[Ach] choosing safe curves for elliptic-curve cryptography

Aaron Zauner azet at azet.org
Mon May 12 19:02:26 CEST 2014


Hi Joe,

Joe St Sauver wrote:
> Hi,
> 
> Aaron commented:
> 
> #Reference to their project has been in our paper almost since the
> #beginning (see theory sections - ECC).
> #Discussion here on this list hasn't shifted to that topic for a while
> #though.
> 
> I actually did a talk on "Cryptographic Best Practices in the Post-Snowden
> Era" just last week at the Educause Security Professionals 2014 meeting, 
> see http://pages.uoregon.edu/joe/crypto-bcp/crypto-bcp.pdf
Thanks, currently reading through the massive number of slides.
> 
> After thinking about ECC for a bit, here are my observations/concerns:
> 
> -- Suite B crypto from the NSA uses elliptic curve, and specifies curve
>    P-256 and curve P-384 for SECRET and TOP SECRET respectively. See
>    https://www.cnss.gov/CNSS/issuances/Policies.cfm (CNSSP No 15,
>    "Use of Public Standards for the Secure Sharing of Information Among
>    NSS," Released 10/01/2012)
The thing is - most of us do not live in the US, and of those who do,
most probably do not work for or serve the government, which means we can
safely disregard any NSA or NIST/FIPS recommendations without business
impact. We should focus on getting other curves (e.g. those designed by
Prof. Bernstein et al.) into IETF standards.

> -- Yet, http://safecurves.cr.yp.to/ unambiguously flags those curves as 
>    NOT safe; see "Security Dangers of the NIST Curves" at 
>    http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf
>    for more. I'm not sure how to resolve this point with the preceding
>    point.
As far as I can tell from my limited understanding of elliptic curve
security - not all of the issues raised on this page directly reflect on
real-world security when these curves are used. Most do, though.

> -- If you want to do ECC for publicly trusted certs, you need them 
>    issued from an appropriate root. Currently Mozilla only appears to 
>    know about four (4) ECC roots, see
>    http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/
Yup. But that's ECDSA only, and issues with DSA and ECDSA have been
raised over and over again; the last good post on this issue is - again
- by djb: blog.cr.yp.to/20140323-ecdsa.html

The voiced critique of ECC as standardized by the IETF does not only
concern ECDSA but also - IMHO more importantly - ECDH handshakes.

> -- Not surprisingly, ECC deployment to date appears to have been 
>    quite limited
ECDSA, that is. ECDH is widespread.

Aaron
