Re: [Cfrg] Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd)

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Sat, 21 February 2015 13:46 UTC

Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 961EF1A6FEC for <cfrg@ietfa.amsl.com>; Sat, 21 Feb 2015 05:46:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wYN21MiBeOZl for <cfrg@ietfa.amsl.com>; Sat, 21 Feb 2015 05:46:02 -0800 (PST)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0622.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe00::622]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D250B1A19F6 for <cfrg@irtf.org>; Sat, 21 Feb 2015 05:46:01 -0800 (PST)
Received: from DBXPR03MB383.eurprd03.prod.outlook.com (10.141.10.15) by DBXPR03MB384.eurprd03.prod.outlook.com (10.141.10.20) with Microsoft SMTP Server (TLS) id 15.1.87.18; Sat, 21 Feb 2015 13:40:53 +0000
Received: from DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) by DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) with mapi id 15.01.0087.013; Sat, 21 Feb 2015 13:40:53 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Alyssa Rowan <akr@akr.io>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd)
Thread-Index: AQHQS2jkNrWH3jDLOk2dqVH4gyhmX5z5HPGAgAAsfACAAILyAIAAMLcAgAEkFIA=
Date: Sat, 21 Feb 2015 13:40:53 +0000
Message-ID: <D10E3729.3F869%kenny.paterson@rhul.ac.uk>
References: <54E46EA4.9010002@isode.com> <CAHOTMVKCD+DK6QbSuy8R63FVnu_WBNmwMvByqicx=sK6_k63HQ@mail.gmail.com> <D10CAF3B.3F266%kenny.paterson@rhul.ac.uk> <CAMm+Lwhj9H_NK22QbTB7=EFd7GBg0WprwRMN8RxH3+7r_buf7g@mail.gmail.com> <54E795DA.3080502@akr.io>
In-Reply-To: <54E795DA.3080502@akr.io>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.7.141117
x-originating-ip: [78.146.73.200]
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Kenny.Paterson@rhul.ac.uk;
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:DBXPR03MB384;
x-microsoft-antispam-prvs: <DBXPR03MB38411EEEEEBA1DE7E7A7CACD92B0@DBXPR03MB384.eurprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:;SRVR:DBXPR03MB384;
x-forefront-prvs: 049486C505
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(189002)(24454002)(199003)(54524002)(479174004)(51444003)(51704005)(164054003)(102836002)(74482002)(76176999)(46102003)(93886004)(92566002)(15975445007)(54356999)(2501002)(50986999)(77096005)(68736005)(40100003)(2900100001)(2950100001)(19580395003)(19580405001)(97736003)(87936001)(83506001)(2656002)(36756003)(107886001)(106356001)(62966003)(106116001)(77156002)(1720100001)(105586002)(66066001)(122556002)(68196006)(101416001)(575784001)(86362001)(64706001)(44824005); DIR:OUT; SFP:1101; SCL:1; SRVR:DBXPR03MB384; H:DBXPR03MB383.eurprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: rhul.ac.uk does not designate permitted sender hosts)
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <3882CDAD8F19174FBFFC802FDA26E8D9@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Feb 2015 13:40:53.1417 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2efd699a-1922-4e69-b601-108008d28a2e
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBXPR03MB384
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/BsqRojFJuS32mhPNlh0B7ND7AAU>
Subject: Re: [Cfrg] Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Feb 2015 13:46:04 -0000

Hi Alyssa,
 
On 20/02/2015 20:15, "Alyssa Rowan" <akr@akr.io> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA512
>
>> [TA] Have you considered doing a poll of what specific curves
>> people actually want to use?
>
>> [PHB] [Š] your poll [Š] rather undercuts the whole process.
>
>Strongly agreed.
>
>> [KP] Yes, we considered a number of different ways of narrowing
>> down our choices. However, we settled on doing it this way. Please
>> stick with us.
>
>With the greatest respect, if upstream and external parties were
>willing to tolerate undocumented decisions by editor/chair fiat,
>they'd stick with the NIST curves, wouldn't they?

I think you have to give the chairs some room to make decisions in order
to help move things forward. We've been rightly criticised for not doing
that in recent months, and now we are trying to do better. So cut us some
slack, please.

Yes, we could have first run a "meta poll" to ask the group what kinds of
questions they wanted to be asked, or what the topics of the questions
should be, but I think that would only have led to dismayed comments from
other participants saying we were not providing enough direction or
leadership (but Alexey and I are by now well aware that chairs cannot
please all of the people any of the time, and some of the time we do not
please anyone; for us, it goes with the territory).

>We were asked because publicly-documented technical consensus, not
>guided by any one party, is very highly desirable.

But then what to do if there is no consensus? This appeared to be the case
on the specific question of whether we should stick to "traditional powers
of 2" security levels or not.

I explained this in an earlier response to one of your messages here:

http://www.ietf.org/mail-archive/web/cfrg/current/msg06183.html.

So now it seems to me that we are just rehashing. Let's try to avoid that,
please.

Now, all of this said: we can come back to other security levels later on,
if we have sufficient time and energy. But right now, we're focussing on a
question about the 256-bit security level.

Thanks,

Kenny

>
>We need that if our efforts are to be meaningful.
>
>> [PHB] The way I would do this is as a Quaker poll asking people
>> what their preferred outcome is and what they can live with on 448,
>> 480, 512 and 521.
>
>I agree - that process will probably work much better than these
>forced-choice yes/no polls!
>
>So: my preference votes on prime consensus for the record:
>
>Just 2^255-19: Acceptable [no concerns; but CAs want extra-strength]
>     2^379-19: No         [one 1 mod 4 is probably enough]
>    2^384-317: No         [slow and awkward]
>     2^389-21: Acceptable [seems fast, but not very well-explored]
>     2^414-17: Acceptable [fast, but a slightly awkward size]
>2^448-2^224-1: Preferred  [fast, strong, good size, plenty of margin]
>2^480-2^240-1: Acceptable [fast, but only with 64-bit]
>    2^512-569: No         [way too slow; awkward; would not implement]
>      2^521-1: Acceptable [could live with it; slower than I'd like]
>
>- -- 
>/akr
>-----BEGIN PGP SIGNATURE-----
>
>iQIcBAEBCgAGBQJU55XaAAoJEOyEjtkWi2t6jH4P/1F6iBWEt8i7Y1aLXKQo8Efm
>FncsTL1Byh51vi0WHHjnrJ+9d8z/oNecFeklfjPVvu5+rdezpCR+m2MN/SwW8d25
>WmYjse75bBN9ilz7YohD7T632fUi4wcG1ffRnyNGw40ngiZIJopPAJMA0SZ4N5Wl
>OPaIUNssN/y+XoEcezFzAioIoUkO+C24r3589dc5Bozd7hZQfz4INmyajFHGhgBy
>ctpzMAoOqD+lgY6dbpeWrprV8Nnr3ZMm5Hnq9lb5rFgSSDUU8KsU5yIMX9yTwK/p
>JFPewlUyJK4nb6zdj3Wc42pPgJuezXfdfrif6I6YRwFxet0lRMN1QVFKANubdOtC
>hIKjQjBdMWYKcQkpFQJhoAiHSbMKSFafO+3KeMimyn3aKYotIUyuRZ9bf89cMuzl
>HjABTiPmZNU4hyXxOn/9eNd5vd5T+UIKRY+RfVxSPwo6S/dDphwJ7W/3dhiwCMWI
>AC6Ix5PFCia/y/TFP9R+edsHpmjzUwL+5MgJ+/oSUCgwFDuW8mpuncAtfPLujVQA
>dsDkzhcJZvlna1AiIh8bNiAj9TFnyiiWr3K33tNPmTaocuN6y7yC3BW2hMiGbzT+
>7u5TU8krsfiq1tG/yPzriZBXdlYmnMhTl9LmGvBw9gEMqxtmChJTXDdz0XnI7uy0
>4YgaokzGUjTwkn5PxI9X
>=FXwL
>-----END PGP SIGNATURE-----
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>http://www.irtf.org/mailman/listinfo/cfrg