[Cryptography] IETF discussion on new ECC curves.
Phillip Hallam-Baker
phill at hallambaker.com
Sun Jul 27 09:30:00 EDT 2014
On Sun, Jul 27, 2014 at 1:16 AM, Trevor Perrin <trevp at trevp.net> wrote:
> On Sat, Jul 26, 2014 at 11:32 AM, Phillip Hallam-Baker
> <phill at hallambaker.com> wrote:
>> One point of comparison of course is performance but it is actually
>> quite difficult to compare like with like. There does not seem to be
>> more than a 15% difference between any of them.
>
> Here are some efficiency scores based on extrapolating performance vs
> security for Microsoft NUMS (w-*-mers and ed-*mers), Curve25519,
> Goldilocks, and others:
>
> https://docs.google.com/a/trevp.net/spreadsheet/ccc?key=0Aiexaz_YjIpddFJuWlNZaDBvVTRFSjVYZDdjakxoRkE&usp=sharing#gid=0
>
> The differences are larger than 15%. For example, Microsoft's fastest
> 512-bit curve takes close to twice the time of 448-bit Goldilocks.
> But you would expect a 512-bit curve to be only ~40% slower than a
> 448-bit curve.
Should have said 15% for the curves, rather than the actual
parameters... But the problem in the meeting was there were two
partisan sides presenting the curves. Independent measurements are
useful.
> It's reasonable to ask for a work factor significantly greater than
> 2^128 as a hedge against cryptanalysis. But people like Adam Langley,
> myself, and Mike Hamburg have argued that demanding the work factor
> match a precise number (like 2^256) is over-prescriptive.
>
> https://www.imperialviolet.org/2014/05/25/strengthmatching.html
> https://moderncrypto.org/mail-archive/curves/2014/000140.html
The point is not whether you need exactly that amount of security. It
is whether you can argue that the curve has not been selected for a
hidden reason.
If it was a choice between A with exactly 2^256 and B with slightly
less it would be one thing. But once you open up anything less than
the full work factor its not just one alternative curve, its six or a
dozen. And the choice is subjective.
> I think the world should move towards Curve25519 for a fast
> "regular-strength" curve, and choose one efficient "extra-strength"
> curve in the 384-512ish range. Curve41417, Goldilocks, and E-521 seem
> like prime contenders.
Absent a definitive way to choose between them, I can't really pick
any. Its back to the 2^512-x curve
More information about the cryptography
mailing list