[TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-15 Thread Rene Struik
Dear colleagues: It seems prudent to keep some diversity of the gene pool and not only have curves defined over prime curves. Similarly, one should perhaps have some diversity of gene pool criteria within the set of recommend curves and not only include special primes. Should some problem with

Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

2015-07-16 Thread Rene Struik
MITLL wrote: I think you convinced me. And to think of it, I never did like binary curves. :-) No binary curves for the future. :-) Tnx! Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network. *From: *Tony Arcieri *Sent: *Wednesday, July 15, 2015 22:32 *To: *Rene Strui

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

2021-08-13 Thread Rene Struik
Dear colleagues: I think this document should absolutely *not* be adopted, without providing far more technical justification. The quoted Raccoon attack is an easy to mitigate attack (which has nothing to do with finite field groups, just with poor design choices of postprocessing, where one u
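The "postprocessing" the message refers to is the leading-zero stripping that TLS 1.2 applies to the DH shared secret before it becomes the pre_master_secret (RFC 5246, section 8.1.2); the Raccoon attack observes the resulting length difference through timing. The block below is an added example, not code from the thread or from any of its participants: it places that variable-length encoding beside a fixed-width encoding of the kind TLS 1.3 uses, and counts how often each produces a distinguishable length over a constructed set of shared secrets. The modulus and the sample secrets are constructed toy values and are not a real DH group.

```python
# Added example (not from the thread): TLS 1.2 style stripping of leading zero
# bytes from the DH shared secret Z, beside a fixed-width encoding.
#
# RFC 5246 s.8.1.2 strips leading all-zero bytes of Z before it is used as the
# pre_master_secret, so the length of what the PRF hashes depends on secret bits.
# The Raccoon attack turns that length dependence into a timing oracle. Encoding
# Z at the full byte width of the group (as TLS 1.3 does) removes the dependence.

TOY_P = (1 << 64) - 59   # constructed 64-bit toy modulus; only its byte width matters here

def group_width(p: int) -> int:
    """Byte length of the group modulus: the natural fixed width for Z."""
    return (p.bit_length() + 7) // 8

def premaster_tls12(z: int, p: int) -> bytes:
    """TLS 1.2 style: big-endian Z with leading zero bytes stripped."""
    return z.to_bytes(group_width(p), "big").lstrip(b"\x00")

def premaster_fixed(z: int, p: int) -> bytes:
    """Fixed width I2OSP(Z, len(p)): the length depends only on the group."""
    return z.to_bytes(group_width(p), "big")

def observed_lengths(encode, p: int, zs) -> dict:
    """Histogram of encoded lengths over sample shared secrets: the classes a
    length- or timing-based side channel can tell apart."""
    hist = {}
    for z in zs:
        n = len(encode(z, p))
        hist[n] = hist.get(n, 0) + 1
    return hist

# Constructed sample of shared secrets: three with at least one leading zero
# byte in an 8-byte encoding, three without.
SAMPLE_Z = [
    1,
    0x00FF,
    0x00FFFFFFFFFFFFFF,
    0x0100000000000000,
    0x0123456789ABCDEF,
    TOY_P - 1,
]

if __name__ == "__main__":
    print("stripped:", observed_lengths(premaster_tls12, TOY_P, SAMPLE_Z))
    print("fixed:   ", observed_lengths(premaster_fixed, TOY_P, SAMPLE_Z))
```

With a real group width of w bytes, roughly one in 256 shared secrets has a leading zero byte and so hashes as a shorter input under the stripped encoding; the fixed-width encoder yields the single length w for every Z, which is the property a constant-time key derivation needs as its input.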

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

2021-08-27 Thread Rene Struik
{officially on vacation till Labor Day, but weighing-in briefly} Hi Filippo: I had a brief look at the CVEs you referenced and at your Blackhat 2018 presentation. Some observations on your Blackhat 2018 presentation: (a) the attack seems to be a reincarnation of the so-called Goubin attack pr

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

2021-08-27 Thread Rene Struik
of view. On Fri, Aug 13, 2021 at 10:20 AM Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> wrote: I agree with Rene’s points. -- Regards, Uri *From:* TLS <tls-boun...@ietf.org> on behalf of Rene Struik mailto:

[TLS] (crypto agility may benefit from private extensions) Re: Additional changes for draft-ietf-tls-iana-registry-updates

2018-03-20 Thread Rene Struik
Hi Sean: Quick question: does "closing the registry" not contradict catering towards crypto agility? What happens if, say, one wishes to add another signature scheme, besides Ed25519, to the mix. If there is no private field, does this mean that, e.g., Schnorr+BSI Brainpool256r1 is now ruled ou

Re: [TLS] (crypto agility may benefit from private extensions) Re: Additional changes for draft-ietf-tls-iana-registry-updates

2018-03-20 Thread Rene Struik
escorla wrote: > > > On Tue, Mar 20, 2018 at 2:51 PM, Rene Struik <rstruik@gmail.com> wrote: > > Hi Sean: > > Quick question: does "closing the registry" not contradict > catering towards crypto agility? What happens if, say, one wis

Re: [TLS] Draft for SM cipher suites used in TLS1.3

2019-08-15 Thread Rene Struik
Hi Paul: I tried to look up the documents GMT.0009-2012 and GBT.32918.5-2016 on the (non-secured) websites you referenced, but only found Chinese versions (and Chinese website navigation panels [pardon my poor language skills here]). Since the ISO documents are not available to the general p

[TLS] (offline) Re: Draft for SM cipher suites used in TLS1.3

2019-08-16 Thread Rene Struik
es to ISO documents? ISO documents are often referenced by IETF drafts. Thanks, Kind Regards Kepeng —— Re: [TLS] Draft for SM cipher suites used in TLS1.3 Rene Struik <rstruik@gmail.com> Thu, 15 August 20

[TLS] (question on ANSI X9.62-2005) Re: Ecdsa-sig-value in TLS 1.3 – need for erratum?

2019-10-01 Thread Rene Struik
ANSI did not wish to pursue this, or admin mishaps? Rene Note: purchase info RS from ansi store below: Subject: Your Order Confirmation for X_458150 From: e...@ansi.org Date: 11/22/2016, 2:57 PM To: [snip] 25 West 43 Street New York, NY 10036 Tel: 212.642.4900 Fax: 212.398.0023 Sold To Rene Struik

[TLS] (TLS1.3 - algorithm agility support is enough; no need to crystal ball gaze PQ right now, except as pass-time) Re: RSA-PSS in TLS 1.3

2016-03-07 Thread Rene Struik
Hi Scott: I think it is really premature to speculate on features PQ-secure algorithms can or cannot provide (*) and try and have this influence *current* TLS1.3 protocol design. Should one wish to include PQ algorithms in a future update of TLS1.3, one can simply specify which protocol ingr

Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

2016-08-07 Thread Rene Struik
Hi Hanno: The papers [1] and [2] may be of interest here. In [2], Section 3.3, Alfred Menezes and Neil Koblitz compare FDH-hash RSA signatures, PSS (lots of randomness in the salt), and a scheme by Wang and Katz that only contains one bit of randomness with signing and is claimed to have tigh

[TLS] (confusing the issues) Re: [Cfrg] 3DES diediedie

2016-08-29 Thread Rene Struik
I think it is a mistake to think that simply using block ciphers with a larger block size is enough to counter attacks, as the literature on successful side channel attacks on such block ciphers demonstrates. The real message is that one should not reuse keys ad infinitum, which unfortunately se

Re: [TLS] [Cfrg] (confusing the issues) Re: 3DES diediedie

2016-08-29 Thread Rene Struik
m not-invented-here syndromes, but acknowledging this playing in the background of our perceptions should also give us some reason to pause and have some restraint here. Rene On 8/29/2016 5:48 PM, Jon Callas wrote: On Aug 29, 2016, at 6:26 AM, Rene Struik wrote: I think it is a mistake to thi

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-10 Thread Rene Struik
Dear colleagues: I would suggest adding the following paragraph at the end of Section 5.5: [current text of Section 5.5] There are cryptographic limits on the amount of plaintext which can be safely encrypted under a given set of keys.[AEAD-LIMITS]
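The 3DES thread above ("one should not reuse keys ad infinitum") and this Section 5.5 text ("cryptographic limits on the amount of plaintext which can be safely encrypted under a given set of keys") are about the same quantity: how much data one key may protect before the bound on the attacker's advantage is exhausted, and what the protocol does when that point is near. The block below is an added example and not code from the thread, from RFC 8446 or from any of the participants. Its first half computes the standard birthday-bound data limit for an n-bit block cipher (advantage about m²/2^(n+1) after m blocks, which is the bound behind the 64-bit-block concern); its second half is a sender-side TLS 1.3 style traffic-key state that refuses to protect more than a configured number of records under one key and rotates via the RFC 8446 section 7.2 "traffic upd" derivation. The AES-GCM figure of 2^24.5 full-size records is the one RFC 8446 section 5.5 gives; the HKDF-Expand-Label construction follows RFC 8446 section 7.1 with SHA-256; the traffic secret and the small record limit used in the demonstration are constructed values.

```python
# Added example (not from the thread or RFC 8446): key-usage limits and rotation.
import hashlib
import hmac
import math

# --- 1. Birthday bound for one key of an n-bit block cipher -----------------
# For modes built on an n-bit block cipher (CBC, CTR, GCM) the distinguishing
# advantage after m blocks is roughly m^2 / 2^(n+1). Solving for m gives the
# amount of data one key may process before the advantage reaches max_adv.

def birthday_limit_blocks(block_bits: int, max_adv: float) -> float:
    """Blocks one key may process before the advantage reaches max_adv."""
    return math.sqrt(max_adv * 2.0 ** (block_bits + 1))

def birthday_limit_bytes(block_bits: int, max_adv: float) -> float:
    """Same limit expressed in bytes of plaintext."""
    return birthday_limit_blocks(block_bits, max_adv) * (block_bits // 8)

# --- 2. TLS 1.3 style record limit with key rotation -------------------------
AES_GCM_RECORD_LIMIT = int(2 ** 24.5)   # RFC 8446 s.5.5: full-size records per key

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 s.7.1): info = HkdfLabel structure."""
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

class TrafficKeys:
    """Sender-side traffic key state for AES-128-GCM: counts records, refuses
    to exceed the per-key limit, and rotates with the 'traffic upd' derivation
    of RFC 8446 s.7.2 (which also yields a fresh IV, so sequence numbers may
    restart at zero without repeating a nonce)."""

    def __init__(self, traffic_secret: bytes, record_limit: int = AES_GCM_RECORD_LIMIT):
        self.secret = traffic_secret          # constructed value supplied by the caller
        self.record_limit = record_limit
        self.generation = 0
        self.seq = 0
        self._derive()

    def _derive(self) -> None:
        self.key = hkdf_expand_label(self.secret, b"key", b"", 16)   # AES-128 key
        self.iv = hkdf_expand_label(self.secret, b"iv", b"", 12)     # GCM IV

    def nonce(self) -> bytes:
        """RFC 8446 s.5.3: per-record nonce = IV XOR left-padded 64-bit sequence number."""
        return bytes(a ^ b for a, b in zip(self.iv, self.seq.to_bytes(12, "big")))

    def next_record(self) -> bytes:
        """Reserve the nonce for the next record, or refuse once the limit is hit."""
        if self.seq >= self.record_limit:
            raise RuntimeError("record limit reached under this key; send KeyUpdate first")
        n = self.nonce()
        self.seq += 1
        return n

    def key_update(self) -> None:
        """application_traffic_secret_N+1 = HKDF-Expand-Label(secret_N, "traffic upd", "", 32)."""
        self.secret = hkdf_expand_label(self.secret, b"traffic upd", b"", 32)
        self.generation += 1
        self.seq = 0
        self._derive()

if __name__ == "__main__":
    for n in (64, 128):
        print(f"{n}-bit blocks, advantage 2^-32: {birthday_limit_bytes(n, 2.0 ** -32):.3e} bytes")
    tk = TrafficKeys(b"\x42" * 32, record_limit=3)     # constructed secret and toy limit
    for _ in range(3):
        tk.next_record()
    tk.key_update()
    print("generation", tk.generation, "seq", tk.seq)
```

The two halves connect through the record size: at 2^14 bytes a record is 2^10 AES blocks, so the 2^24.5-record limit corresponds to about 2^34.5 blocks under one key, far below the 2^48.5 blocks the 128-bit birthday bound allows at advantage 2^-32, while a 64-bit block cipher reaches that same advantage after only 2^16.5 blocks (about 740 KB).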

Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

2017-02-10 Thread Rene Struik
uments/fips140-3/physec/papers/physecpaper19.pdf [2] On 2/10/2017 1:47 PM, Dang, Quynh (Fed) wrote: Hi Rene, From: TLS <tls-boun...@ietf.org> on behalf of Rene Struik <rstruik@gmail.com> Date: Friday, February 10, 2017 at 10:51 AM To: Sean Turner mailto:s...@sn3r