Re: [TLS] Safe ECC usage

"D. J. Bernstein" <djb@cr.yp.to> Wed, 23 October 2013 09:47 UTC

Date: 23 Oct 2013 09:47:10 -0000
Message-ID: <20131023094710.32763.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls@ietf.org
Mail-Followup-To: tls@ietf.org
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
References: <523E176F.3050304@gmail.com> <52616365.1080108@nthpermutation.com>
Subject: Re: [TLS] Safe ECC usage

Michael StJohns writes:
> The existence of this document, created in 1997 would tend to suggest
> that at least a few curves were created in X9 and not by NIST

If you look at

   http://csrc.nist.gov/csrc/fedstandards.html

you'll see NIST stating "These curves have been generated and reviewed
by the government." Offhand I can't think of a NIST document admitting
that the curves were created by NSA, but everyone in the community knows
Jerry Solinas as the NSA point man on this. NSA's earlier contribution
of the same curves to X9 is what led to X9 demanding seeds for curves
(and incorrectly labeling seeded curves as "verifiably random").

---D. J. Bernstein
   Research Professor, Computer Science, University of Illinois at Chicago