[Cryptography] IETF discussion on new ECC curves.

Bear bear at sonic.net
Sat Aug 2 14:50:21 EDT 2014


On Sat, 2014-08-02 at 11:24 -0400, Phillip Hallam-Baker wrote:

> The point I am making here is that when we are talking about making
> compromises between speed and security we need to look at the actual
> work factor, not its logarithm.

> Going down from WF256 to WF240 is not a small change and going to
> WF224 is a huge change.

> Going from WF256 to WF254 is well within the margin of error measuring
> performance and the argument might be stretched to WF250. But any
> further and you are eating into the safety margin.

I don't think "WF" means anything in the way you're using it.
As I understand the classes of attacks here, the "Work Factor"
according to best available attacks is not related to the number
of bits in the way you are arguing.

The actual security - or 'work factor' of the best available 
attacks - is proportional to some base raised to the power of 
the number of bits, and the base is (I believe) around 1.32 at
this point.  So something 16 bits shorter is, really, only a 
work factor of about 2^5 easier, not 2^16.  

I want to see a curve selected based on hardware constraints 
of bus and memory width according to an absolutely nothing-up-
my-sleeve set of rules.  So far, all these performance arguments
have big floppy sleeves.







