[Ach] choosing safe curves for elliptic-curve cryptography

Joe St Sauver joe at oregon.uoregon.edu
Mon May 12 19:03:21 CEST 2014


Aaron commented:

#> see http://pages.uoregon.edu/joe/crypto-bcp/crypto-bcp.pdf
#Thanks, currently reading through the massive amount of slides

It's like flipping through a comic book, it actually reads pretty quickly. :-;

#> -- Suite B crypto from the NSA uses elliptic curve, and specifies curve=
#>    P-256 and curve P-384 for SECRET and TOP SECRET respectively. See
#>    https://www.cnss.gov/CNSS/issuances/Policies.cfm (CNSSP No 15,
#>    Use of Public Standards for the Secure Sharing of Information Among
#>    NSS," Released 10/01/2012)
#The thing is - most of us do not live in the US and of those who do,
#most probably do not work or serve government, which means we can safely
#disregard any NSA, NIST/FIPS recommendations without business impact. We
#should focus on getting other curves (e.g. those designed by prof.
#bernstein et al.) into IETF standards.

One of the points I make in my presentation is that, like it or not,
the NIST crypto standards appear to be adopted incredibly broadly. I'm
simply not seeing a lot of alternatives that are widely supported and

US or non-US, people seem to do NIST crypto standards by default.

And the point about mentioning the Suite B crypto is that if you *do*
believe in the NIST crypto standards, it's *supposed* to be the most
secure option available -- if anyone's actually using it -- and yet,
I'm also seeing safecurves.cr.yp.to showing a yellow card for those

#> -- Yet, http://safecurves.cr.yp.to/ unambiguously flags those curves as
#>    NOT safe; see "Security Dangers of the NIST Curves" at=20
#>    http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf
#>    for more. I'm not sure how to resolve this point with the preceding
#>    point.
#As far as I can tell from my limited understanding of elliptic curve
#security - not all of the issues raised on this page do directly reflect
#on real world security when these curves are used. Most do though.

If you just focus on the "Safe?" column, the news for the NIST recommended
curves isn't good.

That's the fundamental conflict, and one that I'd love to see addressed
by NIST. *Is* there a problem with the Suite B recommended/required curves,
or not?

And if there *is* a problem with the Suite B recommended/required curves,
then what's the answer for MS Windows, where, as far as I know, those
may be the *only* supported ECC curves? (per
http://msdn.microsoft.com/en-us/library/windows/desktop/bb204775%28v=vs.85%29.aspx#suite_b_support )

I ask not to be a PITA, but because I'm having trouble pounding all 
the blocks into the frame given the set of applicable constraints.



More information about the Ach mailing list