Re: [TLS] draft-sheffer-tls-bcp: DH recommendations

Alex Elsayed <eternaleye@gmail.com> Tue, 24 September 2013 13:37 UTC

Return-Path: <ietf-ietf-tls@m.gmane.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A25811E8120 for <tls@ietfa.amsl.com>; Tue, 24 Sep 2013 06:37:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f2Y2DAJEWReI for <tls@ietfa.amsl.com>; Tue, 24 Sep 2013 06:37:46 -0700 (PDT)
Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) by ietfa.amsl.com (Postfix) with ESMTP id A419221F8EB5 for <tls@ietf.org>; Tue, 24 Sep 2013 06:37:45 -0700 (PDT)
Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from <ietf-ietf-tls@m.gmane.org>) id 1VOSo6-0003xv-Qc for tls@ietf.org; Tue, 24 Sep 2013 15:37:38 +0200
Received: from c-50-132-41-203.hsd1.wa.comcast.net ([50.132.41.203]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <tls@ietf.org>; Tue, 24 Sep 2013 15:37:38 +0200
Received: from eternaleye by c-50-132-41-203.hsd1.wa.comcast.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <tls@ietf.org>; Tue, 24 Sep 2013 15:37:38 +0200
X-Injected-Via-Gmane: http://gmane.org/
To: tls@ietf.org
From: Alex Elsayed <eternaleye@gmail.com>
Date: Tue, 24 Sep 2013 06:37:25 -0700
Lines: 25
Message-ID: <l1s4if$od1$1@ger.gmane.org>
References: <9A043F3CF02CD34C8E74AC1594475C7355676085@uxcn10-6.UoA.auckland.ac.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: c-50-132-41-203.hsd1.wa.comcast.net
User-Agent: KNode/4.11.1
Subject: Re: [TLS] draft-sheffer-tls-bcp: DH recommendations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2013 13:37:51 -0000

Peter Gutmann wrote:

<snip>
> If you do want to generate your own ECDH parameters (i.e. curves), that's
> another huge mess to deal with.  For DH you just use Lim-Lee and you're
> done (although the fact that TLS doesn't communicate the 'q' value is
> something I'd really like to see corrected), while for ECC you need to get
> an awful lot of special-case checks and conditions just right.

Bernstein and Lange have some interesting stuff regarding that in-progress; 
this presentation[1] points out that those very same special-case checks and 
conditions are made necessary by the types of curves chosen, and that by 
choosing complete, twist-secure Edwards curves those can largely be avoided.

However, neither of the NIST curves nor the Brainpool curves are Edwards 
curves at all due to not having an order 4 point.

> Then, once you've done that, you get to find out how many implementations
> support the arbitrary_explicit_prime_curves format, which I suspect is
> pretty close to zero.

Of course, this remains an issue.


[1] http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf