[TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,
Michael StJohns <msj@nthpermutation.com> Thu, 26 June 2014 21:59 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 617BB1B2FA1 for <tls@ietfa.amsl.com>; Thu, 26 Jun 2014 14:59:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wG0LGoWJW7sq for <tls@ietfa.amsl.com>; Thu, 26 Jun 2014 14:59:05 -0700 (PDT)
Received: from mail-qg0-f48.google.com (mail-qg0-f48.google.com [209.85.192.48]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F04F11B2FA0 for <tls@ietf.org>; Thu, 26 Jun 2014 14:59:04 -0700 (PDT)
Received: by mail-qg0-f48.google.com with SMTP id q108so3591665qgd.21 for <tls@ietf.org>; Thu, 26 Jun 2014 14:59:04 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:content-type:content-transfer-encoding; bh=6Y4DsZDhDZOdGVEzRbnJEY+YG66YiFixxUQMKkwl47Q=; b=GdgH+AvSmgK0MVTxRjyYGpqc2XCPEZzOghZg/oWa999fROZXRNm+1rNGurLmmG+Y8L VfkX0qWcpm6zdzGUd+BSx+2KXEauPF3vIDNeS/Uroi+9S7D5Tv6z+qvCufYyV7t66wVh pJAdAskhHK8IfUz4Qyze9caFv1TdKYm4vX2dlgZVpewCvMR7YzqDqYzzm1DmufiYicIR KDtyVHm7H/m/YmZcx37XiqC+o5F2dxAJ0nlayil8y0uwhygkHpGK/nD2u6H1hXYsxVkr Pu5FghI7LOBBB60+GyPs9J40X8CJkOvXx1YF9+z9fPBdSVFSr0gUaQxyWZcLt4O5qjMC SiKQ==
X-Gm-Message-State: ALoCoQnW+6nL3j1LycYZsoQjNfJLYv4ItZ2Ls4XKk7GQooRablwXvJ1vbcZl/vepqVSjYK9N0ZR5
X-Received: by 10.140.92.144 with SMTP id b16mr2680742qge.41.1403819944111; Thu, 26 Jun 2014 14:59:04 -0700 (PDT)
Received: from [10.90.129.164] (edge-gw-rwc.silverspringnet.com. [74.121.22.10]) by mx.google.com with ESMTPSA id l33sm5010663qgd.6.2014.06.26.14.59.03 for <tls@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 26 Jun 2014 14:59:03 -0700 (PDT)
Message-ID: <53AC97B8.2080909@nthpermutation.com>
Date: Thu, 26 Jun 2014 17:59:20 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/DML_1443EVBJTd1VL-o6-ODHkT8
Subject: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jun 2014 21:59:06 -0000
There's been a small but vocal minority agitating for the adoption of Curve25519 for use in TLS (and other IETF protocols). As the discussion has gone on, what I haven't seen is compelling evidence that this technology has been vetted sufficiently that it would meet the "Best Commercial Practices" threshold for safe harbor status for encryption. It may eventually get there, but for at least the next few (5-10??) years, I would expect businesses to avoid the use in privacy sensitive, or financially sensitive operations. There are also possible IPR issues, definite infrastructure issues (e.g. no off the shelf, commercial hardware or software AFAIK), documentation issues (not the base curve, but how to incorporate curve data into certificates and other protocol messages, and the fact it's key agreement only (vs the current EC curves which can be used for both signature and agreement). A long list of items that probably, but not definitely, can be resolved. AFACT, one of the main reasons for looking at Curve25519 (possibly more important than performance or security) is that there is a fear that the US Government has placed trapdoors in the current set of curves (NIST P256, P384, P521 etc). The argument against the "provably random" creation claim with respect to those curves appears to be that many "seed" values could have been generated to generate curve parameters and those curves tested to find "weak" curves of a particular flavor and the seeds for weak curves retained. In other words, we don't know how the seed values were generated and it could be nefarious. I haven't as yet found any argument against the generation process, nor specifically against the elliptic curve math. Given that the EC math in FIPS186, X9.62, X9.63, SP800-56A, SEC1, and the various ISO documents is pretty much identical, instead of throwing away all that implementation and standardization, how about we just generate new curves: 1) 20 organizations publicly contribute random/pseudo-random strings of 1kbits - they get to decide exactly which bits to send. 1a) discard any of these with detectable bias. 2) Randomly select 10 sets of contributed bits from those remaining (using public randomness sources to select those to be retained). 3) Concatenate the bits in a random order (using public randomness sources such as stock prices etc to select the order). 4) Run the concatenated data through an entropy extraction process (e.g. hash, hmac, other PRF) to produce a seed value of sufficient length. (or seed values if all the curves come from this one pass). 5) Generate the curve data and generator points from the seed. 6) Assign IETF OIDs to each curve generated this way. 7) Permanently record ALL the data used to generate the curves so we don't have future conspiracy theories. For most of libraries and hardware devices with which I work, the curve data is pretty much static configuration (external table referenced by OID) or compilation (ditto but compiled in), or provided as a library argument and most libraries have a mechanism to insert or use new curves fairly easily - at least within the same family. I'd recommend that we generate curves equivalent in strength to the current NIST curves in all of prime, binary and koblitz flavors. Mike
- [TLS] On Curve25519 and other possibilities (e.g.… Michael StJohns
- Re: [TLS] On Curve25519 and other possibilities (… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] On Curve25519 and other possibilities (… Eric Rescorla
- Re: [TLS] On Curve25519 and other possibilities (… Hanno Böck
- Re: [TLS] On Curve25519 and other possibilities (… Martin Thomson
- Re: [TLS] On Curve25519 and other possibilities (… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] On Curve25519 and other possibilities (… Adam Langley
- Re: [TLS] On Curve25519 and other possibilities (… Viktor Dukhovni
- Re: [TLS] On Curve25519 and other possibilities (… Watson Ladd
- Re: [TLS] On Curve25519 and other possibilities (… Salz, Rich
- Re: [TLS] On Curve25519 and other possibilities (… Peter Gutmann
- Re: [TLS] On Curve25519 and other possibilities (… Peter Gutmann
- Re: [TLS] On Curve25519 and other possibilities (… Watson Ladd
- Re: [TLS] On Curve25519 and other possibilities (… Viktor Dukhovni
- Re: [TLS] On Curve25519 and other possibilities (… Alyssa Rowan
- [TLS] Hardware Implementations .. Re: On Curve255… Hannes Tschofenig
- Re: [TLS] Hardware Implementations .. Re: On Curv… Joachim Strömbergson
- Re: [TLS] On Curve25519 and other possibilities (… Paul Hoffman
- Re: [TLS] Hardware Implementations .. Re: On Curv… Hannes Tschofenig
- Re: [TLS] On Curve25519 and other possibilities (… Stephen Farrell
- Re: [TLS] On Curve25519 and other possibilities (… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] On Curve25519 and other possibilities (… Andrey Jivsov
- Re: [TLS] On Curve25519 and other possibilities (… Nigel Smart
- Re: [TLS] On Curve25519 and other possibilities (… Watson Ladd
- Re: [TLS] On Curve25519 and other possibilities (… Alyssa Rowan
- Re: [TLS] On Curve25519 and other possibilities (… Michael StJohns
- Re: [TLS] On Curve25519 and other possibilities (… Andrey Jivsov
- Re: [TLS] On Curve25519 and other possibilities (… Eric Rescorla
- Re: [TLS] On Curve25519 and other possibilities (… Andrey Jivsov
- Re: [TLS] On Curve25519 and other possibilities (… Michael StJohns
- Re: [TLS] On Curve25519 and other possibilities (… Michael StJohns
- Re: [TLS] On Curve25519 and other possibilities (… Andrey Jivsov
- Re: [TLS] On Curve25519 and other possibilities (… Eric Rescorla
- Re: [TLS] On Curve25519 and other possibilities (… Salz, Rich
- Re: [TLS] On Curve25519 and other possibilities (… Michael StJohns
- Re: [TLS] On Curve25519 and other possibilities (… Watson Ladd
- Re: [TLS] On Curve25519 and other possibilities (… Michael StJohns
- Re: [TLS] On Curve25519 and other possibilities (… Eric Rescorla
- Re: [TLS] On Curve25519 and other possibilities (… Dan Brown
- Re: [TLS] On Curve25519 and other possibilities (… Stephen Farrell
- Re: [TLS] On Curve25519 and other possibilities (… Michael StJohns
- Re: [TLS] On Curve25519 and other possibilities (… Michael StJohns
- Re: [TLS] On Curve25519 and other possibilities (… Eric Rescorla
- Re: [TLS] Off-topic: RC4 Peter Yee
- [TLS] On counting Paul Hoffman
- Re: [TLS] On Curve25519 and other possibilities (… Salz, Rich
- Re: [TLS] On counting Adam Caudill
- [TLS] Off-topic: RC4 Paul Hoffman
- Re: [TLS] On Curve25519 and other possibilities (… Salz, Rich
- Re: [TLS] On Curve25519 and other possibilities (… Watson Ladd
- Re: [TLS] On Curve25519 and other possibilities (… Michael StJohns
- Re: [TLS] On Curve25519 and other possibilities (… Michael StJohns
- Re: [TLS] On Curve25519 and other possibilities (… Watson Ladd
- Re: [TLS] On Curve25519 and other possibilities (… Salz, Rich
- Re: [TLS] On Curve25519 and other possibilities (… Nigel Smart
- Re: [TLS] On Curve25519 standardization Michael StJohns
- Re: [TLS] On Curve25519 and other possibilities (… Michael StJohns
- Re: [TLS] On Curve25519 and other possibilities (… Watson Ladd
- Re: [TLS] On Curve25519 and other possibilities (… Fedor Brunner
- Re: [TLS] On Curve25519 and other possibilities (… Peter Gutmann
- Re: [TLS] On Curve25519 and other possibilities (… Johannes Merkle
- Re: [TLS] On Curve25519 and other possibilities (… Watson Ladd
- Re: [TLS] On Curve25519 and other possibilities (… Andrey Jivsov
- Re: [TLS] On Curve25519 and other possibilities (… Johannes Merkle
- Re: [TLS] On Curve25519 and other possibilities (… Alyssa Rowan
- Re: [TLS] On Curve25519 and other possibilities (… Johannes Merkle
- Re: [TLS] On Curve25519 and other possibilities (… Blumenthal, Uri - 0668 - MITLL