Re: [TLS] Safe ECC usage

Johannes Merkle <johannes.merkle@secunet.com> Thu, 17 October 2013 16:32 UTC

Return-Path: <Johannes.Merkle@secunet.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDBE111E827C for <tls@ietfa.amsl.com>; Thu, 17 Oct 2013 09:32:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.513
X-Spam-Level:
X-Spam-Status: No, score=-3.513 tagged_above=-999 required=5 tests=[AWL=0.086, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BV9FTl9jGWPE for <tls@ietfa.amsl.com>; Thu, 17 Oct 2013 09:32:49 -0700 (PDT)
Received: from a.mx.secunet.com (a.mx.secunet.com [195.81.216.161]) by ietfa.amsl.com (Postfix) with ESMTP id 09D3111E8273 for <tls@ietf.org>; Thu, 17 Oct 2013 09:32:32 -0700 (PDT)
Received: from localhost (alg1 [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id 2609D1A0071; Thu, 17 Oct 2013 18:32:31 +0200 (CEST)
X-Virus-Scanned: by secunet
Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Tw9qTi-0TdKU; Thu, 17 Oct 2013 18:32:29 +0200 (CEST)
Received: from mail-srv1.secumail.de (unknown [10.53.40.200]) by a.mx.secunet.com (Postfix) with ESMTP id D11161A006F; Thu, 17 Oct 2013 18:32:29 +0200 (CEST)
Received: from [172.16.40.201] ([172.16.40.201]) by mail-srv1.secumail.de with Microsoft SMTPSVC(6.0.3790.4675); Thu, 17 Oct 2013 18:32:29 +0200
Message-ID: <5260111D.6030907@secunet.com>
Date: Thu, 17 Oct 2013 18:32:29 +0200
From: Johannes Merkle <johannes.merkle@secunet.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.0.1
MIME-Version: 1.0
To: Dan Brown <dbrown@certicom.com>
References: <523E176F.3050304@gmail.com> <9A043F3CF02CD34C8E74AC1594475C7355674EE0@uxcn10-6.UoA.auckland.ac.nz> <20130926152757.15842.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5BDB49B@XMB116CNC.rim.net> <20130928223648.1113.qmail@cr.yp.to> <20130929025714.5578895.47771.4422@certicom.com> <20131001143511.11010.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5BDE21E@XMB116CNC.rim.net> <20131002161944.8125.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5BDE90F@XMB116CNC.rim.net> <20131003010455.17185.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5BDECA6@XMB116CNC.rim.net> <20131005192950.27059.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5BE4A9D@XMB116CNC.rim.net> <20131012003058.669.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5BEBAA5@XMB117CNC.rim.net> <CACsn0c=bSTMWwuHxD3eE3ABC_AxVRt-BOTybEr7umPQD5NB+cA@mail.gmail.com> <810C31990B57ED40B2062BA10D43FBF5BEC2EC@XMB117CNC.rim.net>
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5BEC2EC@XMB117CNC.rim.net>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 17 Oct 2013 16:32:29.0714 (UTC) FILETIME=[78F2FF20:01CECB56]
Cc: "'djb@cr.yp.to'" <djb@cr.yp.to>, "'tls@ietf.org'" <tls@ietf.org>
Subject: Re: [TLS] Safe ECC usage
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Oct 2013 16:32:54 -0000

Dan Brown schrieb am 17.10.2013 17:46:
> Why couldn't a new attack just work on one curve, namely Curve25519?  If I 
> understand correctly, DJB has argued that the ECC theory and experience would 
> be evidence for a claim similar, but perhaps not as strong, as your claim.
> 

There is really no use in speculating about future attacks as long as there are not some clear indications about their
presence and potential. An example of the latter case is the anticipation (or is is merely a feeling in the guts?) by
some researchers of an attack potential for certain curves having small class group orders, and even the validity of
this educated guess is controversially disputed.

Nobody knows which curves unforeseen attacks (I mean to exclude the latter example by this term) will affect. IMO any
speculation about this (including the present discussion) is metaphysics.

BTW, my understanding of DJB posts was that he only meant to contradict your hypothesis on certain curves being more
likely being affected by future attacks than others, but as far as I understood, he never made any claim about the
impact to be expected by future attacks.
-- 
Johannes