Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,

Watson Ladd <watsonbladd@gmail.com> Fri, 04 July 2014 15:15 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63FA11B2A6F for <tls@ietfa.amsl.com>; Fri, 4 Jul 2014 08:15:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cttJOYUI0XhK for <tls@ietfa.amsl.com>; Fri, 4 Jul 2014 08:15:33 -0700 (PDT)
Received: from mail-wg0-x232.google.com (mail-wg0-x232.google.com [IPv6:2a00:1450:400c:c00::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 935301B29F8 for <tls@ietf.org>; Fri, 4 Jul 2014 08:15:33 -0700 (PDT)
Received: by mail-wg0-f50.google.com with SMTP id x13so795026wgg.9 for <tls@ietf.org>; Fri, 04 Jul 2014 08:15:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=51skg31XKp+UcgGpgArbdy1MdKr59LCoIh64D/od0LU=; b=eed67uR26YiFhZKki6kV7A6zAsFCx1sFfL/S8rBg9XN0X5ZU9Abwi1Uo9AeJ+ALKFx tE1EAMh7ddrHl0BmAiXEA38gKq5eU2UDCO2MsAD3jGM7Gp46ziGBbRorSeyd+ZV4+iqa ZfRqgDLvWKAQtzm98UPIczLhScdvH9MW8ccvPf97VMmmUd0i3iyZ/NyMyJUxmKNHCKYC DZEB+T1FTDMuIxVsVNKhudsqC2PknCuv0rNNMnoHqblt0mj7+mujXM2GCt/l+3jz+Ubu jCqQKWcBJY0TargQUQ7AUPqxQKv5tOXSsNOMp1nJmrp/YrKI/YiSwCYP26hYf3ztdTic BKsw==
MIME-Version: 1.0
X-Received: by 10.194.48.103 with SMTP id k7mr12879787wjn.68.1404486932203; Fri, 04 Jul 2014 08:15:32 -0700 (PDT)
Received: by 10.194.21.69 with HTTP; Fri, 4 Jul 2014 08:15:32 -0700 (PDT)
In-Reply-To: <53B6C159.7010002@secunet.com>
References: <53AC97B8.2080909@nthpermutation.com> <53AD134E.9010903@akr.io> <53B6C159.7010002@secunet.com>
Date: Fri, 4 Jul 2014 08:15:32 -0700
Message-ID: <CACsn0cnYk+MoGfGnH=cad0_sSw4WCdKehVTMBO1b4EO---PC6A@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Johannes Merkle <johannes.merkle@secunet.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/3yPLsVVwmed7StYilEWPrZYEDIk
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jul 2014 15:15:35 -0000

On Fri, Jul 4, 2014 at 7:59 AM, Johannes Merkle
<johannes.merkle@secunet.com> wrote:
> Alyssa Rowan wrote on 27.06.2014 08:46:
>> Brainpool has already generated a set of 'random' primes, but random primes are extremely slow to implement - and
>> in the case of Brainpool, the 256-bit curve has extremely unfortunate lack of twist security, so any implementation
>> that tries to skip validation is in really big trouble.
>
> Why should anyone try to skip validation? In order to improve performance by less than 1%?

Implementations frequently expose an API where validation is separate
from group operations, and people
just forget to make the call sometimes.

Furthermore, with anything other than a compressed format it's not
just twist security, but any security that failure of point validation
harms.
I send point on a curve with smooth order, and extract the key. I send
point on curve with small order, and dictate the key, etc.

Twist security matters for Joyce-Briers ladders only, as far as I know
on Weierstrass curves. Other formulas use the y coordinates.

Sincerely,
Watson Ladd
>
>
> --
> Johannes
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin