[TLS] Twist security for brainpoolp256r1

Oleg Gryb <oleg_gryb@yahoo.com> Tue, 11 November 2014 04:03 UTC

Date: Tue, 11 Nov 2014 04:02:23 +0000 (UTC)
From: Oleg Gryb <oleg_gryb@yahoo.com>
To: "djb@cr.yp.to" <djb@cr.yp.to>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <2116033100.449850.1415678543902.JavaMail.yahoo@jws106117.mail.bf1.yahoo.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ndoaTq5I3eNWsHK2N3p1ycTASlY
Subject: [TLS] Twist security for brainpoolp256r1
Reply-To: Oleg Gryb <oleg@gryb.info>

Hi Daniel and TLS community,

I was going through SafeCurves pages recently and wanted to ask a question about brainpoolP256r1's twist security. According to this research, http://safecurves.cr.yp.to/twist.html, a combined cost of attacks on brainpoolP256t1, which is P256r1's "twist", is rather low. At the same time it's obvious that the small-group attack is not applicable, because "h=1" is a requirement for all brainpool curves including the one under consideration.

The other two "invalid-curve" attacks should be mitigated by openssl controls, since the latter does have a point-on-the-curve validation (e.g. see the EC_POINT_is_on_curve function and its usage in the latest openssl stable versions).

Given all that, can I consider the curve as secure? Are there any other attacks that I should consider before adopting the curve as a standard?

Thank you also for the wonderful research related to Curve25519 and Curve41417. They both seem to be perfect. I hope the openssl community will adopt them soon.

Oleg
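The message hinges on whether an implementation actually performs the point-on-curve check before using a peer's ECDHE share. The following Python is an added example, not part of Oleg's message and not OpenSSL's code: it implements the same check that EC_POINT_is_on_curve performs (coordinates in range, y^2 = x^3 + ax + b mod p) for brainpoolP256r1, parses the uncompressed 0x04 || X || Y encoding that TLS carries, and additionally verifies that the point has order q. The domain parameters are the ones published in RFC 5639 (Section 3.4); the function names and the sample inputs are constructed for this example. The twist-security figures on SafeCurves describe the cost of attacks only when such a check is missing, since a point on the twist satisfies y^2 = d(x^3 + ax + b) for a non-square d and therefore fails the equation test below.

```python
# Added example: explicit public-point validation for brainpoolP256r1.
# Domain parameters are the ones published in RFC 5639, Section 3.4.
P  = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377  # field prime p
A  = 0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9  # coefficient a
B  = 0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6  # coefficient b
GX = 0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262  # base point x
GY = 0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997  # base point y
Q  = 0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7  # order of G
H  = 1                                                                     # cofactor
FIELD_BYTES = 32


def is_on_curve(x, y):
    """The check EC_POINT_is_on_curve performs: coordinates in range and
    y^2 == x^3 + a*x + b (mod p).  A point on the quadratic twist satisfies
    y^2 == d*(x^3 + a*x + b) for a non-square d, so it fails this test."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:                               # p1 == -p2
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P     # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P            # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Plain double-and-add.  Adequate for a validation check on a public
    point; not constant-time, so never use it with a secret scalar."""
    result = None
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode_uncompressed(x, y):
    """SEC1 uncompressed encoding 0x04 || X || Y, the form TLS ECDHE uses."""
    return b"\x04" + x.to_bytes(FIELD_BYTES, "big") + y.to_bytes(FIELD_BYTES, "big")


def validate_peer_point(encoded):
    """Full public-key validation of a peer's ECDHE share; returns (ok, reason).
    Because h == 1, passing the on-curve test already places the point in the
    prime-order group; the order check is kept as an explicit extra step."""
    if len(encoded) != 1 + 2 * FIELD_BYTES or encoded[0] != 0x04:
        return False, "not an uncompressed brainpoolP256r1 point"
    x = int.from_bytes(encoded[1:1 + FIELD_BYTES], "big")
    y = int.from_bytes(encoded[1 + FIELD_BYTES:], "big")
    if not is_on_curve(x, y):
        return False, "point is not on brainpoolP256r1 (invalid-curve or twist point)"
    if scalar_mult(Q, (x, y)) is not None:
        return False, "point does not have order q"
    return True, "valid"


if __name__ == "__main__":
    # Constructed inputs: the base point (valid) and a tampered y coordinate (rejected).
    print(validate_peer_point(encode_uncompressed(GX, GY)))
    print(validate_peer_point(encode_uncompressed(GX, (GY + 1) % P)))
```

The decisive line for the question asked is the `is_on_curve` test: an implementation that computes a shared secret without it (for example an x-only ladder that accepts any x, or a code path that skips validation) is the situation in which the twist's group structure becomes relevant. Running the check before any scalar multiplication with the private key is what makes the SafeCurves twist cost moot for a correct implementation.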