Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,

"Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu> Mon, 07 July 2014 16:08 UTC

Return-Path: <prvs=22656ad468=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44EF41A035A for <tls@ietfa.amsl.com>; Mon, 7 Jul 2014 09:08:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.85
X-Spam-Level:
X-Spam-Status: No, score=-4.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0GNlN9Cfyrda for <tls@ietfa.amsl.com>; Mon, 7 Jul 2014 09:08:36 -0700 (PDT)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id 7025E1A0357 for <tls@ietf.org>; Mon, 7 Jul 2014 09:08:36 -0700 (PDT)
Received: from LLE2K10-HUB02.mitll.ad.local (LLE2K10-HUB02.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id s67G8L51027064; Mon, 7 Jul 2014 12:08:33 -0400
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: "Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu>
In-Reply-To: <53BAC405.1000000@secunet.com>
Date: Mon, 7 Jul 2014 12:08:12 -0400
Content-Transfer-Encoding: quoted-printable
Message-ID: <E48C216E-32BC-400C-8A4B-208EC243D398@ll.mit.edu>
References: <53AC97B8.2080909@nthpermutation.com> <53AD134E.9010903@akr.io> <53B6C159.7010002@secunet.com> <3ba0acce-d784-423b-9d6f-fccda1f183aa@email.android.com> <53BAC405.1000000@secunet.com>
To: Johannes Merkle <johannes.merkle@secunet.com>
X-Mailer: Apple Mail (2.1510)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.12.52, 1.0.14, 0.0.0000 definitions=2014-07-07_02:2014-07-07,2014-07-07,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1407070182
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/GbolVVgw3bVeW3u4ot21ShyL5Bg
Cc: tls@ietf.org
Subject: Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jul 2014 16:08:38 -0000

On Jul 7, 2014, at 12:00 , Johannes Merkle <johannes.merkle@secunet.com> wrote:
> Alyssa Rowan wrote on 07.07.2014 15:14:
>> ......I appreciate there's not much we can do about implementers screwing up badly - but if we do have two primitives of about equal value and one fails catastrophically to a simple mistake that another does not, then as a matter of defense in depth, I'd generally prefer the more resilient one?.....
> In this discussion, it is important to focus on the most essential arguments. "Twist security" is not among them, as it only applies to very special cases and poor implementations. Montgomery and Edwards curves have other potential problems due the non-trivial co-factor, so there is always something a sloppy implementor can screw up.
> 
> Computational performance is a valid argument, and where performance is your main criteria, your may go for special primes and non-Weierstrass curves; but there are sufficient circumstances, where performance is not the principal criteria. IMHO, it is wise to maintain curves with different properties to accommodate different demands.

+1