Re: [TLS] Using Brainpool curves in TLS

Nico Williams <> Wed, 16 October 2013 16:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 856FC11E8313 for <>; Wed, 16 Oct 2013 09:29:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.981
X-Spam-Status: No, score=-1.981 tagged_above=-999 required=5 tests=[AWL=-0.004, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YQWI9O-5C8kg for <>; Wed, 16 Oct 2013 09:29:27 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id D436511E8304 for <>; Wed, 16 Oct 2013 09:29:26 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id 4DF61508072 for <>; Wed, 16 Oct 2013 09:29:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type;; bh=gM0ta3DkWJ67gqm4dhA6 B1KAeUQ=; b=eh4rR4OXiCBy8xTEET/hakLKfRUZ6HTf+MlH1qdrcubNHgDVu8nQ AZ1G1ziqgAWvQDN/l8baOaG9qP27L850KQenWzcmJc/MWMNygfvqG1ZRe0Ecw4a3 nwuXHAIJJSdggVVeWxmMuc3uCvNrfNPUmjTKOdnvjd/QRu3LuF/dZ1Q=
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id 26950508084 for <>; Wed, 16 Oct 2013 09:29:26 -0700 (PDT)
Received: by with SMTP id e14so1763987iej.11 for <>; Wed, 16 Oct 2013 09:29:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=WmrdsK+j1JSmYakR6zA45R+oKvvaCgG5Rk4L+irzodw=; b=JhlfzL4JCzMsAQWOy7IJI1+qNfw2dzlqx2CI/6/mIQOVmuwnMjng1k8tJVi1laMi6J dusCICTEXdT0+8FL15lYdPMHR5zuwxdyk1hZUnpXcKOcXSn0KK04tBnRSQhDHjPndAjF JFbiKT5PWnPptauz+SEQ4+PnrnAFtKTJbii7xjk5GpMy9lJyPENjaKLrQb32YKdmNNvj QoGSNt9yc+4fKvnMYN4heHdHAutaOgjkkv6mWb297Ptv3QLYYk+l2Wrzj31i+Ac+G+LH dE1fGPLbKyC8tQu3iqoy8376SGzM4qogCt3/WUEpg8Ls1RGCBqBjO36bnPkSsc/Oh2r9 XB0g==
MIME-Version: 1.0
X-Received: by with SMTP id e4mr1607107icl.58.1381940965242; Wed, 16 Oct 2013 09:29:25 -0700 (PDT)
Received: by with HTTP; Wed, 16 Oct 2013 09:29:25 -0700 (PDT)
In-Reply-To: <>
References: <> <> <01b901cec9a0$004e12b0$00ea3810$> <> <> <> <> <> <>
Date: Wed, 16 Oct 2013 11:29:25 -0500
Message-ID: <>
From: Nico Williams <>
To: Johannes Merkle <>
Content-Type: text/plain; charset=UTF-8
Cc: Patrick Pelletier <>, "" <>
Subject: Re: [TLS] Using Brainpool curves in TLS
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Oct 2013 16:29:31 -0000

On Wed, Oct 16, 2013 at 10:53 AM, Johannes Merkle
<> wrote:
>> Curve25519 picks the smallest value of A that meets the parameters.
> Why the smallest, not the largest negative? Why using little /big endian (don't know which was used) instead of the
> other? Why choosing exactly these conditions (you phrase it "parameters").

Endianness has no impact on the mathematics involved.

Smallest because there is such a thing (as opposed to largest, which
is unbound).  It could have been smallest absolute value, allowing one
more degree of freedom.  Perhaps there's a class of attacks that works
with positive As and not with negative As (or vice-versa)?  But that
seems unlikely.

> Don't get me wrong. I admit that the construction of Curve25519 is extremely rigid, and even more rigid than that of the
> Brainpool curves. I only point to the fact that there is no perfect rigidity.

Agreed.  I like DJB's curve constructions because as much as possible
is explained verifiably.

>> is deterministic. Brainpool is close enough that I would say "quite
>> rigid" as opposed to "deterministic construction". Basically, the
> I think we can agree on that statement.


But the SafeCurves site doesn't focus only on construction rigidity,
and it doesn't discount Brainpool on account of rigidity in its
construction.  SafeCurves also covers other issues.  SafeCurves
declares Brainpool curves not safe according to the following

 - feasibility of efficient constant-time implementation

 - twist security

   IIUC this means that when using non-twist secure curves one has to
validate that peers' public keys are on the curve being used, which in
turn would require exchanging not just public keys but also Schnorr
signatures (and, of course, verifying those signatures before using
peers' public keys for any other purpose).

 - completeness

   This is an argument that's purely about implementation complexity
and performance.  I'm not sure how concerned to be about this -- less
than about the previous two concerns above, no doubt.

 - indistinguishability of public key values from random

   No EC curve has this.  But for some curves one can construct a
mapping between any point and some small set of non-points all of
which can then be mapped right back into the original.  And such a
mappings can be made constant-time in the case of the three given safe
curves.  But no such mappings are known for the other curves
(including Brainpool).

   This is primarily a problem for protocols aiming for privacy
protection and for some ZKPPs (e.g., EKE) (but not for, say, J-PAKE,
which, incidentally, uses Schnorr signatures to verify public key