Re: [TLS] On Curve25519 and other possibilities (e.g., ietf256p, ietf384p, ietf521p,
Nigel Smart <nigel@cs.bris.ac.uk> Fri, 27 June 2014 08:52 UTC
Return-Path: <csnps@bristol.ac.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EB8B1B3177 for <tls@ietfa.amsl.com>; Fri, 27 Jun 2014 01:52:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R6M6iwU9YO9Y for <tls@ietfa.amsl.com>; Fri, 27 Jun 2014 01:52:11 -0700 (PDT)
Received: from eu1sys200aog102.obsmtp.com (eu1sys200aog102.obsmtp.com [207.126.144.113]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC9531B2F33 for <tls@ietf.org>; Fri, 27 Jun 2014 01:52:10 -0700 (PDT)
Received: from mail-wg0-f48.google.com ([74.125.82.48]) (using TLSv1) by eu1sys200aob102.postini.com ([207.126.147.11]) with SMTP ID DSNKU60wttwxVBPD5HscWniPM5SBNvjw3A6v@postini.com; Fri, 27 Jun 2014 08:52:10 UTC
Received: by mail-wg0-f48.google.com with SMTP id n12so4853820wgh.31 for <tls@ietf.org>; Fri, 27 Jun 2014 01:52:05 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:sender:message-id:date:from:user-agent :mime-version:to:subject:content-type:content-transfer-encoding; bh=CI+21M3ZWdSO53S3OSVXlTW6wE8wz9PAgh+D3VQOoAA=; b=e9kIUSb8CJ0SahfNycS3fxYvlWFLPjJna+225bwaIQefCunKVsldA8O+uEl02zOFHI AFhP75vTc8aH6sGwUKXeOt2Nqht0+oA14PUZc5kiOmO5Ab9HaRaG26SQetGaOb9+8eMy N+u8xbn0PCB01I5kTVJkRMn3lSagaxar6q70gUvvW0l+ZBmpajoKT+T+C7lD0sW9QM3f rZsNrNuBPEWSl9By8L4629zbluStVlhjrXI1zF22VjxCctg6WjJph+n9FflhcYdQtcqZ nk0qtabBBdWa9IO8tkI5e3uuOjS7vht26sOigDDAx9NR40qsB465xaeWnPlPGjO4pF7/ D1lw==
X-Gm-Message-State: ALoCoQksHeklrqKNzp9MTOQ6uT8dv22njLzwBPaf56YY+m/y8X0JT0QuDC3HgqstMoDSfpnpLSSCiqHHAyuN4eccmE1PaI8ceSQdX/OJIwyhxfz7eIiPM44KdIn/2Lbm1MAxjxQ9c4pK
X-Received: by 10.194.62.110 with SMTP id x14mr23919945wjr.15.1403859125866; Fri, 27 Jun 2014 01:52:05 -0700 (PDT)
X-Received: by 10.194.62.110 with SMTP id x14mr23919933wjr.15.1403859125769; Fri, 27 Jun 2014 01:52:05 -0700 (PDT)
Received: from [192.168.1.242] ([95.144.51.46]) by mx.google.com with ESMTPSA id fb15sm34061777wid.23.2014.06.27.01.52.04 for <tls@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 27 Jun 2014 01:52:05 -0700 (PDT)
Sender: Nigel Smart <csnps@bristol.ac.uk>
Message-ID: <53AD30B6.6000509@cs.bris.ac.uk>
Date: Fri, 27 Jun 2014 09:52:06 +0100
From: Nigel Smart <nigel@cs.bris.ac.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: tls@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/0p9w7HB7lLcBIR_U1o5ymgg6KsE
Subject: Re: [TLS] On Curve25519 and other possibilities (e.g., ietf256p, ietf384p, ietf521p,
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jun 2014 08:52:13 -0000
I think the "hype" around the possible issue re random
number choice in the NIST curves is just scare mongering
etc.
The argument against the NIST curves that they are easy
to poorly implement is also I think slightly a bit of
scare mongering. For Curve25519 you use a non-standard
DH exchange (to some extent), it is not of prime order
(bringing in more issues), cannot be directly used for
standard signatures (modifications do exist), and the code
to use it is not the same as for other curves (thus
creating code bloat, issues for programming error etc).
Thus in my view using Curve25519 would create the same
problems which the proponants are trying to solve.
Saying people can just use NaCl is also a bit of an
issue. I doubt everyone should base there security on
a single library (no matter who wrote it). We have
seen the issue with OpenSSL that just because something
is open source does not mean many eyes have looked at
it. And I suspect more eyes have looked at OpenSSL
than have looked at NaCl (of course the eyes looking
at OpenSSL have probably mainly rolled).
My recommendation would be to stick to
i) Prime field curves in Weierstrass form with A=-3
ii) Pick curves with prime order groups (no subgroups)
iii) Pick curves used in other standards so as to aid
interoperability/code re-use)
Now the NIST curves meet this spec, as will others.
Nigel
--
Prof. Nigel P. Smart | Tel +44 (0)117 9545163
Computer Science Department, | Fax +44 (0)117 9545208
Woodland Road, | Email nigel@cs.bris.ac.uk
Bristol, BS8 1UB, UK | http://www.cs.bris.ac.uk~nigel