[Cryptography] IETF discussion on new ECC curves.

Phillip Hallam-Baker phill at hallambaker.com
Sat Jul 26 16:33:14 EDT 2014


On Sat, Jul 26, 2014 at 3:55 PM, ianG <iang at iang.org> wrote:
> 2c worth,
>
> On 26/07/2014 19:32 pm, Phillip Hallam-Baker wrote:
> ...
>> Curve 25519 is close to 256 and its easy to make the argument. But
>> there isn't a convenient prime near to 2^512. When we come to choosing
>> curve E521 its a gut check sort of thing...
>
>
> I thought you were protecting email?  What rational can there be for
> having two strengths?

It isn't all I do. But these curves are being picked for TLS which
means they would impact PKIX which means they will effectively choose
the default curves for everything.


> Email is primarily hacked on the machine, and 2^256 is so far beyond
> reasonable that we won't see it challenged for a long time.  If you
> don't like that argument increase to 2^512 but it still doesn't support
> having two strengths.

The reason I want 2^(128*2) as the work factor for public key is that

1) Long term public keys are the highest value crypto assets to
target. Getting one AES key does not buy very much unless one message
is fantastically valuable. Getting a public root key gives huge
leverage.

2) There are attacks that reduce the strength of a crypto system to
half the bit size of the key, meet in the middle attacks for example.
But its hard to think of an attack that gives dramatically more
leverage than that. 2^128 is sufficient confidence to eliminate brute
force as an attack. Going to the square is a pretty good confidence
factor.


So I probably want 2^512 primes for my EC roots. I can't see a good
reason not to use that for everything.

I already use SHA-2-512 everywhere and truncate it if fewer bits are
desired rather than use SHA-2-256 and I will probably use AES-256 as
default as well.


>> What do folks think here? I see a bunch of possibilities
>>
>> 1) We choose the NUMS curve for the 2^256 work factor curve and Curve
>> 25519 for 2^128
>>
>> 2) We choose NUMS for both
>>
>> 3) We choose Curve25519 and E521
>>
>> 4) We spend several years arguing to no point
>
>
> 5)  Choose one.  Get back to work...  I would use curve25519 as it's
> much more clearly open than Microsoft's stuff, I don't need to go
> researching it, and I know there are plenty of open source code snippets
> to draw from.

I am not sure thats right. Dan is many things. More open to contrary
viewpoints than Brian LaMacchia isn't one of them.

Brian's argument for his curves is precisely that they are more
objective. They are simply the curves which are closest to the minimum
power of 2 necessary to give the desired work factor.


More information about the cryptography mailing list