Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,

Peter Gutmann <> Fri, 27 June 2014 03:49 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id B1BA91B313B for <>; Thu, 26 Jun 2014 20:49:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id giqrGrCCWHQZ for <>; Thu, 26 Jun 2014 20:49:41 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CBFFD1B2F20 for <>; Thu, 26 Jun 2014 20:49:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=uoa; t=1403840981; x=1435376981; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=ECx4s2C46s4rZj81OtYjsSqVwfr56ICB4zV+M64QX1M=; b=a+o5XYRUDtgKXzyt4vpWO56ED1bNmlHCc8ZRXHBiNlGhHMVSskB5bn7N 1BNeUnVnA0gL++kLJSBpQTVdSmFzGpgZG8QTwnSJSSDgyxixN8KM+Qun4 R+hDDln9UvvTRb6SnaA63EzsYbNRNANyJQmY+tj7Kkm3mrgIs4WnyxmgD I=;
X-IronPort-AV: E=Sophos;i="5.01,558,1399982400"; d="scan'208";a="260844410"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES128-SHA; 27 Jun 2014 15:49:12 +1200
Received: from ([]) by ([]) with mapi id 14.03.0174.001; Fri, 27 Jun 2014 15:49:10 +1200
From: Peter Gutmann <>
To: "<>" <>
Thread-Topic: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,
Thread-Index: Ac+RusBx+WXT/cCqSCixQ+dbotOa5Q==
Date: Fri, 27 Jun 2014 03:49:09 +0000
Message-ID: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 27 Jun 2014 03:49:42 -0000

Viktor Dukhovni <> writes:

>If we have an opportunity to advance the state of the art, and use (subject
>to CFRG review, ...) new EC techniques based on lessons learned after ECDSA,
>that are more performant and less prone to implementation errors, then there
>is a good reason to add new curves.

If we're going to do that then we need to have something like the
AES/SHA-3/PHC competition to decide on a suitable curve (and whatever other
deckchairs are going to be rearranged in TLS 1.3), not just take the first
trendy thing that pops up.  I have a great deal of respect for djb and he
designs some really good stuff, but with the thought of having to implement
huge amounts of new material for TLS 1.3 (after already having had to do it
for 1.2) I really, really don't want to have to start again from scratch if,
in two years' time, someone finds some issue in 25519 and/or the other bits
that are being thrown in.  Using the oldest SSL algorithms that come to mind,
3DES, DHE, and HMAC-SHA1, I'm pretty confident that I'm, as I quoted a
cryptographer earlier, "unlikely to be surprised".  Introducing several trendy
new algorithms all at once gives me nothing like that level of confidence.