Re: [TLS] sect571r1

Dan Brown <> Thu, 16 July 2015 02:02 UTC


FFDHE with prime field is one big step away from FFDHE with binary field, which has quasipoly time DLP, so that's quite a large risk.
ECDHE with binary field is also one big step away from binary FFDHE, but it's a different type of step: hence diversity.
I agree that diversity risks weakest link. Ideally, the rainy day backups should be disabled by default, but possible to quickly enable, by administrator configuration or patch.
From: Tony Arcieri
Sent: Wednesday, July 15, 2015 9:47 PM
To: Dan Brown
Cc: Martin Rex; <>
Subject: Re: [TLS] sect571r1

On Wed, Jul 15, 2015 at 6:42 PM, Dan Brown <> wrote:
Even so, there's an argument from Koblitz and Menezes that special curves (e.g. binary curves) may survive some wider collapse. I think it's a weak argument, but for those for whom supporting more curves is easy, it could justify supporting a diversity of curves.

Others are pushing FFDHE in the event of some ECC disaster. I'm not really a fan of that either (all these things add attack surface in addition to being "backups"), but if we're going to keep a little used thing around in our pocket just in case of an ECC disaster, why do we need backup curves in addition to FFDHE?

Tony Arcieri
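One way to express the policy Dan Brown describes above ("rainy day" backup groups disabled by default, enabled by administrator configuration, and even then only as a fallback), as an added illustration that is not code from this thread or from any TLS implementation. The group codepoints are the TLS NamedGroup values from RFC 4492 and RFC 7919; the client offers are constructed samples.

```python
# Added example: server-side group selection with backup groups off by default.
# Codepoints: TLS NamedGroup values (RFC 4492 for the curves, RFC 7919 for FFDHE).
PRIMARY = {"secp256r1": 23, "secp384r1": 24, "secp521r1": 25}
BACKUP_BINARY = {"sect283r1": 10, "sect571r1": 14}      # binary-field curves
BACKUP_FFDHE = {"ffdhe2048": 256, "ffdhe3072": 257}     # finite-field DH


def server_groups(enable_binary=False, enable_ffdhe=False):
    """Server preference list, most preferred first.

    Backups are appended only when an administrator enables them, and always
    after the primary groups, so they can never win against a primary group.
    """
    order = list(PRIMARY.values())
    if enable_binary:
        order += list(BACKUP_BINARY.values())
    if enable_ffdhe:
        order += list(BACKUP_FFDHE.values())
    return order


def select_group(client_offer, server_pref):
    """Pick the first group in the *server's* order that the client also offered.

    Honouring the server's order (not the client's) is what keeps an enabled
    backup from being steered into use by a peer that lists it first.
    Returns None when there is no common group (the handshake would fail).
    """
    offered = set(client_offer)
    for group in server_pref:
        if group in offered:
            return group
    return None


# Constructed client offers (not real captures), in each client's own order.
SAMPLE_CLIENTS = {
    "modern": [23, 24],            # prime-field curves only
    "binary_first": [14, 23],      # prefers sect571r1 but can do secp256r1
    "binary_only": [14],           # sect571r1 only
    "ffdhe_only": [256],           # ffdhe2048 only
}


def negotiated_for(clients, server_pref):
    """Map each client to the group it would negotiate under server_pref."""
    return {name: select_group(offer, server_pref) for name, offer in clients.items()}
```

With the default policy only the two prime-curve clients connect; enabling a backup lets the backup-only clients connect without moving "binary_first" off secp256r1.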