Re: [TLS] Using ECC Brainpool curves with TLS
Johannes Merkle <johannes.merkle@secunet.com> Mon, 09 July 2012 17:20 UTC
Return-Path: <Johannes.Merkle@secunet.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8455C11E816C for <tls@ietfa.amsl.com>; Mon, 9 Jul 2012 10:20:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lZy8NtqWdSlc for <tls@ietfa.amsl.com>; Mon, 9 Jul 2012 10:20:34 -0700 (PDT)
Received: from a.mx.secunet.com (a.mx.secunet.com [195.81.216.161]) by ietfa.amsl.com (Postfix) with ESMTP id 75EEE11E816D for <tls@ietf.org>; Mon, 9 Jul 2012 10:20:34 -0700 (PDT)
Received: from localhost (alg1 [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id A80731A0079; Mon, 9 Jul 2012 19:20:59 +0200 (CEST)
X-Virus-Scanned: by secunet
Received: from mail-srv1.secumail.de (unknown [10.53.40.200]) by a.mx.secunet.com (Postfix) with ESMTP id 316211A0075; Mon, 9 Jul 2012 19:20:56 +0200 (CEST)
Received: from [10.208.1.73] ([10.208.1.73]) by mail-srv1.secumail.de with Microsoft SMTPSVC(6.0.3790.4675); Mon, 9 Jul 2012 19:20:55 +0200
Message-ID: <4FFB12F6.1020609@secunet.com>
Date: Mon, 09 Jul 2012 19:20:54 +0200
From: Johannes Merkle <johannes.merkle@secunet.com>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: Douglas Stebila <douglas@stebila.ca>
References: <4FF6A52F.1030308@secunet.com> <F5AF1F4A-7BF1-4A67-9D94-42A819E0E3BA@stebila.ca>
In-Reply-To: <F5AF1F4A-7BF1-4A67-9D94-42A819E0E3BA@stebila.ca>
X-Enigmail-Version: 1.4.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 09 Jul 2012 17:20:55.0126 (UTC) FILETIME=[329FEF60:01CD5DF7]
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Using ECC Brainpool curves with TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 17:20:35 -0000
Douglas, >> [Question 4] In RFC 5639, for each of the bit lengths 160, 192, 224, 256, 320, 384, 512 two curves are defined, one >> being the "quadratic twist" of the other having the same algebraic structure (and hence, security level), but one of >> them allows particular efficient arithmetic. In order to leave the choice of the curve for a given bit length to the >> implementation we propose to register IANA values (for EC Named Curve) for both curves for each bit length. Of course, >> this doubles the number of number assignments. Does anyone consider this a problem? > > One alternative would be to use an extension, similar to the Supported Points Format Extension, to indicate whether to use the twisted form or the original form. Or in fact define the twisted form as just another ECPointFormat. > An extension would work, but although these curves are isomorphic (mathematically equivalent), there parameters and arithmetic are different. So my feeling is that they should not be assigned to the same curve values. A point format is even less suitable as this has nothing to do with EC point representation. We have approx 65000 assignments left. So the question is if saving 7 numbers is worth defining extra syntax and semantics. My personal opinion is that it is not. > But you could also ask the question: if the quadratic twist is more efficient, will anyone ever use the untwisted version? If not, then perhaps you could just standardize the twisted version alone, reducing the number of combinations to be tested and supported. The reason why some people might prefer the "normal" curves is that for these it is easier to avoid patents. This is always a big issue with ECC. While the Brainpool curves avoid special primes to facilitate patent-free implementations, we still wanted to leave the implementors a choice between "fast" and "slower but more patent-safe" by introducing the quadratic twist. Johannes -- Johannes Merkle secunet Security Networks AG johannes.merkle@secunet.com www.secunet.com
- [TLS] Using ECC Brainpool curves with TLS Johannes Merkle
- Re: [TLS] Using ECC Brainpool curves with TLS Douglas Stebila
- Re: [TLS] Using ECC Brainpool curves with TLS Johannes Merkle
- Re: [TLS] Using ECC Brainpool curves with TLS Michael Staubermann
- Re: [TLS] Using ECC Brainpool curves with TLS Johannes Merkle