Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,

[Viktor Dukhovni <viktor1dane@dukhovni.org>]

On Thu, Jun 26, 2014 at 03:10:12PM -0700, Eric Rescorla wrote:

> I'm cutting here because I would like to encourage WG members to
> focus on the general merits of this suggestion (or lack thereof, depending
> on your perspective) rather than on the specific details of the procedure
> Mike has proposed. I think it's clear that we could develop a procedure
> for producing verifiably random seeds, but let's try to figure out first
> whether that's a good idea before we worry about how to do it.

Note, that RedHat and (probably some others) truncate the curve
support in OpenSSL to just P-256, P-384 and P-521 for IPR reasons.
I see little reason to expect that they would include implementations
of any of the new proposed curves.

The new curves would also suffer from all the ECDSA defects noted
by DJB and would not have the performance advantages of Edwards
curves.

So I see little value in a new batch of essentially the same type
of curves.  Just more bloat in the client HELLO listing curves
nobody has or is willing to use.

If we have an opportunity to advance the state of the art, and use
(subject to CFRG review, ...) new EC techniques based on lessons
learned after ECDSA, that are more performant and less prone to
implementation errors, then there is a good reason to add new
curves.  They might still not get adopted until all the EC patents
expire, but at least eventually they move things forward, not
sideways.

Just adding more of the same old stuff, but with a different proof
of randomness does not seem compelling.

-- 
	Viktor.