Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,

["Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>]

IMHO verifiably random generation of curves is desirable.

--
Regards,
Uri Blumenthal Voice: (781) 981-1638
Cyber Systems and Technology Fax: (781) 981-0186
MIT Lincoln Laboratory Cell: (339) 223-5363
244 Wood Street Email: <uri@ll.mit.edu>
Lexington, MA 02420-9185

Web: http://www.ll.mit.edu/CST/



MIT LL Root CA:

<https://www.ll.mit.edu/labcertificateauthority.html>


DSN: 478-5980 ask Lincoln ext.1638

From: Eric Rescorla [mailto:ekr@rtfm.com]
Sent: Thursday, June 26, 2014 06:10 PM
To: Michael StJohns <msj@nthpermutation.com>
Cc: tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,




On Thu, Jun 26, 2014 at 2:59 PM, Michael StJohns <msj@nthpermutation.com<mailto:msj@nthpermutation.com>> wrote:
There's been a small but vocal minority agitating for the adoption of Curve25519 for use in TLS (and other IETF protocols).  As the discussion has gone on, what I haven't seen is compelling evidence that this technology has been vetted sufficiently that it would meet the "Best Commercial Practices" threshold for safe harbor status for encryption.  It may eventually get there, but for at least the next few (5-10??) years, I would expect businesses to avoid the use in privacy sensitive, or financially sensitive operations.

There are also possible IPR issues, definite infrastructure issues (e.g. no off the shelf, commercial hardware or software AFAIK), documentation issues (not the base curve, but how to incorporate curve data into certificates and other protocol messages, and the fact it's key agreement only (vs the current EC curves which can be used for both signature and agreement).  A long list of items that probably, but not definitely, can be resolved.

AFACT, one of the main reasons for looking at Curve25519 (possibly more important than performance or security) is that there is a fear that the US Government has placed trapdoors in the current set of curves (NIST P256, P384, P521 etc).   The argument against the "provably random" creation claim with respect to those curves appears to be that many "seed" values could have been generated to generate curve parameters and those curves tested to find "weak" curves of a particular flavor and the seeds for weak curves retained.  In other words, we don't know how the seed values were generated and it could be nefarious.  I haven't as yet found any argument against the generation process, nor specifically against the elliptic curve math.

Given that the EC math in FIPS186, X9.62, X9.63, SP800-56A, SEC1, and the various ISO documents is pretty much identical, instead of throwing away all that implementation and standardization, how about we just generate new curves:

[Snip]
I'm cutting here because I would like to encourage WG members to
focus on the general merits of this suggestion (or lack thereof, depending
on your perspective) rather than on the specific details of the procedure
Mike has proposed. I think it's clear that we could develop a procedure
for producing verifiably random seeds, but let's try to figure out first
whether that's a good idea before we worry about how to do it.

Also, this seems like a bigger topic than TLS. Perhaps the
AD should sponsor a discussion in SAAG?

-Ekr