IETF Logo Mail Archive

Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)

Rene Struik <rstruik.ext@gmail.com> Sat, 28 February 2015 17:01 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EB4C1A1A32 for <cfrg@ietfa.amsl.com>; Sat, 28 Feb 2015 09:01:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PeR7nXrqj8tt for <cfrg@ietfa.amsl.com>; Sat, 28 Feb 2015 09:01:49 -0800 (PST)
Received: from mail-ie0-x232.google.com (mail-ie0-x232.google.com [IPv6:2607:f8b0:4001:c03::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FA2F1A00B0 for <cfrg@irtf.org>; Sat, 28 Feb 2015 09:01:49 -0800 (PST)
Received: by iecrd18 with SMTP id rd18so38367165iec.5 for <cfrg@irtf.org>; Sat, 28 Feb 2015 09:01:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type; bh=uqvV18Zv2gcnxbh2VidEo2+zEh3TFGOVRbJERDSWNEA=; b=JzhRfKviTMmUAXZtnw3BFwry55KAyDEqwmvDy83QTLdZ3Wh6+bmoNJSwGnXhxVy6Z2 Ogt9tNxUCkS/kAyxPbgGMVCuNmZitug7wyxAn2Roes6vv0d91p8GfxP3eQzGqVGC0EFn T4q8RtgCz+AoLFMu2yQSxJ3Ej+MohhMnGbvROxTQfSKZxogy7Os4mLuWxkFLoi5Nkox2 NLFRiUlJPqu1SDyYwvAwd/a/kMYu2bgIdMfEFHjn/CEKBfNuGCpng56z7xR5W87+V8q2 gLAqpxExtMsYH2J7m/3Z6ASp/ALz8G0e37qLQdwGvkdKssqu5VPNDhsL8CQPF1hI1fHE j2ug==
X-Received: by 10.107.170.8 with SMTP id t8mr25928783ioe.7.1425142908313; Sat, 28 Feb 2015 09:01:48 -0800 (PST)
Received: from [192.168.0.10] (CPE7cb21b2cb904-CM7cb21b2cb901.cpe.net.cable.rogers.com. [99.231.49.38]) by mx.google.com with ESMTPSA id b1sm3556262igl.7.2015.02.28.09.01.47 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 28 Feb 2015 09:01:47 -0800 (PST)
Message-ID: <54F1F472.9010001@gmail.com>
Date: Sat, 28 Feb 2015 12:01:38 -0500
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Alexey Melnikov <alexey.melnikov@isode.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <54EDDBEE.5060904@isode.com>
In-Reply-To: <54EDDBEE.5060904@isode.com>
Content-Type: multipart/alternative; boundary="------------090906070605080506010207"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/E5hAv1yEA9hCB9rJ5oykCsKrIWE>
Subject: Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Feb 2015 17:01:51 -0000

Hi Alexey:

Order of preference:
a) curve with 64-byte underlying prime field
b) curve with 521-bit underlying prime field (due to P-521 precedent 
with Mersenne primes)

Notes:
1) This curve is supposed to serve as a really conservative pick, so I 
think curves below the 500-bit demarcation line curves, no matter their 
charm, should be out.
2) Picking a curve with prime order subgroup of 508-512 bit would 
satisfy Russian parameter requirements, so if we could accommodate this 
and show inclusiveness, so much the better (this would be sign of 
strength for this group).
-- Examples: Microsoft's 512-bit nums curve, M-511 (IACR ePrint 
2013-647) {not clear (to me) what design criteria were to include field 
bit-sizes in the poll below, since neither 511/512 mentioned.}
3) Slight performance differentials (say, less than factor 2x) around 
the same design crypto bit strength should not be that important, at 
least not with this really conservative pick (I do expect 128-bit design 
strength curves to be used with, e.g., signing DH exponents, where there 
may be some roots that use the conservative pick).

Best regards, Rene

On 2/25/2015 9:27 AM, Alexey Melnikov wrote:
> CFRG chairs are starting another poll:
>
> Q3: This is a Quaker poll (please answer one of "preferred", 
> "acceptable" or "no") for each curve specified below:
>
> 1) 448 (Goldilocks)
> 2) 480
> 3) 521
> 4) other curve (please name another curve that you "prefer" or 
> "accept", or state "no")
>
> If you stated your curve preferences in the poll that ended on 
> February 23rd (see the attachment), you don't need to reply to this 
> poll, your opinion is already recorded. But please double check what 
> chairs recorded (see the attachment).
>
> If you changed your mind or only answered the question about 
> performance versa memory usage for curves 512 and 521, feel free to 
> reply.
>
> Once this issues is settled, we will be discussing (in no particular 
> order. Chairs reserve the right to add additional questions) 
> implementation specifics and coordinate systems for Diffie-Hellman. We 
> will then make decisions on signature schemes. Please don't discuss 
> any of these future topics at this time.
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

v2.23.0 | Report a Bug | By Email