[curves] Second day NIST workshop notes

Watson Ladd watsonbladd at gmail.com
Mon Jun 15 11:54:00 PDT 2015


On Jun 15, 2015 11:32 AM, "Trevor Perrin" <trevp at trevp.net> wrote:
>
> On Mon, Jun 15, 2015 at 8:10 AM, Watson Ladd <watsonbladd at gmail.com> wrote:
> >
> > On Jun 15, 2015 4:24 AM, "Johannes Merkle" <johannes.merkle at secunet.com>
> > wrote:
> >>
> >> Watson Ladd wrote on 12.06.2015 at 22:36:
> >> > The reality is that most people invited don't care about security, but
> >> > the appearance of security.
>
> I'm sure that's false, and doesn't add anything to the discussion.
> Please stay technical and respectful.
>
>
> >> This statement of yours is utterly wrong and comes close to an insult. How
> >> can you deliver such a judgment when you haven't even talked to these people?
> >
> > Unfortunately there isn't a transcript of the proceedings that I've found,
> > so I'll have to rely on my fallible memory.
> >
> > But I distinctly recall complaining about Tanja's article at the second
> > panel. Not complaints about its accuracy, but that its publication put
> > unjustified suspicion on Brainpool.
>
> You're citing the day 1 panel at around 7:44
> https://www.youtube.com/watch?v=yS84gO-sy6k
>
> Lochter's complaint may be more about the tone of BADA55 than its
> contents, but he has a point - BADA55 focuses on
> "nothing-up-my-sleeve" curves, but doesn't do a similarly deep
> analysis of the flexibility of performance-based curve choices like
> 25519 or 448.

That flexibility is far less. Craig Costello could only argue that the
exact choice of security level could be manipulated, at most 521 choices.

Of course this has to be multiplied by the number of order and twist
criteria, which seem to apply to all the other proposals.

I've previously suggested he stick BADA55 in the output of a DJB style
curve generation. Hasn't happened yet. Has anyone been able to do this?

>
> Anyways, disliking the tone and the reception of a paper doesn't mean
> you "don't care about security".

There are three reasons to want to replace curves and protocols:

- They are inconvenient in ways that lead implementors down the garden path,
  with resulting real world problems.
- The NSA backdoored the NIST curves, and we need "unassailable" choices.
- Your particular implementation has trouble handling some choices of curve
  efficiently.

As far as I can tell, most participants are focused rhetorically on reasons
2 and 3, and ignoring 1. "Put it on EAL4 certified hardware" is not an
answer for a lot of applications, and is unlikely to ever be an answer for
most systems we interact with on a daily basis.

Sincerely,
Watson Ladd

>
> Trevor