Re: [Cfrg] Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd)

Jon Callas <jon@callas.org> Thu, 19 February 2015 19:05 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/9VQ3R0uRXqj_sMZLFtKy1dhwqV0>


On Feb 19, 2015, at 9:22 AM, Mike Hamburg <mike@shiftleft.org> wrote:

> Jon, if you're using Curve41417, do you have benchmarks for Curve41417 on x86 or amd64?  I've only ever seen their NEON benchmarks.

No, I only do it on ARM, and I'm using it as an alternative to P-384.

The decision we made in looking for ciphers was to reduce options. Our original plan was to have a 128-bit cipher suite and a 256-bit cipher suite, and have the default be 256, with fallback to 128 when performance wasn't good enough. That original decision was to have only one public key parameter, and that was P-384.

Even before the Snowden revelations, Dan Bernstein and Tanja Lange talked to me about elliptic curves, and in specific asking why we didn't use 25519, and my answer on 25519 was that I wanted greater than 128-bit security, and even at 128 bits, 25519 isn't *quite* 128. There's no *technical* reason to care about the difference, but it's good to be able to say, "I do at least 128 bits of security" and not have someone in the room point out that well, technically 25519 is some fraction of a bit lower in security.

They offered to design me a curve as a replacement for P-384. The result is 41417. It's a really nice curve, both intellectually and from a performance standpoint. Our naive implementations of 41417 performed just fine. Public key performance isn't a real problem for me -- good enough is good enough. P-384 was good enough.

The NEON implementation of 41417 is amazing. I'm sure getting an equivalent done for Intel is completely doable -- just pick what generation of vector instructions you want to support.

	Jon

