Re: [Cfrg] When's the decision?

Phillip Hallam-Baker <> Thu, 09 October 2014 05:20 UTC

On Wed, Oct 8, 2014 at 11:42 PM, Mike Hamburg <> wrote:

> This is basically the point of Ed448-Goldilocks.  It's received a mixed
> response in this forum, since some people would prefer the most constrained
> curve, for some definition of "constrained" which doesn't consider
> performance.

I am happy to consider performance but only if the differences are
large and consistent.

This is not a competition where more is better. I don't want more than
exactly one high strength curve and exactly one exceptionally high
curve. I don't want to see any options or parameters either. Either we
are all doing the twist again or nobody is. Either we are all doing
compression or not.

And if there isn't a clear basis for a decision we can throw darts.

Some performance issues are show stoppers. Anything that is not less
than a clean multiple of a power of 2 is going to cause severe
performance hits on future architectures. 512 bit memory buses are
common in graphics cards, 521 bit buses are not.

If ED448 is twice as fast as the exactly 512 bit curve then there is a
decisive performance advantage. Anything less than 20% is noise.

The point is elimination, to vote people off the island so we can have
a winner, not to get more people in.