Re: [TLS] Why are the brainpool curves not allowed in TLS 1.3?

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 17 July 2018 13:27 UTC

Date: Tue, 17 Jul 2018 16:27:16 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "Bruckert, Leonie" <Leonie.Bruckert@secunet.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Message-ID: <20180717132716.GA12785@LK-Perkele-VII>
References: <DE8E4C1F24911E469CC24DD4819274AA2770426C@mail-essen-01.secunet.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <DE8E4C1F24911E469CC24DD4819274AA2770426C@mail-essen-01.secunet.de>
User-Agent: Mutt/1.10.0 (2018-05-17)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kMBxknxehK4-NDCJ-RM1auwftCE>
Subject: Re: [TLS] Why are the brainpool curves not allowed in TLS 1.3?

On Tue, Jul 17, 2018 at 12:39:31PM +0000, Bruckert, Leonie wrote:
> Dear WG members,
> 
> I am quite astonished that the brainpool curves are eventually
> prohibited in TLS 1.3. Based on an earlier comment
> (https://www.ietf.org/mail-archive/web/tls/current/msg17204.html),
> I would have thought that the brainpool curves will be allowed in
> any future version, especially since they have been deployed
> successfully to date.

That comment was three years ago. TLS 1.3 was quite different
back then. And dropping Brainpool came later. But that discussion
already touched on the reasons why Brainpool was dropped.

> I am not aware of any weaknesses of the brainpool curves, so I
> consider this banishment unjustified. As I did not at all
> understand this decision and furthermore, could not find any
> explanations in the mailing list archive, I would like to ask
> how all this happened.

Although brainpool curves are not in any known class of weak curves
(base field degree >2, l == p, or small k where l | p^k-1), and as
such finding these to be weak would be a cryptographic breakthrough
(highly likely taking out lots of other curves with them):

- These curves are pretty much national.
- These curves are slow compared to other curves.

There were also other pieces of national crypto that were dropped,
like the non-AES GCM modes, even if porting these across would
have been trivial, and AFAIK there is no known cryptographic
trouble with those algorithms.


I took a look at when Brainpool was finally actually dropped. It was
draft-12 in March 2016 (the previous one from December 2015 still
had them). At the same time, signature negotiation was revamped,
which may be related, given that the revamped signature negotiation
does not have room for ECDSA with Brainpool curves.


-Ilari
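As an added illustration (not part of Ilari's mail or of any Brainpool or TLS implementation), the weak-curve classes named in the reply can be checked mechanically for a prime-field curve. The script below applies the anomalous (l == p) and small-embedding-degree (l | p^k - 1) tests to the brainpoolP256r1 field prime and group order from RFC 5639, and to constructed toy values that do fall into the embedding-degree class; the Miller-Rabin helper, the k <= 100 bound and the toy values are my own choices.

```python
# Added example: classify a prime-field curve (p, l) against the weak-curve classes
# named in the mail. A prime field has extension degree 1, so the "base field
# degree > 2" class (Weil descent) does not apply and is not tested here.
import random
from typing import Optional

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; a composite n passes with probability at most 4**-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def embedding_degree(p: int, l: int, max_k: int = 100) -> Optional[int]:
    """Smallest k <= max_k with l | p^k - 1 (the MOV/Frey-Rueck embedding degree),
    or None when it exceeds max_k, i.e. a transfer to F_{p^k} is out of reach."""
    for k in range(1, max_k + 1):
        if pow(p, k, l) == 1:
            return k
    return None

def weak_curve_report(p: int, l: int, max_k: int = 100) -> dict:
    """Field prime p, prime-order subgroup l; hasse_consistent assumes cofactor 1."""
    k = embedding_degree(p, l, max_k)
    return {"field_prime": is_probable_prime(p),
            "subgroup_order_prime": is_probable_prime(l),
            "anomalous": l == p,                     # Smart/Satoh-Araki/Semaev class
            "embedding_degree": k,
            "mov_vulnerable": k is not None,
            "hasse_consistent": (p + 1 - l) ** 2 <= 4 * p}

# brainpoolP256r1 field prime and group order (cofactor 1), as published in RFC 5639.
BP256_P = int("A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 16)
BP256_N = int("A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", 16)
# Constructed toy values: a supersingular curve y^2 = x^3 + x over F_p with p = 3 mod 4
# has p + 1 points, so p = -1 (mod l) for any l | p + 1 and the embedding degree is 2.
TOY_P, TOY_N = 1000003, 1000004
```

Running `weak_curve_report(BP256_P, BP256_N)` reports no embedding degree up to 100 and no anomaly, while the toy pair is flagged with embedding degree 2.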