[curves] CFRG's 25519 proposal
Trevor Perrin
trevp at trevp.net
Thu Nov 27 06:40:11 PST 2014
So the latest "new curves" idea from IETF's CFRG (which is considering
curves to recommend for TLS) is to use the 25519 field prime with a
minor tweak to a different "A" value.
http://www.ietf.org/mail-archive/web/cfrg/current/msg05600.html
Of course, this breaks compatibility with existing 25519 uses: Tor,
iOS,OpenSSH, GnuPG, TextSecure, WhatsApp, NaCl and its many users:
(Pond, Threema, CryptoCat, CurveZMQ), and so on.
I imagine most of these projects won't change. (I work on TextSecure,
and we won't replace keys and code for a meaningless tweak like this).
So this would fragment the 25519 landscape into 2 curves, both of
which require support indefinitely.
It's hard for me to understand this proposal. My guess is Microsoft
has invested a bunch of time in proposing new curves and is insistent
that they get to put some stamp on the result. And I guess Google's
gotten tired of IETF's curve dithering, and only cares about TLS, so
is willing to concede.
But given the larger context of 25519 adoption, which includes a lot
more protocols than just TLS, and where DJB's existing 25519 curve has
significant traction, this seems like a terrible idea.
Anyone disagree?
Trevor
More information about the Curves
mailing list