Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-21 Thread Eric Rescorla
On Tue, Jul 21, 2015 at 7:20 PM, Ilari Liusvaara < ilari.liusva...@elisanet.fi> wrote: > On Tue, Jul 21, 2015 at 11:30:15AM -0400, Dave Garrett wrote: > > On Tuesday, July 21, 2015 10:47:05 am Ilari Liusvaara wrote: > > > I thought that Brainpool curves weren't removed (even if those aren't > > >

Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-21 Thread Ilari Liusvaara
On Tue, Jul 21, 2015 at 11:30:15AM -0400, Dave Garrett wrote: > On Tuesday, July 21, 2015 10:47:05 am Ilari Liusvaara wrote: > > I thought that Brainpool curves weren't removed (even if those aren't > > explicitly in), which are random prime curves. > > > > Also, the security of binary curves seem

Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-21 Thread Dave Garrett
On Tuesday, July 21, 2015 10:47:05 am Ilari Liusvaara wrote: > I thought that Brainpool curves weren't removed (even if those aren't > explicitly in), which are random prime curves. > > Also, the security of binary curves seems quite questionable. Brainpool curves aren't in the TLS 1.3 draft, but

Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-21 Thread Ilari Liusvaara
On Tue, Jul 21, 2015 at 04:39:17PM +0200, Johannes Merkle wrote: > > I absolutely back up this position. Currently, the TLS 1.3 draft only permits > curves over special primes. It has become > quite clear in the discussions in CFRG and at the NIST ECC workshop that some > parties (major hardware

Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-21 Thread Johannes Merkle
Rene Struik schrieb am 16.07.2015 um 03:42: > Dear colleagues: > > It seems prudent to keep some diversity of the gene pool and not only have > curves defined over prime curves. Similarly, > one should perhaps have some diversity of gene pool criteria within the set > of recommend curves and not

Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-16 Thread Rene Struik
To respond more specifically to your concerns: On Wed, Jul 15, 2015 at 6:42 PM, Rene Struik <rstruik@gmail.com> wrote: It seems prudent to keep some diversity of the gene pool and not

Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-16 Thread Blumenthal, Uri - 0553 - MITLL
To respond more specifically to your concerns: On Wed, Jul 15, 2015 at 6:42 PM, Rene Struik wrote: It seems prudent to keep some diversity of the gene pool and not only have curves defined over prime curves. Similarly, one should

Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-16 Thread Dan Brown
attacks have shown, so one can focus on more speculative threats, and to choose better seeds, etc. Original Message From: Viktor Dukhovni Sent: Thursday, July 16, 2015 12:45 AM To: tls@ietf.org Reply To: tls@ietf.org Subject: Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1 On

Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-15 Thread Viktor Dukhovni
On Thu, Jul 16, 2015 at 12:17:28AM -0400, Dave Garrett wrote: > Side question: what is the meaning of the "r" in the naming convention we > use? (e.g. secp521r1, & sect571r1 vs. sect571k1) The "r" means that a mysterious seed can be used to "verify" that the curve parameters are ("nothing up my sle

Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-15 Thread Dave Garrett
On Wednesday, July 15, 2015 10:31:12 pm Tony Arcieri wrote: > Binary curves in particular are showing warning signs of potential future > security issues: > > https://eprint.iacr.org/2015/310.pdf > > I think even if we don't completely pare down the TLS curve portfolio to > the list I suggested,

Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-15 Thread Tony Arcieri
To respond more specifically to your concerns: On Wed, Jul 15, 2015 at 6:42 PM, Rene Struik wrote: > It seems prudent to keep some diversity of the gene pool and not only have > curves defined over prime curves. Similarly, one should perhaps have some > diversity of gene pool criteria within the

Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-15 Thread Jeffrey Walton
> It seems prudent to keep some diversity of the gene pool and not only have > curves defined over prime curves. Similarly, one should perhaps have some > diversity of gene pool criteria within the set of recommend curves and not > only include special primes. Should some problem with a particular

Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-15 Thread Tony Arcieri
On Wed, Jul 15, 2015 at 6:42 PM, Rene Struik wrote: > Dear colleagues: > > It seems prudent to keep some diversity of the gene pool and not only have > curves defined over prime curves. Similarly, one should perhaps have some > diversity of gene pool criteria within the set of recommend curves an

[TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-15 Thread Rene Struik
Dear colleagues: It seems prudent to keep some diversity of the gene pool and not only have curves defined over prime curves. Similarly, one should perhaps have some diversity of gene pool criteria within the set of recommend curves and not only include special primes. Should some problem with