[CFRG] Curve25519 security level is better than stated in RFC 7748

John Mattsson <john.mattsson@ericsson.com> Sun, 04 December 2022 11:36 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/8CEwj_o8k4IeFBIhKBx_u3fGDx8>

Hi,

Dan recently corrected a statement I made in NIST pqc-forum about Curve25519 security level. RFC 7748 states that:

   The security level (i.e., the number of "operations" needed for a
   brute-force attack on a primitive) of curve25519 is slightly under
   the standard 128-bit level.

I think this statement is wrong or at least misleading. For a reader it is easy to get the understanding that Curve25519 offers less classical security than e.g., AES-128 when in fact the opposite is true. When using AES-128 and Curve25519 together, AES-128 is the weakest link (considering known classical attacks). Comparing asymmetric and symmetric "operations" is like comparing apples to oranges. When you make a fair comparison, it is very clear that Curve25519 is stronger than AES-128 based on known classical attacks. The original statement in the Curve25519 paper (https://cr.yp.to/ecdh/curve25519-20060209.pdf) seems much more accurate to me.

   Every known attack is more expensive than performing a
   brute-force search on a typical 128-bit secret-key cipher.

If RFC 7748 is ever updated, I think the security considerations should be updated.

Cheers,
John