Re: [Cfrg] revised requirements for new curves

Adam Langley <agl@imperialviolet.org> Wed, 10 September 2014 16:53 UTC

Return-Path: <alangley@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 020221A8A7F for <cfrg@ietfa.amsl.com>; Wed, 10 Sep 2014 09:53:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JGgaTbAUYpU3 for <cfrg@ietfa.amsl.com>; Wed, 10 Sep 2014 09:53:01 -0700 (PDT)
Received: from mail-la0-x22e.google.com (mail-la0-x22e.google.com [IPv6:2a00:1450:4010:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A26E1A8A80 for <cfrg@irtf.org>; Wed, 10 Sep 2014 09:53:01 -0700 (PDT)
Received: by mail-la0-f46.google.com with SMTP id el20so1348752lab.33 for <cfrg@irtf.org>; Wed, 10 Sep 2014 09:52:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=4/MGuC6tM+aooKCx3zSOtqiX28uCtZQY/B/PSQRSrjY=; b=H9lDhvKBGKcOBGgyLG2by0dyHFiAjsBNNNAsgbLuhhQdDiE7EzNcsMJOjYRoKoRZsm IQ/xj2gMoyF1PQvUOWdS5vrpzhmcd6niPUX4Haj+YCgSZzzRvk5SnKIr/lgKMecGiAOP jsPtzvyrcAhtgG0Iw6ps6rOi/3I6JKrMJNFI6lESDcm/R+WM6PnbE3IVmUF0Z9+w63Om PrwoSDPWoCkcOpi33I7est2BYXVYSL8jYqsvyOZL8BaGS/5t0OzsEkOl39DXLeeJ8DhE jIhZf23dcdfGCBAc201nfhbR41h+RXEmXNVfvRco+P7VSCMmcuaD0vFYt1DoBAFm3sg6 TG6g==
MIME-Version: 1.0
X-Received: by 10.112.135.230 with SMTP id pv6mr3423815lbb.105.1410367979357; Wed, 10 Sep 2014 09:52:59 -0700 (PDT)
Sender: alangley@gmail.com
Received: by 10.112.170.37 with HTTP; Wed, 10 Sep 2014 09:52:59 -0700 (PDT)
In-Reply-To: <D035E0DD.2CB51%kenny.paterson@rhul.ac.uk>
References: <CAMfhd9UaJtcaRurEOtN289ribT7ZH6OUB55or+T1NN6U8jv9Rw@mail.gmail.com> <D035E0DD.2CB51%kenny.paterson@rhul.ac.uk>
Date: Wed, 10 Sep 2014 09:52:59 -0700
X-Google-Sender-Auth: 3-42D_3XcnhD6Rj6RLELa-gavgQ
Message-ID: <CAMfhd9X3RhN0jcyGSwYKhpDmSLMDvh9pMghjzygzf7se55KGYg@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/-mhnrVMpyxw13Fhn3zy0YNdcTHM
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] revised requirements for new curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Sep 2014 16:53:03 -0000

On Wed, Sep 10, 2014 at 3:15 AM, Paterson, Kenny
<Kenny.Paterson@rhul.ac.uk> wrote:
> Should we infer, then, that Google would prefer at most a single curve at
> each security level (rather than, say, two)?

I was suggesting that only one or two curves be approved in total.

Consider the current situation: in terms of having a good
implementation base, P-{256|384|521} are significantly above the rest.
Of those, P-256 is the workhorse. There is some use of P-384,
generally, from what I've seen, for long-lived ECDSA keys (with
dubious justification). P-521 is hugely less common than either of the
other two.

In order to get a performant, solidly constant-time implementation,
one needs, in practice, to hand craft the field operations for an
elliptic curve, which is quite a lot of work. That's been done for
P-256 in many cases, but much less so for P-384. (Since P-384 is
substantially used for ECDSA verification, constant-time is less of a
worry there.)

Diversity of curves dilutes the capacity for building, auditing and
verifying good implementations. Also, the precomputed tables for high
speed signing take too much space in some clients if there are several
of them, and then implementations need to support and test two build
modes: fast and small.

Many systems will never be able to drop support for P-256 and 384, so
these new curves can only add to the implementation burden. I think
that a single curve to replace P-256 can pay its way by being faster
and simpler. I'm much less sure about a second, and pretty confidently
against a third.


Cheers

AGL