[Cfrg] Criteria for the selection of new ECC mechanisms
David McGrew <mcgrew@cisco.com> Tue, 29 April 2014 14:37 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C131D1A04AC for <cfrg@ietfa.amsl.com>; Tue, 29 Apr 2014 07:37:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.152
X-Spam-Level:
X-Spam-Status: No, score=-10.152 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ku16cUT8x12 for <cfrg@ietfa.amsl.com>; Tue, 29 Apr 2014 07:37:33 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) by ietfa.amsl.com (Postfix) with ESMTP id 44E021A0908 for <cfrg@irtf.org>; Tue, 29 Apr 2014 07:37:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3311; q=dns/txt; s=iport; t=1398782249; x=1399991849; h=message-id:date:from:mime-version:to:subject: content-transfer-encoding; bh=BYKVd4dFGZqObJafvK3mGfTgIiREgKQudxajXGrCeL0=; b=eEcBZFHb8YohKFgWjzKIftJ7HOVLlpGl0iFsekTKr8apvuODd2KwFXVC eNcqebh4t6u3dDdH/d1fcgLCFGiUKhg70+fzf35W5lac4ETtA+Vj/N++F B0ZZ4xCCMgRbBfevv+GtzZupqZ4+62jH1Oeb19HqKCp+26/xGtVmoWd17 A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiMFAPG3X1OtJV2c/2dsb2JhbABZgwZPxnAWdIJkQD0PBxgDAgECAUsNCAKIPZZkslsXjW0RAW+EIQEDlR6DcoE8hSOMA4NNIYE1
X-IronPort-AV: E=Sophos;i="4.97,951,1389744000"; d="scan'208";a="39690279"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by alln-iport-8.cisco.com with ESMTP; 29 Apr 2014 14:37:28 +0000
Received: from [10.0.2.15] (rtp-mcgrew-8913.cisco.com [10.117.10.228]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id s3TEbRHv016076 for <cfrg@irtf.org>; Tue, 29 Apr 2014 14:37:27 GMT
Message-ID: <535FB927.8080909@cisco.com>
Date: Tue, 29 Apr 2014 10:37:27 -0400
From: David McGrew <mcgrew@cisco.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131103 Icedove/17.0.10
MIME-Version: 1.0
To: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/5HqjPeqU0pFoU7P8QWiIC6X4LEc
Subject: [Cfrg] Criteria for the selection of new ECC mechanisms
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2014 14:37:34 -0000
Hi CFRG,
in order to frame the discussion in today's meeting, I wrote up criteria
for new ECC mechanisms. I will go over this briefly in today's
meeting. Hopefully, this will foster good understanding about what the
important goals are, and a good discussion about how to meet our common
goals. Comments are welcome, especially when they come with suggested
text and a reference, where appropriate.
David
----
Criteria for the selection of new ECC mechanisms
David McGrew
April 28, 2014
This short note summaries the criteria that have been put forward for
new ECC mechanisms, using the requirements language typical of
standards processes. Each criterion is identified as either required
(strictly necessary) or desired (not strictly necessary, but strongly
appealing). Some criteria apply only to key exchange methods (and not
to signatures) or Password Authenticated Key Exchange (PAKE), and are
labeled as such. The Safecurves web page is an outstanding resource
for security criteria, though it does not distinguish between
properties that are essential for key exchange and those for
signatures. Sources are described in footnotes; this note aims to be
objective, but the author's opinion is reflected in some choices.
The following criteria have been identified:
Simplicity
R1. Desired: easy to understand and implement [1]
Efficiency
R2. Required: amenable to compact implementations and fast
implementations, across both small and large processors [1]
R3. Desired: re-use components between signatures and key exchange
algorithms [3]
Intellectual Property
R4. Required: available worldwide under reasonable and well
understood licensing terms [1]
R5. Desired: available worldwide under royalty-free licensing
terms [1]
Interoperability
R6. Desired: can be used with current software implementations
(using different curve parameters) of TLS, PKIX, SSH, and IKE [4]
R7. Desired: can be used within current ECC standards of TLS,
PKIX, SSH, and IKE [4]
Security
R8. Required: amenable to constant-time implementations, to avoid
side channel attacks [2]
R9. Required: resist twist attacks [2]
R10. Required: curve parameters should have good provenance;
random curves should be provably pseudorandom [5]
R11. Desired for key exchange: resist invalid curve attacks [2];
note that complete addition laws help and are thus desirable [2].
(Note that the use of ephemeral keys also resist such attacks.)
R12. Required for PAKE: indistinguishability of curve points from
random strings [2]
Footnotes:
[1] Original criteria set out for the Advanced Encryption Standard,
which is equally applicable to ECC. National Institute of
Standards and Technology (NIST) of the United States, 1998.
[2] Daniel J. Bernstein and Tanja Lange. SafeCurves: choosing safe
curves for elliptic-curve cryptography.
http://safecurves.cr.yp.to, accessed April 2014.
[3] Criteria identified by David McGrew, 2014.
[4] Criteria identified by Russ Housley, TLS WG meeting at IETF89.
[5] Criteria widely acknowledged on CFRG email list during 2014.
- Re: [Cfrg] Criteria for the selection of new ECC … Rene Struik
- Re: [Cfrg] Criteria for the selection of new ECC … Michael Hamburg
- [Cfrg] Criteria for the selection of new ECC mech… David McGrew
- Re: [Cfrg] Criteria for the selection of new ECC … David McGrew
- Re: [Cfrg] Criteria for the selection of new ECC … David McGrew
- Re: [Cfrg] Criteria for the selection of new ECC … Rene Struik
- Re: [Cfrg] Criteria for the selection of new ECC … Michael Hamburg
- Re: [Cfrg] Criteria for the selection of new ECC … David McGrew
- Re: [Cfrg] Criteria for the selection of new ECC … Michael Hamburg
- Re: [Cfrg] Criteria for the selection of new ECC … Dan Harkins
- Re: [Cfrg] Criteria for the selection of new ECC … Rene Struik
- Re: [Cfrg] Criteria for the selection of new ECC … Paul Lambert
- Re: [Cfrg] Criteria for the selection of new ECC … Johannes Merkle