Re: [Cfrg] [CFRG] Safecurves v Brainpool / Rigid v Pseudorandom

Alyssa Rowan <akr@akr.io> Tue, 14 January 2014 00:27 UTC



On 13/01/2014 23:07, Dan Brown wrote:

> For a given field, pseudorandom curve better resists secret
> attacks than rigidity.

With respect, I disagree.

With zero knowledge of a hypothetical attack, we have zero knowledge
about what may, or may not, be affected by it.


A point to note here: brainpoolP256r1 has a _very_ weak twist
(ρ @ 2^44) - a practical problem only in a flawed implementation that
doesn't check for invalid points. But here nevertheless, we actually
have a curve generated in a documented pseudorandom manner, yet it has
at least one desirable property distinctly less secure than all of its
tested peers.

Why? Bad luck, it seems.


I for one prefer sound, well-explained, reproducibly verifiable curve
design which resists all known attacks, to rolling the dice and hoping
it resists a hypothetical attack that we know nothing about.

Hence my preference for the "Safecurves" approach, and thus the
"Chicago" curves.

That some of them can be (and have been) implemented in an extremely
efficient way, and thus are exceptionally well-suited for the
important task of accelerating wide adoption of forward security in
internet protocols, I also find a highly desirable point in their
favour - as, it seems, do many others.

I can find no remotely compelling argument against them.

-- 
/akr
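The invalid-point check the message refers to, as an added example that is not part of the original post: full affine validation of a brainpoolP256r1 public key, plus a helper that finds an x-coordinate with no point on the curve, which is exactly the kind of input an unvalidated x-only ladder would process on the twist instead. The curve constants are assumed to be the RFC 5639 brainpoolP256r1 parameters; the twist's group order (the ρ @ 2^44 figure above) is not computed here.

```python
# Added example (not from the message): public-key validation for
# brainpoolP256r1 using the RFC 5639 parameters (assumed, not from the
# message). Short Weierstrass form y^2 = x^3 + A*x + B over GF(P), h = 1.
P = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
A = 0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
B = 0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
GX = 0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262
GY = 0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997
N = 0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7


def rhs(x):
    """Right-hand side of the curve equation, x^3 + A*x + B mod P."""
    return (x * x * x + A * x + B) % P


def is_on_curve(x, y):
    """Full affine check: both coordinates in range and the equation holds.
    Because the cofactor is 1, this is the whole public-key validation."""
    return 0 <= x < P and 0 <= y < P and (y * y - rhs(x)) % P == 0


def x_has_curve_point(x):
    """True if some y exists on the curve for this x, i.e. rhs(x) is a
    square mod P (Euler's criterion). If False, the x-coordinate belongs
    to the quadratic twist, which is where an x-only ladder that skips
    validation would end up computing."""
    t = rhs(x)
    return t == 0 or pow(t, (P - 1) // 2, P) == 1


def recover_y(x):
    """Return one y with (x, y) on the curve, or None if there is none.
    Uses the P = 3 (mod 4) square root shortcut, valid for this prime."""
    if not x_has_curve_point(x):
        return None
    return pow(rhs(x), (P + 1) // 4, P)


def first_twist_x(start=0):
    """Smallest x >= start whose rhs is a non-square: a constructed
    'invalid point' input that is_on_curve / recover_y must reject."""
    x = start
    while x_has_curve_point(x):
        x += 1
    return x
```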