[Cryptography] NIST should publish Suite A

ianG iang at iang.org
Tue Nov 12 11:44:41 EST 2013


Hi Peter,

Thanks for this collation!

On 12/11/13 07:31 AM, Peter Bowen wrote:
> On Mon, Nov 11, 2013 at 5:31 AM, ianG <iang at iang.org> wrote:
>> On 10/11/13 16:14 PM, CodesInChaos wrote:
>>>>
>>>> NIST should publish Suite A
....

> A good starting point would be to look at the publicly available
> documentation about Type 1 algorithms and which are likely to make up
> Suite A.


That's exactly the starting point we would want.


> There appear to be two primary Type 1 asymmetric/public key
> algorithms: FIREFLY and MAYFLY.  FIREFLY is the older of the two and
> appears to be based on Finite Field DLP or RSA.  MAYFLY is based on
> Elliptic Curves.  The NSA has developed a hybrid or transition
> approach called "Enhanced FIREFLY" that allows systems to use EC when
> both ends support it and fall back to basic FIREFLY when they do not.
> From the TACLANE Operator's Manual (helpfully published by the
> Government of Canada[1] among others):
>
> "Enhanced FIREFLY (EFF) is a key management technique that makes use
> of existing FIREFLY technology to implement Elliptic Curve
> cryptography (specifically, a form of the MAYFLY Elliptic Curve
> technology). TACLANE is able to use MAYFLY with other enhanced-capable
> TACLANEs. TACLANE can also negotiate down, if necessary, to Basic FF
> for TACLANEs that have not been upgraded to support EFF. Enhanced
> FIREFLY therefore serves as a bridge between the existing FIREFLY
> infrastructure and the move to a solely Elliptic Curve solution"


So pretty clearly (from that single data point) EC is the future, RSA is 
the legacy.

> PKCS11 Version 2.0 Draft 2 (from RSA's FTP server[2]) helpfully
> provides a little more detail about MAYFLY.  A MAYFLY public key
> object has four attributes:
> - Prime p (512 to 1024 bits, in steps of 64 bits)
> - Subprime q (160 bits)
> - Base g (512 to 1024 bits, in steps of 64 bits)
> - Public value W
>
> p, q, and g are collectively the "MAYFLY parameters".  The MAYFLY
> private key objects are very similar except replace "Public value W"
> with "Private value w".
> This description is virtually identical to the ECDSA public and
> private key objects in the same specification.


So, same framework, means likely same techniques.  Which leaves some 
credibility to the ECDSA approach.  Lengths are 512 - 1024, I guess?

Question then is, is there enough information about generating the 
params to tell us whether the NIST/standards are amusingly different or 
curiously similar?

...

> I'm sure there is more information that can be easily gleaned from
> public sources, but it is clear that EC is a core part of Suite A.


Super!  This is very encouraging.  If we agree with this albeit limited 
data point, then it means that we don't have to steer clear of EC nor do 
we have to go back to RSA.


> [1] http://publications.gc.ca/gazette/archives/p2/2007/2007-01-10/pdf/E100_Operator_Manual_Rev%201.4.pdf
> [2] ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2drft2.pdf

(leaving out the MEDLEY stuff as my specific interest was whether EC was 
good or bad...)



iang


