Re: [TLS] Safe ECC usage

Nico Williams <> Thu, 17 October 2013 16:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6AE7B11E82A4 for <>; Thu, 17 Oct 2013 09:39:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[AWL=-0.123, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id t-jsjkbVgslB for <>; Thu, 17 Oct 2013 09:38:56 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 84DA911E829C for <>; Thu, 17 Oct 2013 09:38:56 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id 24E1C1E07C for <>; Thu, 17 Oct 2013 09:38:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type;; bh=AdK/jnUQL3BgWuQCLvpS WpXVNWo=; b=J2dZs15x+M7B5mTQSWcn+I1/Du5/KVkBOdSmoJIUxgM6aK9xehGJ SVj31DDYs3mQyE16WKUHaVG+ZHedC6G6ntpHMbUokFH4JVLMy4KbuyRaJk6hSOTv 04+YuoBslCNEfWhWIKhZkB+WhuGHAxJemjIjRRwLj2uvhoOFAE3DHak=
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id 9D5D01E071 for <>; Thu, 17 Oct 2013 09:38:55 -0700 (PDT)
Received: by with SMTP id w62so2569712wes.35 for <>; Thu, 17 Oct 2013 09:38:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=a6cX49TGEKt6GvFTSyanN96WkMv6ZgLopzw9rJFU9Hs=; b=nISvGURvpTu6lsvQGd2xcmBHA/fIHCFWfzbTkptE+b5Xpc0n+hvxKJ6nYk1LLMw8hY sseUvzL6YnhoK6u2ekHDXM44C8kc1g2fh7z3Zpc5MGUQ2FIwuaG/ivYGp/LH466Sk2gH 3xD9ZHDvho3AvvZE/0Nx6aT06dkkh6hIZmdNKgzB4IdaRVk0IutIaX9keCfphzy37/zc E5pDhTxK+RHYeQJVpItcjR77+cBeh1ybEn1Ul66Fw0dwncJ30byNmMeFMPmq9s4l1RF7 1NM92hS0TvDEgKGqjVoIkv0KeFPX7vNq/aFdVo3Xfm/hSqcYhUSsCsTa2Sr/eMcpuIvN POIA==
MIME-Version: 1.0
X-Received: by with SMTP id ja15mr7683382wic.36.1382027933955; Thu, 17 Oct 2013 09:38:53 -0700 (PDT)
Received: by with HTTP; Thu, 17 Oct 2013 09:38:53 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
Date: Thu, 17 Oct 2013 11:38:53 -0500
Message-ID: <>
From: Nico Williams <>
To: Dan Brown <>
Content-Type: text/plain; charset="UTF-8"
Cc: "" <>, "" <>
Subject: Re: [TLS] Safe ECC usage
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 17 Oct 2013 16:39:01 -0000

On Thu, Oct 17, 2013 at 10:46 AM, Dan Brown <> wrote:
> Why couldn't a new attack just work on one curve, namely Curve25519?  If I
> understand correctly, DJB has argued that the ECC theory and experience would
> be evidence for a claim similar, but perhaps not as strong, as your claim.

Let's say that there are single-curve attacks.  We don't know how many
curves have such attacks, nor how hard it is to find such attacks for
specific curves, or specific curves with such attacks.  Perhaps DJB
does know, but either he got spectacularly lucky (if such attack/curve
pairs are rare) or such attack/curve pairs are very common.  The
latter would imply that all ECC is busted, in which case we needn't
worry about whether Curve25519 is weak because we have bigger
problems, so we must ignore this possibility when comparing curves to
one another.  That leaves the former, and now we need some estimate of
frequency of such attack/curve pairs in order to decide if any one
curve is weak.

We don't have such an estimate, but surely whatever that frequency is,
it's the same for all cryptographers.  That means that for any one
standard curve, the likelihood of it being weak this way is about the
same if the possible attacks for each curve were not known at the time
they were discovered.  Now we just need to know whether the curves in
question were selected with or without such knowledge, but we can't
know this [yet], so instead we must estimate the likelihood that the
authors selected a weak curve on purpose.  An estimate of weak curve
distribution/frequency would allow us to estimate the likelihood that
a curve was selected because it was weak.

If some curve required specifying N bits of information, then it must
have been picked from a range of 1..2^2N or so curves (the 2^2N upper
bound is an estimate), *roughly*.  The larger the N, the larger the
freedom the author has/had in selecting a weak curve.  Whatever the
frequency of weak curves, the smaller the N, the more luck an author
needs to pick a weak curve.

That, I think, is the argument for why DJB curves' selection criteria
are more rigid (i.e., less subject to manipulation) than Brainpool

Now, if one out of every 5 curves are weak, then clearly there's a
great chance that DJB curves are weak.  If, for small Ns, one out of
every 5 curves are weak, while for large Ns one out of every trillion
curves are weak, then Brainpool curves are stronger than DJB curves.
I.e., the distribution of weak curves matters.  We know nothing about
the distribution of such weak curves -- the associated attacks are not
known, they are merely conjectured for the sake of argument after all.

It seems unlikely that there's a class of attacks on curves where the
distribution of weak curves tails off as curve complexity (size of
constants) increases.  But we can't really know anything about this
conjectured class of attacks each limited to one or few curves.

I'm not sure what we should assume, but all else being equal my
conclusion is that we should prefer curves whose selection criteria
left very little freedom to those doing the selection.  This might
include Brainpool-like (i.e., with large constants) curves, but I'd
want the selection to work as follows: one small group of people
publicly select a hash function, another disjoint set of people
independently, publicly (videotaped), and concurrently select a short,
simple, and *meaningful* English language string ("hello world"), then
pick the largest constants smaller than bounds computed from that hash
applied to that string.  In the meantime DJB curves were clearly
selected with very little freedom to select for rare weak curves,
therefore I believe we can trust them.