[Cryptography] IETF discussion on new ECC curves.

[ianG]

On 2/08/2014 12:43 pm, Michael Kjörling wrote:

> Personally, _as a systems designer and developer_, I'd prefer to have
> a few options. Not many, mind you, but a few. Sort of like AES does by
> specifying 128, 192 and 256 bit key lengths; I can go with "fast, and
> sufficient for almost any needs" (128 bits) or I can accept the
> performance penalty and use "even more" if for some reason I feel 128
> bits of key is not sufficient (very long term secrecy needs against a
> potentially determined and powerful adversary, for example). I could
> then make the argument in each specific instance why I'd choose one
> over the other and what considerations went into the trade-off between
> key length and encryption/decryption throughput on a particular class
> of hardware.


Yup.

Having options is good, as a systems designer.  But if you pass those
options on to users, that is bad.  Users have no idea what to do, and
they spin wheels while listening to so-called experts pontificate.

For this motive, now I suggest well supported by history, I propose that
the designer should pick one suite for the whole lot, and take on the
responsibility for everyone that the choice is good.

(PHB's question is slightly more complicated, as I understand it.  His
project has both ephemeral keys and long term secrets.  That complicates
a little, because that suggests can be two different suites depending on
the purpose.  But that choice can still be stripped as an option, the
software choosing what it needs according to purpose.)



iang