Re: [TLS] Safe ECC usage

Watson Ladd <watsonbladd@gmail.com> Thu, 17 October 2013 01:05 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E1EC11E819B for <tls@ietfa.amsl.com>; Wed, 16 Oct 2013 18:05:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.27
X-Spam-Level:
X-Spam-Status: No, score=-2.27 tagged_above=-999 required=5 tests=[AWL=-0.270, BAYES_00=-2.599, J_CHICKENPOX_16=0.6, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wsfic+2Idh5W for <tls@ietfa.amsl.com>; Wed, 16 Oct 2013 18:05:37 -0700 (PDT)
Received: from mail-la0-x22d.google.com (mail-la0-x22d.google.com [IPv6:2a00:1450:4010:c03::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 203FE21F9A05 for <tls@ietf.org>; Wed, 16 Oct 2013 18:05:36 -0700 (PDT)
Received: by mail-la0-f45.google.com with SMTP id eh20so1207194lab.18 for <tls@ietf.org>; Wed, 16 Oct 2013 18:05:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=YzC1NHAQGxMKvOT4/ou5E7IIFUsGuhOebu3jRqlawSo=; b=yVWvzTz6+zwG4nQx+24VVMqCwIHdXvCuM/B9k7TPpr0Quh0bVzySW/sp8GEMWTC2oO /C9V3vYnYBh7vI+vJxeo4zcrwnmSlx4xWmgf1TnOchWb4MLfgZtKzPapkVIOV4FoP4j/ phOJDSPofcKTbwrqeDFa76hTQgA4E2LUBnLxIPdZ2782S23GoBJenD5p9aNN4XjAh0e8 AobLYrOSUWgxSrJ7QOiXEVITxyI8fSZiQ/uoCCEUDliatCAooQpWZAregHQsrPmeypS2 ViThRTeGjqb52T8zTSnBOva4ZIOj3/NRkSUeagFIsbyPO/iN6zHmuYkOw+ha2VZ62Gne K+pg==
MIME-Version: 1.0
X-Received: by 10.112.130.138 with SMTP id oe10mr4916211lbb.1.1381971932763; Wed, 16 Oct 2013 18:05:32 -0700 (PDT)
Received: by 10.152.1.66 with HTTP; Wed, 16 Oct 2013 18:05:32 -0700 (PDT)
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5BEBAA5@XMB117CNC.rim.net>
References: <523E176F.3050304@gmail.com> <9A043F3CF02CD34C8E74AC1594475C7355674EE0@uxcn10-6.UoA.auckland.ac.nz> <20130926152757.15842.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5BDB49B@XMB116CNC.rim.net> <20130928223648.1113.qmail@cr.yp.to> <20130929025714.5578895.47771.4422@certicom.com> <20131001143511.11010.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5BDE21E@XMB116CNC.rim.net> <20131002161944.8125.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5BDE90F@XMB116CNC.rim.net> <20131003010455.17185.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5BDECA6@XMB116CNC.rim.net> <20131005192950.27059.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5BE4A9D@XMB116CNC.rim.net> <20131012003058.669.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5BEBAA5@XMB117CNC.rim.net>
Date: Wed, 16 Oct 2013 18:05:32 -0700
Message-ID: <CACsn0c=bSTMWwuHxD3eE3ABC_AxVRt-BOTybEr7umPQD5NB+cA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Brown <dbrown@certicom.com>
Content-Type: text/plain; charset=UTF-8
Cc: "djb@cr.yp.to" <djb@cr.yp.to>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Safe ECC usage
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Oct 2013 01:05:38 -0000

On Wed, Oct 16, 2013 at 12:36 PM, Dan Brown <dbrown@certicom.com>; wrote:

> Based on this score, if I had to guess what the next attack would be, then I
> would guess special.  An attack on random would be a breakthrough.
> Therefore, trying to choose a random curve is a best guess approach.
>

>> I say that it's a good idea to narrow the distribution even more, in
>> fact down to a single curve, by taking the _smallest_ curve coefficient
>> within the usual massively biased distribution. That's what Curve25519
>> does. This isn't just a performance win; it also prevents the sort of
>> manipulation that's clearly possible for someone who claims to be
>> "randomly" choosing curves from the wider distribution.
>>
>> Now imagine that there's no manipulation. How does this single-curve
>> distribution compare in security to the larger (massively biased)
>> distribution against some unknown attack? The correct answer is that we
>> have no idea---maybe it's more secure, maybe it's less secure, maybe
>> it's the same.
>
> Uncertainty, "no idea", about unknown attacks is a given, but we should
> still try to resist them, even if that means making assumptions and
> guessing.  Provably secure algorithm try to do this.  Previously unknown
> attacks are known pop up, occasionally.   But, we also give weight to the
> effort that people have exerted in trying to find attacks, to infer the
> unlikelihood of new attacks being discovered.
>
So you agree that E(random curve falls to unknown attack)=E(Curve25519
falls to random attacks). (This is is obvious unless
cosmic conspiracy happens, and if it isn't, think about it). But now the
question is whether the author of the random curve really picked it at
random, vs specified a curve. And then the fact that DJB specified at
most 17 bits or so is very important: a new attack would have to work
on 2^{-17} of all curves to work on Curve25519.
Sincerely,
Watson Ladd

-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin