IETF Logo Mail Archive

Re: [Curdle] IETF time slot / next step for CURDLE

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 27 June 2017 16:24 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B75E4126B7E for <curdle@ietfa.amsl.com>; Tue, 27 Jun 2017 09:24:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3yTvWJS-3qkt for <curdle@ietfa.amsl.com>; Tue, 27 Jun 2017 09:24:14 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) by ietfa.amsl.com (Postfix) with ESMTP id 8F2771271DF for <curdle@ietf.org>; Tue, 27 Jun 2017 09:24:13 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id DD72F253F5; Tue, 27 Jun 2017 19:24:11 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id d8UtemQCOP5A; Tue, 27 Jun 2017 19:24:11 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 7B929C4; Tue, 27 Jun 2017 19:24:08 +0300 (EEST)
Date: Tue, 27 Jun 2017 19:24:08 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "Mark D. Baushke" <mdb@juniper.net>
Cc: Daniel Migault <daniel.migault@ericsson.com>, "curdle@ietf.org" <curdle@ietf.org>
Message-ID: <20170627162408.2nfznul3xhbsnnam@LK-Perkele-VII>
References: <2DD56D786E600F45AC6BDE7DA4E8A8C118C878F5@eusaamb107.ericsson.se> <99335.1498577163@eng-mail01.juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <99335.1498577163@eng-mail01.juniper.net>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/O21G0qcGz0w9oySYTtLK-dwSEzs>
Subject: Re: [Curdle] IETF time slot / next step for CURDLE
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jun 2017 16:24:17 -0000

On Tue, Jun 27, 2017 at 08:26:03AM -0700, Mark D. Baushke wrote:
> Hi Daniel,
> 
> Daniel Migault <daniel.migault@ericsson.com> writes:
> 
> > As we are close to have all our document sent to the IESG, we would
> > like to understand if you see any future work items. Please provide
> > any thoughts on the mailing list.
> 
> There are a number of expired and dead drafts that should probbly be
> finished (ssh-ed25519, dnskey-ed25519, pkix-eddsa, pkix-newcurves).

ssh-ed25519 actually seems dead, and I can't find any repacment
draft. Note, there are existing implementations here that could be
documented.

dnskey-ed25519 was superceded, replacement is RFC 8080.

pkix-eddsa and pkix-newcurves merged into pkix, currently sent to
IESG (what's up with that currently, last log entry is from beginnning
of may?).

> I think some work on a better way to create Diffie-Hellman primes may
> also be good to consider. There should be a way to use provable primes
> that are not backdoored and do not leak bits due to using a generator
> which does not generate a q-ordered subgroup. I would very much like to
> see this used as long term we know that the use of fixed groups makes an
> attractive target for precomputation.

Basically, there are no known bad primes for ECC except the too small
ones. However, the prime choice makes major impact on performance.
Therefore in most cases, the primes should be selected for performance.

The main problems with Edwards curves is cofactor of at least 4. That
may be problematic for some more exotic ECC algorithms (where just
clearing the cofactor doesn't work).  There are some rather clever
tricks for representations that behave like there is no cofactor.

The main advantages of Edwards curves is fast unified arithmetic, which
makes implementation in side-channel silent way reasonably easy.
Complete Edwards curves also map into complete Montgomery curves,
which are handy for implementing ECDH.

Then there is the two-edged sword of having the neutral point be like
other points. It is sure nice for side-channel silent implementations,
but can cause problems with some algorithms, especially in misuse
situations (CryptoNote recently had a security issue due to misuse of
Ed25519).

> To be fair, this group may also want to start looking at
> Post-Qutanum-Cryptographic algorithms as well. Or, perhaps that will be
> a new working group for the future.

For PQC, I think most that should be done in this group is integration
tests (for discovering hidden problems with things like message sizes).
Those are at most experimential with extra warnings that there is very
little evidence that the algorithm is any good, and should not be
implemented except for testing.


-Ilari

v2.23.0 | Report a Bug | By Email