Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,

Dan Brown <dbrown@certicom.com> Sun, 29 June 2014 11:47 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DA031A0467 for <tls@ietfa.amsl.com>; Sun, 29 Jun 2014 04:47:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.899
X-Spam-Level:
X-Spam-Status: No, score=-3.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, HTML_MESSAGE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QhZClNfqYW7Z for <tls@ietfa.amsl.com>; Sun, 29 Jun 2014 04:47:24 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id 1605B1A0347 for <tls@ietf.org>; Sun, 29 Jun 2014 04:47:23 -0700 (PDT)
Received: from xct102cnc.rim.net ([10.65.161.202]) by mhs211cnc.rim.net with ESMTP/TLS/AES128-SHA; 29 Jun 2014 07:47:23 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT102CNC.rim.net ([fe80::2066:5d4f:8c45:af55%17]) with mapi id 14.03.0174.001; Sun, 29 Jun 2014 07:47:22 -0400
From: Dan Brown <dbrown@certicom.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,
Thread-Index: Ac+Tj+NMpz9/fRpLQkOEH6a3FPqHJw==
Date: Sun, 29 Jun 2014 11:47:22 +0000
Message-ID: <20140629114721.22319253.31253.15976@certicom.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="===============0206733533=="
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/LPpWfUqql9GyHbH9BPUPZMRDD_Y
Subject: Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Jun 2014 11:47:27 -0000

Not sure but Weierstrass version of Curve25519 may‎ be a MAY in FIPS 186-4, ANSI X9.62/63, IEEE 1363, SEC1. I can check next week. Because major security properties like hard DLP are preserved between the two versions, those SDOs effectively have no major security concerns with Curve25519 . Only the Suite B and NIST/CSEC FIPS 140-* CAVP might narrow the curve set allowed enough to exclude the Weierstrass equivalent of Curve25519. 

Didn't IETF, maybe PKIX, opt for a MUST on named curves only? That was for interoperability reasons, right? Again, I can check next week.

The reason I'm offering this info now even though I'm not 100% sure, is that I see some arguments here contrasting ANSI and IETF, so I'm advising those arguers to be sure to know what those specs do or have done.

My personal view is that Curve25519 security should be good overall, actually  better than P256 in a few aspects, but slightly worse in others, so not theoretically optimal security. 

Certicom has a variety of‎ IPR, and has made several declarations and letters of assurance to IETF and to other SDOs. My guess is that any IPR that might possibly pertain to Curve25519, has already been declared to IETF, at least to the TLS WG. Certicom is reviewing this, but since Matt Campagna left, we've lagged a little on IPR stuff, sorry.

Best regards, 

-- Dan
From: Watson Ladd
Sent: Saturday, June 28, 2014 7:05 PM
To: tls@ietf.org
Subject: Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,


On Jun 28, 2014 3:55 PM, "Michael StJohns" <msj@nthpermutation.com> wrote:
>
> On 6/28/2014 6:24 PM, Salz, Rich wrote:
>>>
>>> *sigh* If the IETF is really going to get into the business of standardizing
>>> > crypto, we need to get the process for doing so right the first time rather
>>> > than just plugging it in to TLS and hoping we don't have to redo it over and
>>> > over again.
>>
>> Agree.  But again, it's "back into the business"  Because we did it before with TLS1, IPsec, and ECC curves therein.
>
>
> Um... huh?  Can you provide specifics about which cryptographic algorithms  we standardized?  This is news to me.

Camellia, RC4, HMAC. Of course we still screwed up TLS 1.0 by ignoring lessons from IPSEC.

>
> And I'm not talking about "here's how you use ECDSA for TLS or ECDH for  for IPSEC" documents, but something comparable to SP800-56A or FIPS186-4 or X9.63.

What's magical about ANSI? Furthermore,  we aren't developing an algorithm, but documenting one that already exists, the way RFC 6090 claimed to.

There is nothing magical that makes using AES secure. You always have to know what you are doing.

So I don't see picking curve25519 as inherently riskier then decisions we make every day in this WG.
>
> Mike
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>