[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cryptography] FW: real world binary ecc

On 2020-11-15 2:45 p.m., Salz, Rich via cryptography wrote:
Forwarded with permission; Nicoli is one of the (sic) key implementors of ECC in the OpenSSL project.

On 11/15/20, 10:19 AM, "Nicola Tuveri" <nic.tuv AT gmail.com> wrote:

     > suppose you want to create a new TLS library.  Should you support binary curves?

     I'd dare say, from an implementer perspective, the answer to this is
     "likely no".
     RFC 8422, in obsoleting RFC 4492, has de facto removed support of
     binary curves from TLS 1.2 and earlier.

Nicola, thanks very much for your informative message! And thanks to Rich for sharing the thread.

I had not looked at RFC 8422. Here is the relevant section for those interested:

5.1.1.  Supported Elliptic Curves Extension

   RFC 4492 defined 25 different curves in the NamedCurve registry (now
   renamed the "TLS Supported Groups" registry, although the enumeration
   below is still named NamedCurve) for use in TLS.  Only three have
   seen much use.  This specification is deprecating the rest (with
   numbers 1-22).  This specification also deprecates the explicit
   curves with identifiers 0xFF01 and 0xFF02.  It also adds the new
   curves defined in [RFC7748].  The end result is as follows:

           enum {
               secp256r1 (23), secp384r1 (24), secp521r1 (25),
               x25519(29), x448(30),
               reserved (0xFE00..0xFEFF),
           } NamedCurve;

And for the FIPS 186-5 draft, it references the SP 800-186 draft -- the deprecation message is found there:

4.3 Curves over Binary Fields

This section specifies elliptic curves over binary fields where
each curve takes the form of a curve in short-Weierstrass form
and is either a Koblitz curve (Section 4.3.1) or a pseudorandom
curve (Section 4.3.2). Due to their limited adoption, elliptic
curves over binary fields (i.e., all the curves specified in
Section 4.3) are deprecated and may be removed from a subsequent
revision to these guidelines to facilitate interoperability and
simplify elliptic curve standards and implementations. New
implementations should select an appropriate elliptic curve over
a prime field from Section 4.2.


-James M
The cryptography mailing list
cryptography AT metzdowd.com