Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)

Phillip Hallam-Baker <> Wed, 25 February 2015 16:22 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id DCD1D1A8868 for <>; Wed, 25 Feb 2015 08:22:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Vnq8sAikviFD for <>; Wed, 25 Feb 2015 08:22:18 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4010:c04::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 342111A8770 for <>; Wed, 25 Feb 2015 08:22:18 -0800 (PST)
Received: by lbiw7 with SMTP id w7so4933295lbi.9 for <>; Wed, 25 Feb 2015 08:22:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=cT9ebR+bAspiYmNklDEh8VLr5P4BFztzPAH626/Lj/o=; b=P7xOKwZbLrEw7I5QyEW0V9O8Gg5kLC1TwGsOT80Pzm8Ok/Jq5HaT6NTQ/6kj1NQKyv g99yUjnwmK22wDqfSRhpwpRtsrYspqi5AgalIBJuLEYnPQTiHxKQVV4tnu4nM09AUX58 cl0hqxmw5C8Mxhf5u86cRcpN5l3V1CW3013Qw8Jlp+OUnvpSLjekpCMTUZcVroEanI00 +7LViMttXRhdKPEfOQv6YlD65Ih55ReKUEoPbvrqHTaLEttTWWT2nuzGAmvGS5yedhQ7 3k6LBHgMRbN1Q8w+sH0djdJ/WCM2MUZdKDUK+rP4cW3dJqcqXj0qusz41PUu5TGUjWkn mksQ==
MIME-Version: 1.0
X-Received: by with SMTP id bc3mr3478544lbc.79.1424881336698; Wed, 25 Feb 2015 08:22:16 -0800 (PST)
Received: by with HTTP; Wed, 25 Feb 2015 08:22:16 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Wed, 25 Feb 2015 11:22:16 -0500
X-Google-Sender-Auth: qQ4KQKpVuKWX0501dzqEjxSmg4g
Message-ID: <>
From: Phillip Hallam-Baker <>
To: Stephen Farrell <>
Content-Type: multipart/alternative; boundary="001a11c3491cebcff4050fec090d"
Archived-At: <>
Cc: "" <>
Subject: Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 25 Feb 2015 16:22:20 -0000

Do we have figures for performance of these versus RSA2048?

Yes, we get a reversal of the public/private speed advantage on signature.
And that in itself is a huge win on the server side

RSA signature verification takes 0.16 ms on a reasonably current machine
(signature is 6ms)

How much faster/slower one curve is over another matters much less to me
than whether the curve is faster or slower than what I am already using. I
am not going to be using P521 or P448 curves on a constrained device, I
will go for P255.

If we had figures comparing the curve candidates to RSA it would probably
be illuminating.