Re: [Cfrg] Progress on curve recommendations for TLS WG

[Dan Brown <dbrown@certicom.com>]

> -----Original Message-----
> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Johannes Merkle
> Sent: Friday, August 15, 2014 12:41 PM
> To: Watson Ladd
> Cc: cfrg@irtf.org
> Subject: Re: [Cfrg] Progress on curve recommendations for TLS WG
> 
> >>
> >> curve25519, but this would only introduce more unjustified discredit
> >> and
> > FUD.
> >>
> >
> 
> being straightforward. So we would arrive at an example that does not
really
> show anything but could be easily mistaken by someone with less insight
(e.g.
> the press) to wrongly conclude that the seed-less approach is generally
> suspicious.
> This FUD effect would be bad.
> 
> For this reason, I tried to appeal to stop this unfortunate discussion in
which
> contrived examples are used to discredit much more straightforward
> approaches, but unfortunately, my post seem to have stimulated it.
> 

I disagree with some of the points above.  So: 

Contrived examples are useful when abstractions get too numerous and
difficult and hard to compare. They can more efficient at conveying an idea,
in using fewer words.  I hope that the CFRG will not misunderstand the
contrivances, but rather try to see the points they demonstrate.  I agree
that contrivances may not be interesting to be engineering and the general
public, who are more concerned with the end results, but researchers should
be able to consider them if it is for the purposes of clarity.

Nobody will ever be able to fully resolve the possibility of secret attacks.
So rather than dismissing the possibility as FUD, we should try to do what
we can to minimize this threat.  That's the whole reason for being of the
disciplines of public cryptanalysis and of provable security.  If any time
somebody proposes an algorithm with no published attacks, then they should
not be able dismiss any criticisms by crying FUD, right?

CFRG are neither the press nor the end user. I expect CFRG to be able to
engage in technical discussions, without censuring itself because of
possible misunderstanding by non-technical.

My BARC example was merely meant to demonstrate that rigidity alone does not
support the security of Curve25519 against secret attacks.  Rather, if the
maturity of cryptanalysis suggests that all known attacks are public, then
Curve25519 is secure.  Or, perhaps maturity of public cryptanalysis only
suggests that any weak curve classes differ from the Pohlig--Hellman and MOV
weak classes in the sense that the secret class is only reachable by trying
multiple curves and we heuristically expect it to apply to all curves with
equal probability.  In fact, I already tried make this abstract argument
long ago on the TLS and CFRG lists: that one needs to assume that some
secret attack which Curve25519 can resists is an attack that affects all
curves with equally likelihood, which sounds like a plausible assumption,
and indeed is a weaker assumption than assuming no secret attacks. That
said, it is not true for the some of the known attacks, at least the PH and
MOV attacks.  I'm not sure if this abstract argument sounded believable, so
I provided the BARC example as a demonstration.  

The 56-bit secure y^2 = x^3 + x^2 + x variant of Curve25519 may perhaps only
demonstrate something vastly weaker abstract idea: that a rigid curve can be
weaker than expected curve just by a fluke, in other words, that bad luck is
possible.  I don't know enough to be completely sure whether this particular
example is much worse than average, or if it qualifies as a one-in-a-million
type of fluke.  Of course, once a random curve is selected, it can suffer
from bad luck too.  In the case of a fixed random curve, at least we can
form an argument about a priori probabilities.  So, that's why I'm saying
that this is a much weak abstract idea, because it hinges on the notion of a
priori probabilities.  Selecting random curves more often would be costly,
but would improve this particular aspect.

Best regards,

Dan