
From gmaxwell@gmail.com  Thu Oct 17 14:09:12 2013
Date: Thu, 17 Oct 2013 14:09:06 -0700
Message-ID: <CAAS2fgRG2AbZsz_4aF33Pd167M4-6=-73WAAgxTAjLMdoGNLeQ@mail.gmail.com>
From: Gregory Maxwell <gmaxwell@gmail.com>
To: openpgp@ietf.org
Content-Type: text/plain; charset=UTF-8
Subject: [openpgp] Curve3617 in OpenPGP? Beyond rfc6637.
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Oct 2013 21:09:12 -0000

With the recent concerns about the integrity of the NIST specified ECC
curves many protocols are looking to non-NIST alternatives for their
EC crypto needs.

Is anyone considering using Curve3617 in OpenPGP? The case for the
design approach is made at http://safecurves.cr.yp.to/ and is
generally pretty compelling.

[Arguably for OpenPGP use it would be nice to see a ~1024 bit curve
produced with the same engineering methodology: for most uses of
OpenPGP performance is not a major limitation (1024 bit ECC could be
adequately fast on an embedded device) nor are 128 bytes more of
signature data, but long term security is... Index calculus results in
security that scales similar to integer factoring, so there is an
argument that even unknown breakthroughs that render common ECC
insecure would simply be reducing it to RSA like security.]

Along those lines, has there been any proposal for supporting a Merkle
signature scheme for long term master identity keys?  For a master
identity key that delegates signing a finite (but potentially large)
amount of reuse is not problematic at all. Relatively large signatures
are not problematic in many applications, and these signatures would
have nicely orthogonal security to discrete log based cryptosystems
and are strong against quantum computers.  (And regardless of how much of
a threat you personally consider quantum computers on the time scales
you consider relevant, FUD related to them "oh but the XYZ has QC's
see this dwave hype, no reason to use crypto at all" is harmful to the
public.)

From jon@callas.org  Thu Oct 17 18:38:22 2013
From: Jon Callas <jon@callas.org>
In-Reply-To: <CAAS2fgRG2AbZsz_4aF33Pd167M4-6=-73WAAgxTAjLMdoGNLeQ@mail.gmail.com>
Date: Thu, 17 Oct 2013 18:37:58 -0700
Message-Id: <CBE39208-C436-4145-A645-10380145F200@callas.org>
References: <CAAS2fgRG2AbZsz_4aF33Pd167M4-6=-73WAAgxTAjLMdoGNLeQ@mail.gmail.com>
To: Gregory Maxwell <gmaxwell@gmail.com>
Cc: openpgp@ietf.org, Jon Callas <jon@callas.org>
Subject: Re: [openpgp] Curve3617 in OpenPGP? Beyond rfc6637.

On Oct 17, 2013, at 2:09 PM, Gregory Maxwell <gmaxwell@gmail.com> wrote:

> With the recent concerns about the integrity of the NIST specified ECC
> curves many protocols are looking to non-NIST alternatives for their
> EC crypto needs.
>
> Is anyone considering using Curve3617 in OpenPGP? The case for the
> design approach is made at http://safecurves.cr.yp.to/ and is
> generally pretty compelling.

Andrey would know best, but my reading of RFC 6637 leads me to think
that all you need is an OID for the curve and you're golden.

We're going to be using Curve3617 for Silent Circle as a replacement for
P-384.

>
> [Arguably for OpenPGP use it would be nice to see a ~1024 bit curve
> produced with the same engineering methodology: for most uses of
> OpenPGP performance is not a major limitation (1024 bit ECC could be
> adequately fast on an embedded device) nor are 128 bytes more of
> signature data, but long term security is... Index calculus results in
> security that scales similar to integer factoring, so there is an
> argument that even unknown breakthroughs that render common ECC
> insecure would simply be reducing it to RSA like security.]

Why ever would you want a 1Kbit curve? Sure, arguably, but please make
the argument. As it is, Curve3617 is more than one really needs. I'm
genuinely interested.

	Jon



From gmaxwell@gmail.com  Fri Oct 18 00:20:47 2013
In-Reply-To: <CBE39208-C436-4145-A645-10380145F200@callas.org>
References: <CAAS2fgRG2AbZsz_4aF33Pd167M4-6=-73WAAgxTAjLMdoGNLeQ@mail.gmail.com> <CBE39208-C436-4145-A645-10380145F200@callas.org>
Date: Fri, 18 Oct 2013 00:20:38 -0700
Message-ID: <CAAS2fgRZCS9y9LOG62fG5NOyz_DA8bek5L-rWMrhXrAt4EKLUA@mail.gmail.com>
From: Gregory Maxwell <gmaxwell@gmail.com>
To: openpgp@ietf.org
Subject: Re: [openpgp] Curve3617 in OpenPGP? Beyond rfc6637.

Jon Callas <jon at callas.org> wrote:
> Why ever would you want a 1Kbit curve? Sure, arguably, but please make
> the argument. As it is, Curve3617 is more than one really needs. I'm
> genuinely interested.

The fastest method for solving the discrete log problem in finite
fields is index calculus. It is not known to be applicable to the
elliptic curves we use for cryptography (or obviously we wouldn't be
using them), modifications of the technique are applicable to
super-singular curves / extension fields and where applicable they
have sub-exponential scaling similar to the number field sieve for
factoring. While it's not believed that there can exist a
straightforward adaptation to currently-believed strong curves, if one
were to be discovered it would render any of the common sizes
practically insecure.

It would be terrible indeed to migrate to ECC only to end up with keys
no more secure than 512 bit RSA.

But by comparison to performance in other groups a of size to around
1024 bits but leave the crypto system secure in practice even if index
calculus could be directly applied.

(Sorry for delay in responding, but I spent a little while googling
around to see if I was the only person thinking like this. I found a
number of things, the most amusing an old post of Bruce Schneier's:
"Realize, though, that someday -- next year, in ten years, in a
century -- someone may figure out how to define smoothness, or
something even more useful, in elliptic curves. If that happens, you
will have to use the same key lengths as you would with conventional
discrete logarithm algorithms, and there will be no reason to ever use
elliptic curves. "
https://www.schneier.com/crypto-gram-9911.html#EllipticCurvePublic-KeyCryptography
)

For many personal communications applications involving end to end
encryption— though certainly not all— speed is only an issue if you're
talking about hundreds of milliseconds, bandwidth is an issue only if
you're talking about tens of kilobytes.  In these applications, when
we're talking about long term security for _unspecified applications_
(meaning, we should assume the cryptosystem is life critical and the
attacker is state level, because we've not specified an application
that excludes these parameters) then it seems obviously prudent to
use more of the available speed and bandwidth budget to increase
security.

The next question for that should be _how_ to go about increasing the
security.  One answer would be to pair up an orthogonal asymmetric
cryptosystem, but all the abelian hidden subgroup problems seem to
share a common fate— improvements in discrete log tend to result in
factoring improvements.  For signatures Merkle signatures might fit,
but for encryption the asymmetric cryptosystems which appear unrelated
all have overheads which probably do take us outside of the available
budget.

But a larger curve would not. Nor would it impose a very large
implementation or design complexity overhead. Nor would it be so
expensive that it would be unduly burdensome to users who don't want
it when they are forced to interact with it (as a 250kbyte McEliece +
ECDH public key would). And it may well provide additional security
against currently unknown risks.

As a design principle, if the user has bandwidth and cpu to spare— it
would be quite sad to see his security fail simply because the
software didn't care to offer a maximally conservative option.

Failing to have a solid "I don't care about the speed/size, crank my
security to 11" option also creates a great market opportunity for
non-standard cryptography which turns out to be snake-oil "crank it up
to 11 (mod 10)", and increases the risk that users fail to use
encryption at all because they are too easily convinced by FUD that
the cryptography isn't strong.

From wk@gnupg.org  Fri Oct 18 00:30:37 2013
From: Werner Koch <wk@gnupg.org>
To: Jon Callas <jon@callas.org>
References: <CAAS2fgRG2AbZsz_4aF33Pd167M4-6=-73WAAgxTAjLMdoGNLeQ@mail.gmail.com> <CBE39208-C436-4145-A645-10380145F200@callas.org>
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
OpenPGP: id=1E42B367; url=finger:wk@g10code.com
Date: Fri, 18 Oct 2013 09:24:56 +0200
In-Reply-To: <CBE39208-C436-4145-A645-10380145F200@callas.org> (Jon Callas's message of "Thu, 17 Oct 2013 18:37:58 -0700")
Message-ID: <87iowvghx3.fsf@vigenere.g10code.de>
Cc: Gregory Maxwell <gmaxwell@gmail.com>, openpgp@ietf.org
Subject: Re: [openpgp] Curve3617 in OpenPGP? Beyond rfc6637.

On Fri, 18 Oct 2013 03:37, jon@callas.org said:

> Andrey would know best, but my reading of RFC 6637 leads me to think that all you need is an OID for the curve and you're golden.

Right.  I plan to make Ed25519 the default in GnuPG - 256 bit ECC is a
good replacement for the current defaults - eventually other curves will
be added as well.  One drawback with rfc6637 is that we can't yet use
compressed points.  This is a minor drawback because introducing this
later would still allow to keep on using the same keys.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


From gmaxwell@gmail.com  Fri Oct 18 00:57:31 2013
In-Reply-To: <87iowvghx3.fsf@vigenere.g10code.de>
References: <CAAS2fgRG2AbZsz_4aF33Pd167M4-6=-73WAAgxTAjLMdoGNLeQ@mail.gmail.com> <CBE39208-C436-4145-A645-10380145F200@callas.org> <87iowvghx3.fsf@vigenere.g10code.de>
Date: Fri, 18 Oct 2013 00:57:25 -0700
Message-ID: <CAAS2fgS+Z_OmCzavCsSubQi3oaX-gUt9uv6Uio-rA-wpszF5Wg@mail.gmail.com>
From: Gregory Maxwell <gmaxwell@gmail.com>
To: Werner Koch <wk@gnupg.org>
Cc: openpgp@ietf.org, Jon Callas <jon@callas.org>
Subject: Re: [openpgp] Curve3617 in OpenPGP? Beyond rfc6637.

On Fri, Oct 18, 2013 at 12:24 AM, Werner Koch <wk@gnupg.org> wrote:
> This is a minor drawback because introducing this
> later would still allow to keep on using the same keys.

Beyond the obvious doubling the size of the keys for no increase in
security (and that implementers often make mistakes and do things like
fail to validate the points, which I guess isn't an issue for ed25519
as it is twist secure), it would make it gratuitously incompatible with
all the existing (esp fast constant time code) implementations which
work on the X coordinate alone.

That's unfortunate, if not the end of the world.

From wk@gnupg.org  Fri Oct 18 01:35:37 2013
From: Werner Koch <wk@gnupg.org>
To: Gregory Maxwell <gmaxwell@gmail.com>
References: <CAAS2fgRG2AbZsz_4aF33Pd167M4-6=-73WAAgxTAjLMdoGNLeQ@mail.gmail.com> <CBE39208-C436-4145-A645-10380145F200@callas.org> <87iowvghx3.fsf@vigenere.g10code.de> <CAAS2fgS+Z_OmCzavCsSubQi3oaX-gUt9uv6Uio-rA-wpszF5Wg@mail.gmail.com>
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
OpenPGP: id=1E42B367; url=finger:wk@g10code.com
Date: Fri, 18 Oct 2013 10:29:22 +0200
In-Reply-To: <CAAS2fgS+Z_OmCzavCsSubQi3oaX-gUt9uv6Uio-rA-wpszF5Wg@mail.gmail.com> (Gregory Maxwell's message of "Fri, 18 Oct 2013 00:57:25 -0700")
Message-ID: <87vc0vf0d9.fsf@vigenere.g10code.de>
Cc: openpgp@ietf.org, Jon Callas <jon@callas.org>
Subject: Re: [openpgp] Curve3617 in OpenPGP? Beyond rfc6637.

On Fri, 18 Oct 2013 09:57, gmaxwell@gmail.com said:

> as it is twist secure), it would make it gratuitously incompatible with all
> the existing (esp fast constant time code) implementations which work
> on the X coordinate alone.

Nope.  First, there is no released OpenPGP implementation with ECC yet.
Second, there is no incompatibility because it is still the same point
and actually it is faster to use because there is no need for
uncompressing.  Note also that compressing is an old technique which
is simply not used because in the Weierstrass form it is patented (till
next year).


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


From gmaxwell@gmail.com  Fri Oct 18 01:42:13 2013
In-Reply-To: <87vc0vf0d9.fsf@vigenere.g10code.de>
References: <CAAS2fgRG2AbZsz_4aF33Pd167M4-6=-73WAAgxTAjLMdoGNLeQ@mail.gmail.com> <CBE39208-C436-4145-A645-10380145F200@callas.org> <87iowvghx3.fsf@vigenere.g10code.de> <CAAS2fgS+Z_OmCzavCsSubQi3oaX-gUt9uv6Uio-rA-wpszF5Wg@mail.gmail.com> <87vc0vf0d9.fsf@vigenere.g10code.de>
Date: Fri, 18 Oct 2013 01:42:11 -0700
Message-ID: <CAAS2fgQvoBZPsVyE9uthoXB_rSuuX5VF2HM-ihjmbsdmWKpKCw@mail.gmail.com>
From: Gregory Maxwell <gmaxwell@gmail.com>
To: Werner Koch <wk@gnupg.org>
Cc: openpgp@ietf.org, Jon Callas <jon@callas.org>
Subject: Re: [openpgp] Curve3617 in OpenPGP? Beyond rfc6637.

On Fri, Oct 18, 2013 at 1:29 AM, Werner Koch <wk@gnupg.org> wrote:
> and actually it is faster to use because there is no need for
> uncompressing.

Not so at least for ECDH, e.g. the implementation in curve25519 uses a
multiplier that really does work on the X coordinate alone. For other
curves (which are not twist secure), generally time spent
uncompressing is not too much slower than the sqrt needed to check that
the point is on the curve.
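
[Added example, not part of any message in this thread and not code from GnuPG or any poster: a Python sketch of the point-encoding trade-off debated above. It assumes NIST P-256 and the SEC 1 prefix bytes 04 (uncompressed) and 02/03 (compressed); all function names are hypothetical. It shows that an uncompressed point is validated without a square root, that decompression and an x-only on-curve test each cost one modular exponentiation, and that both encodings yield the same point.]

```python
# Added illustration: point encodings on NIST P-256, a Weierstrass curve
# y^2 = x^3 + a*x + b over GF(p) with p % 4 == 3 (so sqrt is one pow()).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
FIELD_BYTES = 32


def rhs(x):
    """Right-hand side x^3 + a*x + b of the curve equation, mod p."""
    return (pow(x, 3, P) + A * x + B) % P


def on_curve(x, y):
    """Full-point check: a few multiplications and a compare, no sqrt."""
    return 0 <= x < P and 0 <= y < P and (y * y - rhs(x)) % P == 0


def x_on_curve(x):
    """x-only check via Euler's criterion: one modular exponentiation,
    the same order of cost as the square root used for decompression."""
    return 0 <= x < P and pow(rhs(x), (P - 1) // 2, P) in (0, 1)


def encode_uncompressed(x, y):
    """04 || X || Y (65 bytes for P-256)."""
    if not on_curve(x, y):
        raise ValueError("refusing to encode a point that is not on the curve")
    return b"\x04" + x.to_bytes(FIELD_BYTES, "big") + y.to_bytes(FIELD_BYTES, "big")


def compress(x, y):
    """02/03 || X (33 bytes); the prefix carries the parity of y."""
    if not on_curve(x, y):
        raise ValueError("refusing to encode a point that is not on the curve")
    return bytes([2 + (y & 1)]) + x.to_bytes(FIELD_BYTES, "big")


def decode_point(data):
    """Parse either encoding and reject anything that is not on the curve."""
    if len(data) == 1 + 2 * FIELD_BYTES and data[0] == 4:
        x = int.from_bytes(data[1:1 + FIELD_BYTES], "big")
        y = int.from_bytes(data[1 + FIELD_BYTES:], "big")
        if not on_curve(x, y):
            raise ValueError("uncompressed point is not on the curve")
        return x, y
    if len(data) == 1 + FIELD_BYTES and data[0] in (2, 3):
        x = int.from_bytes(data[1:], "big")
        if x >= P:
            raise ValueError("x coordinate out of range")
        r = rhs(x)
        y = pow(r, (P + 1) // 4, P)      # candidate square root of r
        if y * y % P != r:               # r is a non-residue: x is on the twist
            raise ValueError("x has no matching y on the curve")
        if (y & 1) != (data[0] & 1):
            y = (P - y) % P              # pick the root with the encoded parity
        if (y & 1) != (data[0] & 1):     # only possible when y == 0
            raise ValueError("non-canonical compressed encoding")
        return x, y
    raise ValueError("unsupported point encoding")


def decode_point_unchecked(data):
    """The implementer mistake mentioned in the thread: parse 04 || X || Y
    and trust the sender, with no on-curve validation at all."""
    x = int.from_bytes(data[1:1 + FIELD_BYTES], "big")
    y = int.from_bytes(data[1 + FIELD_BYTES:], "big")
    return x, y


def first_x_on_twist(start=1):
    """Smallest x >= start for which no curve point exists."""
    x = start
    while x_on_curve(x):
        x += 1
    return x


if __name__ == "__main__":
    # Constructed sample inputs: the P-256 base point in both encodings.
    comp, unc = compress(GX, GY), encode_uncompressed(GX, GY)
    print(len(comp), len(unc), decode_point(comp) == decode_point(unc))
    bad_x = first_x_on_twist()
    print("x =", bad_x, "on curve:", x_on_curve(bad_x))
```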

From iang@iang.org  Fri Oct 18 01:50:32 2013
Message-ID: <5260F643.6030701@iang.org>
Date: Fri, 18 Oct 2013 11:50:11 +0300
From: ianG <iang@iang.org>
To: openpgp@ietf.org
References: <CAAS2fgRG2AbZsz_4aF33Pd167M4-6=-73WAAgxTAjLMdoGNLeQ@mail.gmail.com>	<CBE39208-C436-4145-A645-10380145F200@callas.org> <CAAS2fgRZCS9y9LOG62fG5NOyz_DA8bek5L-rWMrhXrAt4EKLUA@mail.gmail.com>
In-Reply-To: <CAAS2fgRZCS9y9LOG62fG5NOyz_DA8bek5L-rWMrhXrAt4EKLUA@mail.gmail.com>
Subject: Re: [openpgp] Curve3617 in OpenPGP? Beyond rfc6637.

On 18/10/13 10:20 AM, Gregory Maxwell wrote:

> ....   In these applications, when
> we're talking about long term security for _unspecified applications_
> (meaning, we should assume the cryptosystem is life critical and the
> attacker is state level, because we've not specified an application
> that excludes these parameters) then it seems obviously prudent to
> use more of the available speed and bandwidth budget to increase
> security.


Excellent and complete argumentation.  I don't necessarily agree with 
the statements, but I applaud the full presentation!



iang

From openpgp@brainhub.org  Fri Oct 18 10:11:56 2013
Message-ID: <52616ACB.2070108@brainhub.org>
Date: Fri, 18 Oct 2013 10:07:23 -0700
From: Andrey Jivsov <openpgp@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130805 Thunderbird/17.0.8
MIME-Version: 1.0
To: openpgp@ietf.org
References: <CAAS2fgRG2AbZsz_4aF33Pd167M4-6=-73WAAgxTAjLMdoGNLeQ@mail.gmail.com> <CBE39208-C436-4145-A645-10380145F200@callas.org> <87iowvghx3.fsf@vigenere.g10code.de> <CAAS2fgS+Z_OmCzavCsSubQi3oaX-gUt9uv6Uio-rA-wpszF5Wg@mail.gmail.com> <87vc0vf0d9.fsf@vigenere.g10code.de>
In-Reply-To: <87vc0vf0d9.fsf@vigenere.g10code.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [openpgp] Curve3617 in OpenPGP? Beyond rfc6637.

On 10/18/2013 01:29 AM, Werner Koch wrote:
> On Fri, 18 Oct 2013 09:57, gmaxwell@gmail.com said:
>
>> as it is twist secure), it would make it gratuitously incompatible with all
>> the existing (esp fast constant time code) implementations which work
>> on the X coordinate alone.
>
> Nope.  First, there is no released OpenPGP implementation with ECC yet.

One could google for "pgp command line with ecc support" and see a few 
hits. I clearly recall working on one product that was released.

> Second, there is no incompatibility because it is still the same point
> and actually it is faster to use because there is no need for
> uncompressing.  Note also that compressing is an old technique which
> is simply not used because in the Weierstrass form it is patented (till
> next year).

http://tools.ietf.org/html/draft-jivsov-ecc-compact-00 is based on a 
year 1986 method. You need an unambiguous definition for the DSA (not ECDH).

From wk@gnupg.org  Mon Oct 21 04:20:42 2013
From: Werner Koch <wk@gnupg.org>
To: Andrey Jivsov <openpgp@brainhub.org>
References: <CAAS2fgRG2AbZsz_4aF33Pd167M4-6=-73WAAgxTAjLMdoGNLeQ@mail.gmail.com> <CBE39208-C436-4145-A645-10380145F200@callas.org> <87iowvghx3.fsf@vigenere.g10code.de> <CAAS2fgS+Z_OmCzavCsSubQi3oaX-gUt9uv6Uio-rA-wpszF5Wg@mail.gmail.com> <87vc0vf0d9.fsf@vigenere.g10code.de> <52616ACB.2070108@brainhub.org>
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
OpenPGP: id=1E42B367; url=finger:wk@g10code.com
Date: Mon, 21 Oct 2013 13:14:14 +0200
In-Reply-To: <52616ACB.2070108@brainhub.org> (Andrey Jivsov's message of "Fri,  18 Oct 2013 10:07:23 -0700")
Message-ID: <87ob6iev09.fsf@vigenere.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: openpgp@ietf.org
Subject: Re: [openpgp] Curve3617 in OpenPGP? Beyond rfc6637.

On Fri, 18 Oct 2013 19:07, openpgp@brainhub.org said:

>> Nope.  First, there is no released OpenPGP implementation with ECC yet.
>
> One could google for "pgp command line with ecc support" and see a few
> hits. I clearly recall working on one product that was released.

I would not count beta versions as "released" ;-). In any case, it does
not matter because the used curve does not matter RFC-wise.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

