Re: [TLS] Curve25519 in TLS
Bodo Moeller <bmoeller@acm.org> Thu, 12 September 2013 17:41 UTC
> > Unless NIST can prove that their curves aren't backdoored, I think it's
> > [DB] Five NIST curves are Koblitz curves, which are not backdoored.

Personally I don't expect any of the NIST curves to be backdoored, but I don't agree with the reasoning (which I've seen elsewhere before) that if you have doubts about the pseudorandom NIST curves due to their unexplained seeds, the NIST Koblitz curves are less suspect because that degree of freedom is missing.

I won't repeat here why I'm not actually worried about the pseudorandom curves (I don't think I could add anything to your and Douglas Stebila's arguments in the thread "Testing consensus for adding curve25519 to the EC named curve registry").

Now *if* one assumes that there's a (thin-spread but non-negligible) class of weak curves among them (so that the seeds could have been chosen to create backdoors), why would it be more far-fetched to assume that the class of Koblitz curves is weak *in its entirety*? After all, these particular curves are known to have extra structure by design!

Bodo