Re: [Cfrg] On "non-NIST"

Watson Ladd <> Sat, 28 February 2015 17:17 UTC

Date: Sat, 28 Feb 2015 09:17:35 -0800
Message-ID: <>
From: Watson Ladd <>
To: Paul Hoffman <>
Cc: "" <>, Peter Gutmann <>
Subject: Re: [Cfrg] On "non-NIST"
List-Id: Crypto Forum Research Group <>

On Sat, Feb 28, 2015 at 7:41 AM, Paul Hoffman <> wrote:
> On Feb 28, 2015, at 12:59 AM, Peter Gutmann <> wrote:
>> Paul Hoffman <> writes:
>>> The term "non-NIST" is predictive, and the crypto community kinda sucks at
>>> predictions. We have no idea what NIST will do in the future if a bunch of
>>> IETF WGs adopt specific elliptic curves that are not P256/P384.
>> Why is NIST seen as the ultimate arbiter of what's appropriate though?
> Not "the", but "an". The reason is that NIST controls what can and cannot be given a FIPS-140 certification, and that certification is considered important both by companies who want to sell to the US Govt and companies that use their certification as a statement that "we did it right". If you make an HSM that uses an algorithm not allowed by NIST, you cannot get it certified in the CMVP regime. Thus, when NIST is slow to keep up with the best practices adopted by the community, it becomes a roadblock to deploying better crypto.

This is factually untrue: CMVP certified modules are permitted to
implement other algorithms: they just can't be in FIPS mode when those
are used. I also don't see how NIST approval or lack thereof slowed
down RC4 deployment or accelerated SHA1 replacing MD5.

The reality is lots of new designs are using Curve25519 and Ed25519.
That's because of factors like simple design of APIs, high
performance, and very good security. Standards body acceptance is not
a concern here. Just as the reality is that E-521 was picked by
Brazil, while the new GOST is still being worked on, and the upper
size limit is just a random number. But never mind reality: we've got
to expose "signs of strength". We need big numbers for marketing:
never mind attackers can't break authentication in the future, while
mobile devices already struggle to validate certificates. We need to
vote on endianness: nothing more needs to be said.

Is anyone surprised we've become a punchline?

Watson Ladd

> This is why we hope that, when this RG finally moves on both the curve and the signing algorithm, NIST adds those to its list of acceptable crypto for the FIPS 140 testing. If they don't, people can still deploy it, but deployment will be hampered.
> --Paul Hoffman
> _______________________________________________
> Cfrg mailing list

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin