Re: [TLS] Using Brainpool curves in TLS

Tom Ritter <> Wed, 16 October 2013 13:33 UTC

From: Tom Ritter <>
Date: Wed, 16 Oct 2013 09:32:53 -0400
To: Johannes Merkle <>
Cc: Patrick Pelletier <>, "" <>

On 16 October 2013 03:21, Johannes Merkle <> wrote:
>> What problems does this solve? The Brainpool curves still have
>> unverifiable construction,
> This is plain wrong. Obviously, you have not read RFC 5639. The construction of the Brainpool curves is completely
> verifiable, only based on the fundamental constants Pi and e.

Repeating others' arguments:

"Several unexplained decisions: Why SHA-1 instead of, e.g., RIPEMD-160
or SHA-256? Why use 160 bits of hash input independently of the curve
size? Why pi and e instead of, e.g., sqrt(2) and sqrt(3)? Why handle
separate key sizes by more digits of pi and e instead of hash
derivation? Why counter mode instead of, e.g., OFB? Why use
overlapping counters for A and B (producing the repeated
26DC5C6CE94A4B44F330B5D9)? Why not derive separate seeds for A and B?"

I'm not sure I agree with them fully, but I also don't have very much
context. (My thought when reading that is "Why sqrt(2) and sqrt(3)
instead of pi and e - what makes those constants more trustworthy?")
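
The quoted question about overlapping counters for A and B, illustrated as an added example (not part of the original message, and not the RFC 5639 procedure itself): a simplified SHA-1 counter-mode expansion in which B's seed is A's seed plus one, compared with a hypothetical separately derived seed for B. The seed is constructed, and the function names and the domain-separation scheme are assumptions made for illustration.

```python
import hashlib

HASH_BITS = 160  # SHA-1 digest size in bits


def sha1_int(counter: int) -> bytes:
    """SHA-1 of a 160-bit big-endian counter value."""
    return hashlib.sha1((counter % (1 << HASH_BITS)).to_bytes(20, "big")).digest()


def expand(seed: int, width: int) -> int:
    """Leftmost `width` bits of SHA1(seed) || SHA1(seed+1) || ... (simplified model)."""
    blocks = -(-width // HASH_BITS)  # ceiling division
    stream = b"".join(sha1_int(seed + i) for i in range(blocks))
    return int.from_bytes(stream, "big") >> (blocks * HASH_BITS - width)


def shared_bits(a: int, b: int, width: int) -> int:
    """Largest n such that the low n bits of a equal the high n bits of b."""
    for n in range(width, 0, -1):
        if a & ((1 << n) - 1) == b >> (width - n):
            return n
    return 0


def derive_pair(seed: int, width: int, separate_seeds: bool) -> tuple[int, int]:
    """Derive (A, B) with overlapping counters or with a separately derived seed for B."""
    if separate_seeds:
        # Hypothetical alternative: domain-separated seed for B.
        seed_b = int.from_bytes(hashlib.sha1(b"B" + seed.to_bytes(20, "big")).digest(), "big")
    else:
        seed_b = seed + 1  # B's counter starts inside A's counter range
    return expand(seed, width), expand(seed_b, width)


SEED = int.from_bytes(b"constructed-seed-160", "big")  # constructed, not from pi or e

if __name__ == "__main__":
    for width in (256, 384, 512):
        a, b = derive_pair(SEED, width, separate_seeds=False)
        c, d = derive_pair(SEED, width, separate_seeds=True)
        print(width, shared_bits(a, b, width), shared_bits(c, d, width))
        print(f"  A={a:0{width // 4}x}\n  B={b:0{width // 4}x}")
```

In this model a 256-bit output built from 160-bit hash blocks shares 256 - 160 = 96 bits between the end of A and the start of B, the same length as the 24-hex-digit string quoted above.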