Re: [Cfrg] What constitutes a curve with a 256-bit security level?

Mike Hamburg <mike@shiftleft.org> Thu, 19 February 2015 07:53 UTC

Message-ID: <54E59677.80207@shiftleft.org>
Date: Wed, 18 Feb 2015 23:53:27 -0800
From: Mike Hamburg <mike@shiftleft.org>
To: David Jacobson <dmjacobson@sbcglobal.net>, Watson Ladd <watsonbladd@gmail.com>, Tony Arcieri <bascule@gmail.com>
In-Reply-To: <54E58961.4050202@sbcglobal.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/EwlFJ44Iq_t6WQtZM7DWqdbsDXM>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] What constitutes a curve with a 256-bit security level?

On 02/18/2015 10:57 PM, David Jacobson wrote:
> On 2/18/15 2:45 PM, Watson Ladd wrote:
>>
>> On Feb 18, 2015 2:39 PM, "Tony Arcieri" <bascule@gmail.com
>> <mailto:bascule@gmail.com>> wrote:
>>>
>>> On Wed, Feb 18, 2015 at 2:14 PM, Michael Hamburg
>>> <mike@shiftleft.org <mailto:mike@shiftleft.org>> wrote:
>>>>
>>>> It may be that you’re thinking SHA512-and-truncate won’t be
>>>> uniform enough mod the order of Ridinghood.  But in fact it will,
>>>> because the order of Ridinghood is 2^480 - O(2^240), and so the
>>>> deviation from uniformity will be O(2^-(240+32)).  The same would not
>>>> be true for a prime with a large coefficient like NIST P-256.
>>>
>>> Okay, my mistake, but that is an issue for E-521, right?
>>
>> Not really. While the naïve approach of using a single hash function
>> output of double length for deterministic signing won't work, hashing
>> an incrementing counter with the message and private key, or some
>> other variant will.
>>
>> Sincerely,
>> Watson Ladd
>>
> [snip]
>
> Clarifying question:
>
> Do you mean to be advocating using a KDF like the counter one in NIST 
> SP 800-108, and specifying an output bit length of the ceiling of log2 
> of the order of the base point?

This.  The only trouble is that 519 > 512.

> Or do you mean using a construct similar to that, but if the result
> is >= the curve order, try again with the next counter value, until
> you get a value < the order of the base point. In this construct all
> possible values < the order of the base point are equally likely.
>
>     --David Jacobson
>
No, because the order of the curve is p +- O(sqrt(p)), and the subgroup 
order is exactly 1/4 that, so with p = 2^521-1 the bias is provably 
negligible.

Cheers,
-- Mike
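Added example, not part of the thread: it puts numbers on the two options discussed above by computing the exact statistical distance of "hash then reduce mod n" from uniform, and by implementing the counter-and-retry derivation David describes. The P-256 group order is the real one; the 480-bit order is a constructed stand-in of the shape 2^480 - O(2^240) and is not Ridinghood's actual order, and the derivation uses a simplified HMAC counter mode rather than SP 800-108's exact encoding.

```python
"""Added example, not from the thread: how biased is 'hash then reduce mod n'
versus the counter-and-retry derivation David asks about?  P-256's order is
the real one; the 480-bit order is a constructed stand-in, NOT Ridinghood's."""
import hashlib
import hmac
import math
from fractions import Fraction

P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
# Constructed order of the shape 2^480 - O(2^240); not the actual Ridinghood
# order, so the exponent computed for it describes this stand-in only.
TOY_480_ORDER = 2**480 - 2**239

def reduction_bias(hash_bits: int, n: int) -> Fraction:
    """Exact statistical distance between (X mod n), X uniform on hash_bits bits,
    and uniform on [0, n).  With q, r = divmod(2^k, n) the residues below r get
    q+1 preimages and the rest q, which collapses to r*(n-r) / (n * 2^k)."""
    total = 1 << hash_bits
    r = total % n
    return Fraction(r * (n - r), n * total)

def log2_bias(hash_bits: int, n: int) -> float:
    """log2 of the statistical distance; about -32.0 means roughly 2^-32."""
    b = reduction_bias(hash_bits, n)
    if b == 0:
        return -math.inf  # 2^k is a multiple of n: no bias at all
    return math.log2(b.numerator) - math.log2(b.denominator)

def derive_scalar(key: bytes, msg: bytes, n: int, max_tries: int = 256) -> int:
    """Counter-and-retry: expand HMAC-SHA512(key, msg || ctr || i) to exactly
    bit_length(n) bits, reject candidates >= n and bump ctr, so every value in
    [0, n) is exactly equally likely.  Simplified counter mode in the spirit of
    SP 800-108, not the standard's encoding."""
    nbits = n.bit_length()
    nbytes = (nbits + 7) // 8
    for ctr in range(max_tries):
        stream, i = b"", 0  # inner index i: orders above 512 bits (519 > 512) need >1 block
        while len(stream) < nbytes:
            data = msg + ctr.to_bytes(4, "big") + i.to_bytes(4, "big")
            stream += hmac.new(key, data, hashlib.sha512).digest()
            i += 1
        cand = int.from_bytes(stream[:nbytes], "big") >> (8 * nbytes - nbits)
        if cand < n:
            return cand
    # n >= 2^(nbits-1), so each try fails with probability <= 1/2.
    raise ValueError("no candidate below n after max_tries")

if __name__ == "__main__":
    print("P-256, 256-bit hash reduced:  2^%.1f" % log2_bias(256, P256_ORDER))
    print("P-256, 512-bit hash reduced:  2^%.1f" % log2_bias(512, P256_ORDER))
    print("toy 480-bit order, SHA-512:   2^%.1f" % log2_bias(512, TOY_480_ORDER))
```

Reducing a 256-bit hash mod the P-256 order lands near 2^-32, while a 512-bit hash reduced mod either order is far below 2^-240, which is the contrast the thread draws; the retry construction sidesteps the question entirely at the cost of an occasional extra hash.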