I'd like to bring this up again before the next revision of the draft. How
close are we to consensus on the ECC semantics?
OpenSSL now has ECC in it, and there is an ECC in TLS draft being proposed
in the IETF. It is worth nailing this down, I think.
On Wed, 5 Sep 2001 hal(_at_)finney(_dot_)org wrote:
We have been looking at the ECC issue and have a few comments on the
proposed draft by Dominikus Scherkl and Christoph Fausak.
Broadly speaking it looks very good. Obviously a lot of care and effort
has gone into the work. It seems to be timely to address the issue of
elliptic curve support as there is interest in this technology from a
number of areas.
Our main concern is the number of variations proposed. Experience with
OpenPGP and other standards suggests that having a multitude of options
does not lead to interoperability and security. It is better to focus
on a small number of options that will be used and tested.
In looking at the various forms of elliptic curves, we can separate
consideration of the coordinate field (the field from which the X and
Y coordinates are taken) from the curve group. Rather than describing
each curve choice as a particular coordinate field and elliptic curve,
we would rather specify a limited set of coordinate fields, and then to
define curves using that set.
Especially when implementing the binary (characteristic 2) fields,
to get good performance it is necessary to optimize the code for the
particular field size and basis. Knowing the polynomial you can hard-code
the necessary shifts, xors, and array offsets and do the arithmetic
very fast. Code which treats these values as variables will be much
less efficient. As efficiency is much of the motivation for going to EC
technology, we should try to preserve it.
Therefore we recommend choosing a limited set of field sizes, and for each
one choosing a single coordinate basis. This will let all implementers
optimize their code for the fields that are actually in use.
As candidates for the specific fields to use, we recommend
the selections from NIST [fips186-2], used as ECC groups in IKE
[draft-ietf-ipsec-ike-ecc-groups-03]. These fields are being deployed
and are in use in some environments. They provide for efficient
ECC groups in IKE specifies two curves for each choice of coordinate
field, a random curve which is expected to provide maximal security due
to absence of any exploitable structure, and a Koblitz curve which has
structure that allows for optimization and high speed. We feel this is a
good model to follow. It provides some flexibility while still providing a
limited number of choices which will promote interoperability. No special
coding is needed to support the Koblitz curve for interoperation purposes;
effort is only required if you want to get the potential speed advantages.
The last point we would like to make is about the field representation
format (section 4.4 in the draft), where again we would propose to reduce
the number of options in order to improve interoperability. 16 options
is too many.
We suggest the initial draft use only prime fields, descriptor 3,
and trinomial/pentanomial binary fields, descriptors 11 and 12. These
three are enough to cover all the NIST curves. They seem to provide
the advantages which we seek from ECC without multiplying the options
If the group does want to pursue additional field types, we would like
to see some rationale for the use of prime extension field types 4-9. Our
concern with the special primes 1-2 is that this area seems to be covered
by patents. And descriptors 14-16 are for normal bases, where we see
two problems. First, they cannot be efficiently implemented in software;
and second, we do not think it is possible to convert from a normal basis
into a polynomial basis representation without additional information
regarding the specific normal basis chosen. Hence using normal bases
as an interchange format is not a good choice. So we would like to see
more discussion of that aspect if the group wishes to pursue it.
(One organizational point: section 4.4 actually describes custom curves,
and we would prefer to see the draft focus on predefined curves. We have
ideas on how to reorganize the draft to define specific coordinate
fields and curves based on them, which we are getting into shape to
Network Associates, Inc.
NIST curves: http://csrc.nist.gov/publications/fips/fips186-2/fips186-2.pdf