[Cryptography] IETF discussion on new ECC curves.

Phillip Hallam-Baker phill at hallambaker.com
Sat Jul 26 14:32:46 EDT 2014


There was much discussion on new curves for ECC. The discussion looks
like it is down to choosing curves that are close to powers of 2 which
can be computed twice as fast as the traditional random curves in a
constant time implementation.

The choices on the table right now are the NUMS curves proposed by
Brian LaMacchia and co at Microsoft and Dan Bernstein's Curve 25519
(2^255-19).

One point of comparison of course is performance but it is actually
quite difficult to compare like with like. There does not seem to be
more than a 15% difference between any of them. Most of the other
differences fall away when the point compression patent expires which
I am told is a matter of weeks.

Another point that is important for me is consistency. I want as few
choices as possible. Given that the CA industry is going from RSA2048
with a putative work factor of 2^120 and all of these alternatives are
much faster and with much shorter keys, I can't see why I would go for
a 2^128 work factor. So I am only really looking for 2^256 work
factor.


So leaving aside the technical differences (which don't seem to be
decisive), and the choice of curve created with the primes (there are
twisted curves, Edwards, Montgomery etc), the main political
difference is that the NUMS curves do have a deterministic choice
procedure. The primes chosen are the largest prime smaller than the
nearest power of 2.

This does remove subjectivity from the equation but (possibly) comes
at a (modest) performance penalty.

Curve 25519 is close to 256 and it's easy to make the argument. But
there isn't a convenient prime near to 2^512. When we come to choosing
curve E521 it's a gut check sort of thing...


What do folks think here? I see a bunch of possibilities:

1) We choose the NUMS curve for the 2^256 work factor curve and Curve
25519 for 2^128

2) We choose NUMS for both

3) We choose Curve25519 and E521

4) We spend several years arguing to no point


Right now my preferred choice would be either (1) or (2). It is a
split the baby approach but I think it would stick because the folk
who care about the NUMS argument are not likely to be interested in
the lower strength curve anyway. Meanwhile the folk obsessing about
speed tend to be more likely to go for Bernstein's argument than
Microsoft's even if it's really BAL behind it all.
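
The deterministic prime choice described in the message ("the largest prime smaller than the nearest power of 2") can be reproduced with a short search. This is an added example, not part of the original post or of either curve proposal; the function names are hypothetical, and primality is checked with fixed-base Miller-Rabin, which is a probabilistic test at these sizes. It covers only the choice of the field prime, not the curve parameters.

```python
# Added illustration: find the largest prime below 2^bits, written as 2^bits - c.
# These small primes serve both for trial division and as Miller-Rabin bases.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37,
                41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (probabilistic for numbers this large)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    # Write n - 1 as d * 2^s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # base a proves n composite
    return True


def smallest_offset(bits: int) -> int:
    """Smallest c >= 1 such that 2^bits - c is (probably) prime."""
    if bits < 2:
        raise ValueError("no prime lies below 2^bits for bits < 2")
    c = 1
    while not is_probable_prime((1 << bits) - c):
        c += 2  # 2^bits - c has to be odd, so c stays odd
    return c


if __name__ == "__main__":
    # 255 and 521 are the exponents of the Curve25519 and E521 primes;
    # 256, 384 and 512 are used here as the "nearest power of 2" sizes.
    for bits in (255, 256, 384, 512, 521):
        print(f"2^{bits} - {smallest_offset(bits)}")
```

The search gives 2^255 - 19 and 2^521 - 1 for the two Bernstein-side exponents, and shows how much further below 2^512 the first prime sits.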

