Re: [Cfrg] IEEE 1609 requirements (was Re: Curve selection revisited)

Robert Moskowitz <> Tue, 29 July 2014 12:39 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 9DE9C1B2864 for <>; Tue, 29 Jul 2014 05:39:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id heTm2q6DEaJ3 for <>; Tue, 29 Jul 2014 05:39:31 -0700 (PDT)
Received: from ( [IPv6:2607:f4b8:3:0:218:71ff:fe83:66b9]) by (Postfix) with ESMTP id 788FB1B283E for <>; Tue, 29 Jul 2014 05:39:31 -0700 (PDT)
Received: from localhost (unknown []) by (Postfix) with ESMTP id CF3A962BA1; Tue, 29 Jul 2014 12:39:29 +0000 (UTC)
X-Virus-Scanned: amavisd-new at localhost
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gfbou+2pWQSL; Tue, 29 Jul 2014 08:39:19 -0400 (EDT)
Received: from ( []) (Authenticated sender: by (Postfix) with ESMTPSA id C4AD362B85; Tue, 29 Jul 2014 08:39:17 -0400 (EDT)
Message-ID: <>
Date: Tue, 29 Jul 2014 08:39:17 -0400
From: Robert Moskowitz <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0
MIME-Version: 1.0
To: William Whyte <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "" <>
Subject: Re: [Cfrg] IEEE 1609 requirements (was Re: Curve selection revisited)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 29 Jul 2014 12:39:37 -0000

I failed to be clear in that 8-bit processors were in the sensor 
segment.  DSRC (IEEE 1609) is not so constrained (real electrons and 
such) and 32 bit is the norm.  My bad.

On 07/28/2014 11:59 PM, William Whyte wrote:
> Hi all,
> Some notes on Bob's comments in the context of vehicle-to-vehicle
> communications. He's on point in general but I have a few corrections,
> below.
> One thing to say in general about the V2V safety communications: these
> are devices that, as Bob says, have a very long lifetime and may be
> hard to upgrade in the field. They also need to be produced in
> reasonable volumes and be durable. These all push the groups working
> on V2X communications in the direction of using crypto technology
> that's already widespread, so both the US and the EU groups working on
> this are currently using NIST p256 and it would be difficult to
> persuade them to change at this point (with some exceptions, see
> below).
> Personally, I regret that we're using the NIST curves, given the poor
> quality of their generation process, but I don't see the marketplace
> as yet having picked a winner from the alternatives.
>> 8 bit processors are the norm, and NO, Dr. Moore is NOT going to change
>> that.
> It's not clear that this is the case for V2V safety communications.
> Collision prediction is fairly processor-intensive. All the prototypes
> I know of have been on 32-bit processors. I don't see an ability to
> support 8-bit processors as particularly important.

V2X almost always has the wherewithall for 32bit.  Potentially some 
roadside sensors might be so constrained, but not likely once you factor 
in the cost of an 802.11p radio, you might as well pay the little extra 
for 32 bit processors.

>> Hardware acceleration is acceptable, but that could
>> make in-field corrections impossible.
> One potential bottleneck bottleneck is verification of incoming
> messages. There may be 1000 incoming messages per second. Verifying
> all of these requires hardware acceleration on any realistic
> automotive device and for any choice of curve that I'm aware of.
> Another alternative is to only verify certain messages, for example
> from cars that might potentially cause a hazard. Hardware acceleration
> is possible, but raises costs and risks locking in a particular crypto
> solution. Europe and the US are taking different approaches to this:
> in the European system, the intent is that every message is verified,
> while in the US the emphasis is more on verify on demand.

Imagine a congested roadway with every car screaming out what it is 
encountering and every car trying to validate those signed messages.  
Definitely more validations than signings.

>> 1) Low over-the-air demands.  Every BIT counts.  We have to live with 32
>> bytes; but 64 bytes may be too much.
> Spectrum is another very constrained resource. If we could potentially
> shave 16 bytes off every signature that's something we could be very
> interested in.

Kind of what I was saying without going into the details of needing low 
over-the-air demands.  Spectrum, PHY contention algorithms, LBT (listen 
before transmit, or some such acronym) all add up to needing to be brief 
in what you transmit.  So it is recongnized that 32 byte keys are called 
for; but what of the key is actually sent?  And as William says, how big 
is the signature of the packet.  Is the key sent with every signed 
message or only when a new car is 'heard from'?  There are a number of 
optimizations to conserve the vary limited airway.

>> 3) Performance on an 8 bit  processor.  Performance is measured in time and
>> energy.
> As above, I don't think 8-bit performance is huge for V2V communications.

No.  Elsewhere; and still potentially in cars.

>> 4) preserving ECDSA and ECDHE.  This is what is currently in use, and in
>> some cases written into regulations (urgh), so we have to still keep them
>> working.  But if something 'new' and provably good makes a big difference in
>> one of the previous needs I suspect there will be an attentive audience.
> If the expert judgement of the technical working groups is that a
> different algorithm than ECDSA is better, we don't believe there would
> be a regulatory barrier to using that other algorithm.

It was smartgrid related I saw the regulator reference.  The rule making 
is still a piece of work-in-progress for V2X.  But USDOT could come out 
with rules still this year.

>> But please just don't solve this for TLS on octo-core 64-bit systems.
> Yes! In particular, whatever choice is made by CFRG is likely to be
> more widely supported in hardware than any alternative, so CFRG's
> choice will be the strongest candidate to replace ECDSA if it has
> sufficient advantages.
> Cheers,
> William