Re: [Cfrg] Curve manipulation, revisited

Yoav Nir <ynir.ietf@gmail.com> Mon, 29 December 2014 13:36 UTC

To: Rich Salz <rsalz@akamai.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/u3x0AL8j9Pk5qWC0NvJpixAGdss
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

> On Dec 29, 2014, at 3:12 PM, Salz, Rich <rsalz@akamai.com> wrote:
> 
>> Similarly, suggesting that TLS-WG could be given only X25519 without Ed25519 being pulled in is either naive or an attempt to sneak them both in the back door.
> 
> Without commenting on the rest of your points (which I don't feel qualified), I strongly disagree with this.  But maybe my naivete is showing.
> 
> As a member of the TLS WG, the OpenSSL development team, and security-focused employee of Akamai, I just want X25519.  (I'm also a co-author of the Turner I-D and have resisted multiple requests to merge Ed25519 into it.)

Hi, Rich

May I ask why?  If we can make key agreement faster by using X25519 instead of P-256, it stands to reason that we can make signatures faster by using Ed25519 instead of P-256.

Obviously we can’t abandon P-256 signatures for the same reasons it will take a long time to abandon RSA signatures. But what is the rationale for not including Ed25519?

Thanks,

Yoav