curve
> generator the flexibility to secretly choose from among more than
> 1000000 curves for any particular prime:

This statement is so skewed and misleading that I can not refrain from commenting:

- In this analysis, a significant part of this flexibility comes from the choice of the hash function. Specifically, the
BADA55 curves were generated using one of the numerous version of Keccak. However, Keccak wasn't even invented at the
time the Brainpool curves were generated.

 - The method used to generate the coefficients of the Brainpool curves was taken from ANSI X9.62 (including the use of
SHA-1), which was - at least at that time - the only reference for a method for pseudo-random curve generation. There is
only the slight deviation that the second coefficient was computed in exactly the same way as the first one, while ANSI
X9.62 computes the fraction of these, but this straightforward simplification does not introduce significant flexibility.

- Pi and e are by far the most prominent mathematical constants, while cosinus(1) (used in that analysis) is quite
arbitrarily chosen. Expressing Pi as 4*arctan(1) doesn't change this fact.

It is perfectly OK to point out that the Brainpool curves do not allow optimal performance, or that Montgomery and
Edwards curves allow simplified arithmetic. But it is not ok to imply that the Brainpool curves could potentially have
been designed with a backdoor built in. This suggestion is completely unjustified, misleading and gives a false color.