Re: [TLS] Curve25519 in TLS

Bodo Moeller <bmoeller@acm.org> Thu, 12 September 2013 17:41 UTC

In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5BCFD3C@XMB116CNC.rim.net>
References: <a84d7bc61003011620i66fc7dfdre62b548fdd5ef7dd@mail.gmail.com> <522D25B9.7010506@funwithsoftware.org> <56C25B1D-C80F-495A-806C-5DD268731CD4@qut.edu.au> <87zjrl21wp.fsf_-_@latte.josefsson.org> <522ED9A7.7080802@comodo.com> <87fvtbi8ow.fsf@latte.josefsson.org> <5231B8ED.7040301@comodo.com> <810C31990B57ED40B2062BA10D43FBF5BCFD3C@XMB116CNC.rim.net>
Date: Thu, 12 Sep 2013 19:41:42 +0200
Message-ID: <CADMpkcKcjc0JVidPPasuQ4H3SAJG7g8w5LS9z-E2-tyeD3RDmA@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Curve25519 in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Sep 2013 17:44:33 -0000

> > Unless NIST can prove that their curves aren't backdoored, I think it's
>
> [DB] Five NIST curves are Koblitz curves, which are not backdoored.

Personally I don't expect any of the NIST curves to be backdoored, but I
don't agree with the reasoning (which I've seen elsewhere before) that if
you have doubts about the pseudorandom NIST curves due to their unexplained
seeds, the NIST Koblitz curves are less suspect because that degree of
freedom is missing.

I won't repeat here why I'm not actually worried about the pseudorandom
curves (I don't think I could add anything to your and Douglas Stebila's
arguments in the thread "Testing consensus for adding curve25519 to the EC
named curve registry"). Now *if* one assumes that there's a (thin-spread
but non-negligible) class of weak curves among them (so that the seeds
could have been chosen to create backdoors), why would it be more
far-fetched to assume that the class of Koblitz curves is weak *in its
entirety*?  After all, these particular curves are known to have extra
structure by design!

Bodo
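Added example, not part of this post or of the thread it replies to: the argument above turns on what the "unexplained seeds" of the pseudorandom NIST curves do and do not certify. The Python below recomputes the ANSI X9.62 SHA-1 derivation that ties P-256's coefficient b to its published SEED (r = SHA-1 output, check r·b² ≡ a³ mod p), solves for b from that seed, and sanity-checks the curve (nonsingular, G on the curve, n·G = O). Passing the seed check shows only that b was derived from the seed; it says nothing about how the seed itself was chosen, which is exactly the gap the thread is discussing. Parameter values are the public FIPS 186-4 / SEC 2 ones; the function names are assumptions of this example.

```python
"""Recompute the X9.62 'verifiably random' derivation of NIST P-256's b from
its SEED and sanity-check the curve.  Added example; parameters are the public
FIPS 186-4 / SEC 2 values, the derivation follows ANSI X9.62 Annex A.3.3."""
import hashlib

# Public NIST P-256 domain parameters, including the published 160-bit SEED.
P256 = {
    "p": 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    "a": 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,  # p - 3
    "b": 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    "n": 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
    "gx": 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
    "gy": 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
    "seed": bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90"),
}


def x962_r_from_seed(seed: bytes, p: int) -> int:
    """X9.62 A.3.3: t = bitlen(p), s = (t-1)//160, h = t - 160*s.
    W0 = low-order h bits of SHA-1(SEED) with its top bit cleared,
    Wi = SHA-1((SEED + i) mod 2^g) for i = 1..s, r = int(W0 || W1 || ... || Ws)."""
    g = len(seed) * 8
    t = p.bit_length()
    s = (t - 1) // 160
    h = t - 160 * s
    w0 = int.from_bytes(hashlib.sha1(seed).digest(), "big") & ((1 << h) - 1)
    w0 &= ~(1 << (h - 1))  # clear the leftmost bit of W0
    z = int.from_bytes(seed, "big")
    r = w0
    for i in range(1, s + 1):
        seed_i = ((z + i) % (1 << g)).to_bytes(g // 8, "big")
        r = (r << 160) | int.from_bytes(hashlib.sha1(seed_i).digest(), "big")
    return r


def seed_explains_b(c: dict) -> bool:
    """True iff r * b^2 == a^3 (mod p): b was derived from SEED as X9.62 specifies."""
    r = x962_r_from_seed(c["seed"], c["p"])
    return (r * c["b"] * c["b"]) % c["p"] == pow(c["a"], 3, c["p"])


def b_from_seed(seed: bytes, a: int, p: int):
    """Solve b^2 = a^3 / r (mod p).  Returns one of the two roots (b or p-b), or
    None if a^3/r is not a square.  Assumes p = 3 (mod 4), true for P-256."""
    assert p % 4 == 3
    r = x962_r_from_seed(seed, p)
    v = pow(a, 3, p) * pow(r, -1, p) % p
    root = pow(v, (p + 1) // 4, p)
    return root if root * root % p == v else None


def is_nonsingular(c: dict) -> bool:
    return (4 * pow(c["a"], 3, c["p"]) + 27 * c["b"] * c["b"]) % c["p"] != 0


def on_curve(c: dict, pt) -> bool:
    if pt is None:  # point at infinity
        return True
    x, y = pt
    return (y * y - (x * x * x + c["a"] * x + c["b"])) % c["p"] == 0


def add(c: dict, P, Q):
    """Affine point addition; None is the point at infinity."""
    p = c["p"]
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + c["a"]) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def scalar_mult(c: dict, k: int, P):
    """Plain double-and-add; fine for a verification script, not for secrets."""
    R = None
    while k:
        if k & 1:
            R = add(c, R, P)
        P = add(c, P, P)
        k >>= 1
    return R


def check_p256() -> dict:
    G = (P256["gx"], P256["gy"])
    return {
        "seed_explains_b": seed_explains_b(P256),
        "nonsingular": is_nonsingular(P256),
        "generator_on_curve": on_curve(P256, G),
        "generator_has_order_n": scalar_mult(P256, P256["n"], G) is None,
    }


if __name__ == "__main__":
    for name, ok in check_p256().items():
        print(f"{name}: {ok}")
```

Every check passes for the published parameters. Note what the first check covers: given the seed, b is fixed up to sign, so nobody could have picked b freely after the fact. What it cannot cover is the seed itself, which the standard presents as an arbitrary bit string, and that is the degree of freedom the thread is arguing about.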