Return-Path: <oleg_gryb@yahoo.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id E50531AD545
 for <tls@ietfa.amsl.com>; Mon, 10 Nov 2014 20:03:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.807
X-Spam-Level: 
X-Spam-Status: No, score=0.807 tagged_above=-999 required=5
 tests=[BAYES_60=1.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001]
 autolearn=no
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id miyOGMdK2cEG for <tls@ietfa.amsl.com>;
 Mon, 10 Nov 2014 20:03:03 -0800 (PST)
Received: from nm47-vm7.bullet.mail.bf1.yahoo.com
 (nm47-vm7.bullet.mail.bf1.yahoo.com [216.109.115.142])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id 603531ACD51
 for <tls@ietf.org>; Mon, 10 Nov 2014 20:03:03 -0800 (PST)
Received: from [98.139.215.143] by nm47.bullet.mail.bf1.yahoo.com with NNFMP; 
 11 Nov 2014 04:03:02 -0000
Received: from [98.139.212.248] by tm14.bullet.mail.bf1.yahoo.com with NNFMP; 
 11 Nov 2014 04:03:02 -0000
Received: from [127.0.0.1] by omp1057.mail.bf1.yahoo.com with NNFMP;
 11 Nov 2014 04:03:02 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 429527.83348.bm@omp1057.mail.bf1.yahoo.com
Received: by 76.13.26.143; Tue, 11 Nov 2014 04:03:02 +0000 
Date: Tue, 11 Nov 2014 04:02:23 +0000 (UTC)
From: Oleg Gryb <oleg_gryb@yahoo.com>
To: "djb@cr.yp.to" <djb@cr.yp.to>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <2116033100.449850.1415678543902.JavaMail.yahoo@jws106117.mail.bf1.yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; 
 boundary="----=_Part_449849_43534089.1415678543896"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ndoaTq5I3eNWsHK2N3p1ycTASlY
X-Mailman-Approved-At: Mon, 10 Nov 2014 20:09:35 -0800
Subject: [TLS] Twist security for brainpoolp256r1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Oleg Gryb <oleg@gryb.info>
List-Id: "This is the mailing list for the Transport Layer Security working
 group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>,
 <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>,
 <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Nov 2014 04:03:05 -0000

------=_Part_449849_43534089.1415678543896
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Hi Daniel and TLS community,

I was going through SafeCurves pages recently and wanted to ask a question about brainpoolP256r1's twist security. According to this research, http://safecurves.cr.yp.to/twist.html, a combined cost of attacks on brainpoolP256t1, which is P256r1's "twist", is rather low. At the same time it's obvious that small-group-attack is not applicable, because "h=1" is a requirement for all brainpool curves including the one under consideration.

The other two "invalid-curve" attacks should be mitigated by openssl controls, since the latter does have a point-on-the-curve validation (e.g., see the EC_POINT_is_on_curve function and its usage in the latest openssl stable versions).

Given all that, can I consider the curve as secure? Are there any other attacks that I should consider before adopting the curve as a standard?

Thank you also for the wonderful research related to Curve25519 and Curve41417. They both seem to be perfect. I hope the openssl community will adopt them soon.

Oleg
------=_Part_449849_43534089.1415678543896--
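
The point-on-curve validation the message relies on, sketched in Python as an added example (not part of the original message and not OpenSSL's code). The domain parameters are brainpoolP256r1 as published in RFC 5639; the function names are illustrative assumptions.

```python
# brainpoolP256r1 domain parameters from RFC 5639 (cofactor h = 1).
P = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
A = 0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
B = 0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
GX = 0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262
GY = 0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997


def rhs(x):
    """Right-hand side of the curve equation: x^3 + a*x + b (mod p)."""
    return (pow(x, 3, P) + A * x + B) % P


def is_on_curve(x, y):
    """Accept (x, y) only if both coordinates are reduced field elements
    and y^2 = x^3 + a*x + b (mod p). With h = 1, any affine point that
    passes this check lies in the prime-order group."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - rhs(x)) % P == 0


def is_square(v):
    """Euler criterion: v is a quadratic residue mod p (or zero)."""
    return v == 0 or pow(v, (P - 1) // 2, P) == 1


def first_twist_x(start=1):
    """Smallest x >= start for which rhs(x) is a non-residue. No y in F_p
    pairs with such an x on the curve; it is an x-coordinate of a point
    on the quadratic twist instead."""
    x = start
    while is_square(rhs(x)):
        x += 1
    return x


def lift_x(x):
    """Return some y with (x, y) on the curve, or None when x belongs to
    the twist. Uses the square-root shortcut valid because p % 4 == 3."""
    v = rhs(x)
    y = pow(v, (P + 1) // 4, P)
    return y if (y * y) % P == v else None
```

An implementation that accepts only an x-coordinate, or skips `is_on_curve` on a received point, is the case where the twist's security level becomes relevant.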

