Re: [Cfrg] ECC reboot

Andy Lutomirski <luto@amacapital.net> Thu, 23 October 2014 20:59 UTC

From: Andy Lutomirski <luto@amacapital.net>
Date: Thu, 23 Oct 2014 13:58:40 -0700
Message-ID: <CALCETrUpYVSoWCCsZZA=b00KKqQLsXqf39tcqoUxX9GcF2vsow@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/2YPRXcdwK3SxjanYqb0hfzjLtc0
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] ECC reboot

On Thu, Oct 23, 2014 at 1:52 PM, Phillip Hallam-Baker
<phill@hallambaker.com> wrote:
> Having built large parallel machines and used them for very large tasks, I
> am going by a little more than common sense. 512-bit arithmetic operations
> are certainly going to be faster than 521. Now what that implies for
> implementing Knotted Weierstrass curves with a double Irish Dutch sandwich
> or whatever is what I am looking for an explanation of in terms that I can
> explain to the general security community.
>
> What I began arguing is that 521 is going to break stride on a 512-bit
> architecture and should be taken off the table unless the speed advantage is
> enormous. I don't think we need to implement the algorithm to see that.
>
> Now if you are arguing that 512 will also break stride on a 512-bit
> architecture then that is an important data point that by the same logic
> argues for looking at a curve that does fit and maybe Goldilocks is actually
> the one.

I'm really having trouble understanding what you mean by "break
stride".  I doubt that any implementation of any of these algorithms
is even close to fast enough that the time it takes to shove data
across the bus is relevant.  If someone really builds special-purpose
ASICs for this, they can presumably back a 521-bit register (or
any other size register) by a far smaller bus and get excellent
performance.

--Andy
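The "does it fit the word size" question argued above can be made concrete. The following Python is an added example, not code from the thread or from either participant: it computes how many machine words a 521-, 512- or 448-bit field element occupies when packed saturated, then finds the smallest reduced-radix ("unsaturated") layout in which a schoolbook multiply can accumulate whole columns in a double-word without intermediate carries, and verifies that claim by multiplying worst-case all-ones elements. The selection rule (2r + ceil(log2 n) <= 2*word) is a simplified model chosen for this illustration; on 64-bit words it reproduces the 8x56 layout used by Ed448-Goldilocks and the 9x58 layout commonly used for P-521, and shows that 512 bits also needs 9 limbs once you leave the saturated representation.

```python
"""Added example: limb layouts for 521-, 512- and 448-bit field elements.

Not code from the CFRG thread. The carry-free radix rule below is a
simplified model of how reduced-radix implementations pick limb widths.
"""

GOLDILOCKS_BITS, P521_BITS, P512_BITS = 448, 521, 512


def saturated_limbs(bits, word=64):
    """Full machine words needed to hold a `bits`-bit field element."""
    return -(-bits // word)


def max_carry_free_radix(n, word=64):
    """Widest limb width r such that one column of an n-limb schoolbook
    product (n terms, each below 2**(2r)) fits a double-word accumulator:
    2r + ceil(log2 n) <= 2*word. (n-1).bit_length() is ceil(log2 n)."""
    return (2 * word - (n - 1).bit_length()) // 2


def unsaturated_layout(bits, word=64):
    """Smallest limb count n whose evenly split radix ceil(bits/n) still
    permits carry-free column accumulation. Returns (n, radix)."""
    n = saturated_limbs(bits, word)
    while True:
        radix = -(-bits // n)
        if radix <= max_carry_free_radix(n, word):
            return n, radix
        n += 1


def to_limbs(x, n, radix):
    mask = (1 << radix) - 1
    return [(x >> (radix * i)) & mask for i in range(n)]


def from_limbs(limbs, radix):
    return sum(limb << (radix * i) for i, limb in enumerate(limbs))


def schoolbook_columns(a, b):
    """Column sums of a*b before any carry propagation."""
    cols = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            cols[i + j] += ai * bj
    return cols


def propagate_carries(cols, radix):
    """Normalise column sums back to `radix`-bit limbs."""
    mask, out, carry = (1 << radix) - 1, [], 0
    for c in cols:
        c += carry
        out.append(c & mask)
        carry = c >> radix
    while carry:
        out.append(carry & mask)
        carry >>= radix
    return out


def multiply_report(bits, word=64):
    """Square the worst-case (all-ones) element in the chosen layout and
    report whether every column stayed below 2**(2*word)."""
    n, radix = unsaturated_layout(bits, word)
    x = (1 << bits) - 1
    cols = schoolbook_columns(to_limbs(x, n, radix), to_limbs(x, n, radix))
    product = from_limbs(propagate_carries(cols, radix), radix)
    return {
        "bits": bits,
        "saturated_limbs": saturated_limbs(bits, word),
        "limbs": n,
        "radix": radix,
        "carry_free": max(cols) < (1 << (2 * word)),
        "product_ok": product == x * x,
    }


def goldilocks_middle_term_aligned(radix):
    """p = 2**448 - 2**224 - 1: the 2**224 term lands on a limb boundary
    exactly when 224 is a multiple of the radix (true for 56-bit limbs)."""
    return 224 % radix == 0


if __name__ == "__main__":
    for word in (64, 32):
        for bits in (P512_BITS, P521_BITS, GOLDILOCKS_BITS):
            print(word, multiply_report(bits, word))
```

Running it on 64-bit words shows the asymmetry behind the argument: saturated, 512 bits is exactly 8 words while 521 spills into a ninth; unsaturated, both need 9 limbs (57- and 58-bit), whereas 448 bits fits 8 limbs of 56 with the Goldilocks prime's 2^224 term sitting on a limb boundary.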