Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,

Andrey Jivsov <crypto@brainhub.org> Sat, 28 June 2014 20:52 UTC

Message-ID: <53AF2B0A.7030205@brainhub.org>
Date: Sat, 28 Jun 2014 13:52:26 -0700
From: Andrey Jivsov <crypto@brainhub.org>
To: tls@ietf.org
References: <53AC97B8.2080909@nthpermutation.com> <CABcZeBN5uY4bteXW=OFC1z3ANoSC8AqxG6E6artdOKPF=VxdJg@mail.gmail.com> <53AD56D2.7060200@cs.tcd.ie> <53AF1E98.2080906@nthpermutation.com> <53AF2633.9000207@brainhub.org> <53AF2804.5080204@nthpermutation.com>
In-Reply-To: <53AF2804.5080204@nthpermutation.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/EooQoYjEj141xHAPHYPgE_fOPQQ
Subject: Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,

On 06/28/2014 01:39 PM, Michael StJohns wrote:
> On 6/28/2014 4:31 PM, Andrey Jivsov wrote:
>> On 06/28/2014 12:59 PM, Michael StJohns wrote:
>>>
>>> >>>>  "IPR Issues":
>>>
>>> The specific set of IPR issues that concern me are the license and 
>>> copyright with respect to DJB's basic work.    Unless there is a 
>>> "perpetual, paid up, world-wide, irrevocable" license for anything 
>>> that he's done (or could do in this space) there are possible future 
>>> issues.  Something as simple as invoking the already existing 
>>> copyright on the curve data could be problematic.
>>>
>>> Note that I'm not saying this will happen, or that it's even 
>>> contemplated,  but it's a potential problem that should be resolved 
>>> formally and legally.
>>>
>>> (It's possible there is such a document, but I went looking and 
>>> didn't find it.  Some of this is tagged "public domain" but that's 
>>> probably insufficient for most lawyers).
>>>
>>> If DJB et al is willing to transfer change control/copyright/patent 
>>> rights/moral rights to the IETF (via appropriate documentation), and 
>>> the IETF is willing to publish an actual standard then this 
>>> objection goes away. 
>>
>> BTW, focusing on F(p) (which is not really an ECC) also helps with 
>> the above concerns. p = 2^n-C is free due to the following expired 
>> patent : https://www.google.com/patents/US5159632 .
>>
>> IMO it would appear "safer" for hardware vendors to only 
>> implement/provide optimization primitives for F(p), for a couple of 
>> specific p's.
>
> If I generated parameters for F(p) and published them under normal 
> copyright, AFAIK you couldn't use them absent a copyright license 
> regardless of patent rights.   For the existing curves, those grants 
> of license exist in some form or another.   To avoid IPR issues, you 
> need a set of both technology (patent) rights and parameter 
> (copyright) rights.
>
> As I said, I just want the documentation to avoid future issues.

Staying within F(p), we know that 2^n - C is now free as an idea (ref. 
above). (There is speculation that P-521 was not made part of 
Suite B due to that now-expired patent.)

It makes sense to have C smallest. C=189 for n=256. (As I wrote 
earlier, I don't see why it should be 2^255-19, but that p is selected 
using the same criteria.)

It should be possible to find prior work by people who experimented with 
such primes. (Starting from 
http://www.iacr.org/archive/ches2010/62250075/62250075.pdf, regarding 
2^256-189, and walking back in time...)
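As an added example (not part of Andrey Jivsov's message or of anything else in this thread), the Python script below does two things a practitioner would want to check for themselves: it searches for the least C such that 2^n - C is prime, which is the "smallest C" criterion discussed above (giving C=189 for n=256, C=19 for n=255, and C=1 for n=521, where 2^521-1 is P-521's Mersenne prime), and it shows why a small C matters for hardware and software: reduction modulo 2^n - C needs only shifts, masks and a multiply by the tiny constant C, with a bounded number of folds. The primality test is Miller-Rabin with fixed-seed random bases, so the "prime" answers are probable-prime answers; function and variable names are this example's own, not from any paper or library.

```python
"""Smallest C with 2^n - C prime, and the cheap reduction such a prime allows.
Added worked example for the [TLS] thread on 2^n - C primes; not from the thread."""
import random

# Trial-division primes; a candidate divisible by one of these is rejected cheaply.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n, rounds=40):
    """Miller-Rabin with `rounds` random bases (fixed seed, so runs are reproducible).
    Composites survive all rounds with probability at most 4^-rounds."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:           # write n - 1 = d * 2^s with d odd
        d //= 2
        s += 1
    rng = random.Random(0)      # assumption: deterministic bases are fine for a demo
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False        # a is a witness: n is composite
    return True


def smallest_c(n):
    """Least C >= 1 with 2^n - C (probably) prime, i.e. the largest n-bit prime.
    Only odd C is tried: even C makes 2^n - C even."""
    c = 1
    while not is_probable_prime((1 << n) - c):
        c += 2
    return c


def reduce_mod_crandall(x, n, c):
    """Reduce 0 <= x < p^2 modulo p = 2^n - c using 2^n == c (mod p):
        x = hi * 2^n + lo  ==  hi * c + lo   (mod p)
    Each fold is a shift, a mask and a multiply by the small constant c.
    Returns (x mod p, number of folds performed) so the bound can be inspected."""
    p = (1 << n) - c
    mask = (1 << n) - 1
    folds = 0
    while x >> n:                       # while x still has bits above position n
        x = (x >> n) * c + (x & mask)
        folds += 1
    while x >= p:                       # at most one conditional subtraction remains
        x -= p
    return x, folds


def reduction_matches(n, c, trials=200, seed=1):
    """Cross-check reduce_mod_crandall against Python's % on random products a*b
    with a, b < p.  Returns the maximum fold count seen, or -1 on any mismatch."""
    p = (1 << n) - c
    rng = random.Random(seed)
    worst = 0
    for _ in range(trials):
        a, b = rng.randrange(p), rng.randrange(p)
        res, folds = reduce_mod_crandall(a * b, n, c)
        if res != (a * b) % p:
            return -1
        worst = max(worst, folds)
    return worst


if __name__ == "__main__":
    for n in (127, 255, 256, 521):
        c = smallest_c(n)
        print(f"n={n}: smallest C = {c}, max folds over 200 products = "
              f"{reduction_matches(n, c)}")
```

The fold bound is worth noting when judging a candidate p: for n=256 and C=189 a product of two field elements is below 2^512, the first fold leaves fewer than 265 bits, and the remaining folds shrink the excess to a handful of bits before a single conditional subtraction, which is why the reduction step is so cheap to hard-wire compared with a general Montgomery or Barrett reduction.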