[Ach] choosing safe curves for elliptic-curve cryptography

Joe St Sauver joe at oregon.uoregon.edu
Mon May 12 16:53:30 CEST 2014


Aaron commented:

#Reference to their project has been in our Paper since almost from the
#beginning (see theory sections - ECC).
#Discussion here on this list hasn't shifted to that topic for a whole

I actually did a talk on "Cryptographic Best Practices in the Post-Snowden
Era" just last week at the Educause Security Professionals 2014 meeting, 
see http://pages.uoregon.edu/joe/crypto-bcp/crypto-bcp.pdf

After thinking about ECC for a bit, here are my observations/concerns:

-- Suite B crypto from the NSA uses elliptic curve, and specifies curve
   P-256 and curve P-384 for SECRET and TOP SECRET respectively. See
   https://www.cnss.gov/CNSS/issuances/Policies.cfm (CNSSP No 15,
   Use of Public Standards for the Secure Sharing of Information Among
   NSS," Released 10/01/2012)

-- Yet, http://safecurves.cr.yp.to/ unambiguously flags those curves as 
   NOT safe; see "Security Dangers of the NIST Curves" at 
   for more. I'm not sure how to resolve this point with the preceding

-- If you want to do ECC for publicly trusted certs, you need them 
   issued from an appropriate root. Currently Mozilla only appears to 
   know about four (4) ECC roots, see

-- Whatever curve you want to use also needs to be supported by the
   crypto library you're using on your server, and by your browser; 
   that may further constrain your options

-- Not surprisingly, ECC deployment to date appears to have been 
   quite limited

-- All of the above said, some pretty smart folks are moving to 
   ECC with alternative cuves, including the folks at Silent Cicle, 
   and Google (as I discuss on slide 76 of my talk)

Hard to know what to say, given the preceding. I'd love to hear what
people think on this issue, however.



More information about the Ach mailing list