[Cryptography] IETF discussion on new ECC curves.
Watson Ladd
watsonbladd at gmail.com
Sun Jul 27 13:57:41 EDT 2014
On Sun, Jul 27, 2014 at 6:30 AM, Phillip Hallam-Baker
<phill at hallambaker.com> wrote:
> On Sun, Jul 27, 2014 at 1:16 AM, Trevor Perrin <trevp at trevp.net> wrote:
>> On Sat, Jul 26, 2014 at 11:32 AM, Phillip Hallam-Baker
>> <phill at hallambaker.com> wrote:
><snip>
>
>> It's reasonable to ask for a work factor significantly greater than
>> 2^128 as a hedge against cryptanalysis. But people like Adam Langley,
>> myself, and Mike Hamburg have argued that demanding the work factor
>> match a precise number (like 2^256) is over-prescriptive.
>>
>> https://www.imperialviolet.org/2014/05/25/strengthmatching.html
>> https://moderncrypto.org/mail-archive/curves/2014/000140.html
>
> The point is not whether you need exactly that amount of security. It
> is whether you can argue that the curve has not been selected for a
> hidden reason.
>
> If it was a choice between A with exactly 2^256 and B with slightly
> less it would be one thing. But once you open up anything less than
> the full work factor its not just one alternative curve, its six or a
> dozen. And the choice is subjective.
Picking from 6 curves means that 1/6 curves has to be weak to force the choice.
Picking a BADA55 curve means 1/2^32 curves has to be weak. The rigidity issue
is much less bad than you make it out to be.
By contrast, rigidly picking curves ignoring performance means that
people will use
the small curve instead of the big curve, when they would prefer the
medium curve.
These curves are all about speed.
>
>> I think the world should move towards Curve25519 for a fast
>> "regular-strength" curve, and choose one efficient "extra-strength"
>> curve in the 384-512ish range. Curve41417, Goldilocks, and E-521 seem
>> like prime contenders.
>
> Absent a definitive way to choose between them, I can't really pick
> any. Its back to the 2^512-x curve
There is: performance. People do not enable DHE suites in TLS because
of performance concerns.
Curve25519 was put forwards for TLS because of performance. I don't
see why 2^512-x would be
picked: E-521 is stronger and faster, and we've got some very nice alternatives.
Sincerely,
Watson Ladd
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
--
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
More information about the cryptography
mailing list