IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd)

Michael Scott <mike.scott@certivox.com> Sat, 21 February 2015 11:00 UTC

Return-Path: <mike.scott@certivox.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C7CE1A6EE1 for <cfrg@ietfa.amsl.com>; Sat, 21 Feb 2015 03:00:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.967
X-Spam-Level:
X-Spam-Status: No, score=-1.967 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_MONEY_PERCENT=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uUX898uiFu_P for <cfrg@ietfa.amsl.com>; Sat, 21 Feb 2015 03:00:55 -0800 (PST)
Received: from mail-ig0-f178.google.com (mail-ig0-f178.google.com [209.85.213.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1535B1A6D3F for <cfrg@irtf.org>; Sat, 21 Feb 2015 03:00:54 -0800 (PST)
Received: by mail-ig0-f178.google.com with SMTP id hl2so8774115igb.5 for <cfrg@irtf.org>; Sat, 21 Feb 2015 03:00:54 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=xTOqRi5/KMYqL/R9dEDT8LG1iL0Ov39Y7R+EEm/reeI=; b=bHTPkb6txF2f5ZaKqvtMJyxGr9dQEf2/XHAS6R8aobK6SDnvKHFRbqmAv/OWIEBkAl Q9ew+3SvDS0X41A3weba4pguSC4bCsWsMiWsZaPeKwKq/pTcynoe+7QNEnHCEJRDQh4P ZxcqGfwKQ7k6MLV4MQQiDwYwhHbd0Z7BhA88pQ7C8GcvhIRxikbkHmI6G52ZdOCqDJsP z9hiuge5Z0rnVbesJssb3wCEbVb4hy3J6guzwJ3BjAFPN2/iOzivp/pEgp8BDLqRN9uL NBAkAH8v/asm2LVv1/RooJXjrNj0oey3UTBXAhN3z22JQ/zwWhC3dnuDy6L4/9iyVzS8 9sSw==
X-Gm-Message-State: ALoCoQmFZcrYKWnQR5PapgZQzOk2Ao7acU0TwhKVcPkCmMcHBFi7Lt2hSewPw/vVLaFzw2WVxXlt
MIME-Version: 1.0
X-Received: by 10.43.16.7 with SMTP id pw7mr2375173icb.88.1424516454181; Sat, 21 Feb 2015 03:00:54 -0800 (PST)
Received: by 10.36.115.76 with HTTP; Sat, 21 Feb 2015 03:00:54 -0800 (PST)
In-Reply-To: <CAMm+LwhOT+pPmVgomXmJo+gLBzOD=RFfmyNnNzFQEkMTRVFsWQ@mail.gmail.com>
References: <54E46EA4.9010002@isode.com> <CAHOTMVKCD+DK6QbSuy8R63FVnu_WBNmwMvByqicx=sK6_k63HQ@mail.gmail.com> <D10CAF3B.3F266%kenny.paterson@rhul.ac.uk> <CAMm+Lwhj9H_NK22QbTB7=EFd7GBg0WprwRMN8RxH3+7r_buf7g@mail.gmail.com> <CACsn0c=eqcXm+ir75Qm9PvP5QhdZf_kfVYn2sE-mcHwNtqbP7A@mail.gmail.com> <CAMm+LwjU_c=Oh7uebV3XS1XuD6bAuNGSzFW16uqh9-nQM7n98g@mail.gmail.com> <CACsn0ckySPmSYwUtkmxVx-Ca8jZ7YG9PfkBVQdM9-F7E-F42sA@mail.gmail.com> <CAMm+LwhOT+pPmVgomXmJo+gLBzOD=RFfmyNnNzFQEkMTRVFsWQ@mail.gmail.com>
Date: Sat, 21 Feb 2015 11:00:54 +0000
Message-ID: <CAEseHRq5WhWNmMvDHu9okOpVFqY62LuVFpodkGkLP5jSbp3-cQ@mail.gmail.com>
From: Michael Scott <mike.scott@certivox.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="bcaec5196c253a97e1050f971555"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Ie7PjTeux66x225psX40L5pzwa4>
Subject: Re: [Cfrg] Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Feb 2015 11:00:58 -0000

I know I am a bit late to this party, so apologies if some-one has made
this point already.

First off as I voted I see absolutely no point in going beyond 256-bit
curves, unless the asymptotics are broken in which case all bets are off.

However there is an undoubted demand for bigger curves, often driven by
emotions and instincts which seem impervious to logic. Its all about what
Schneier called getting that "warm fuzzy feeling". And I guess imbuing
users with that feeling of confidence may have some value.

In the world of RSA, when RSA-1024 was threatened, the warm fuzzies were
restored by moving to RSA-2048. There is something about doubling the bit
length that appeals. Of course this is not even close to the equivalent of
going from 256-bit curves to 521-bit curves, and indeed RSA-2048 is not
even close to the same security as that provided by even a 256-bit curve.

The equivalent to a 256-bit curve would be 3072-bit RSA approximately. If
the latter were threatened a comfortable response would be a move to 6144
bit RSA, which is the equivalent of a 320-bit curve (roughly).

So anyone for 2^321-9 ? 2^342-65?


Mike


On Sat, Feb 21, 2015 at 4:24 AM, Phillip Hallam-Baker <phill@hallambaker.com
> wrote:

> June 2005 is nine and a half years ago. Go to the 2014 top 500 and the top
> spot is 33 TFlop. And I am not using those $3000 cards, the
> price/performance is better at $500.
>
> Looks like my machine is actually only beating the number 5 machine at
> around 10TFlop at present.
>
>
> On Fri, Feb 20, 2015 at 10:59 PM, Watson Ladd <watsonbladd@gmail.com>
> wrote:
>
>> On Feb 20, 2015 11:50 AM, "Phillip Hallam-Baker" <phill@hallambaker.com>
>> wrote:
>> >
>> >
>> >
>> > On Fri, Feb 20, 2015 at 1:17 PM, Watson Ladd <watsonbladd@gmail.com>
>> wrote:
>> >>
>> >>
>> >> On Feb 20, 2015 9:21 AM, "Phillip Hallam-Baker" <phill@hallambaker.com>
>> wrote:
>> >>
>> >> > Well maybe if we had discussed it first. As it is your poll
>> completely mis-states the reasons people prefer 512 over 521. Which rather
>> undercuts the whole process.
>> >>
>> >> We've been discussing these issues for nearly a full year. You've had
>> and taken ample opportunity to explain why you don't like E-521, and the
>> fact that no one else is convinced has a lot to do with the strength of
>> your arguments.
>> >
>> > You are entitled to your opinion but it is far from the case that
>> everyone here sees things as you do.
>> >
>> > Even if my opinion was wrong, the chairs should not misrepresent them.
>> >
>> >> > The way I would do this is as a Quaker poll asking people what their
>> preferred outcome is and what they can live with on 448, 480, 512 and 521.
>> >> >
>> >> > 448 - No
>> >> > 480 - Acceptable
>> >> > 512 - Preferred
>> >> > 521 - No
>> >> >
>> >> > This is meant to be a consensus process and we should be using
>> consensus seeking tools wherever possible. Votes for the best outcome are
>> not the best way to come to consensus.
>> >>
>> >> No, it's about using our expertise to make the right decision. If your
>> arguments are wrong, don't expect us to pay attention.
>> >
>> > If the issue was expertise in mathematics then it would be a simple
>> choice. The question is not down to that type expertise, it is which set of
>> criteria are considered to be important. And there experience is rather
>> more relevant than expertise in the specific branch of math.
>> >
>> > You think that performance should be the criteria. In the twenty years
>> since I was a grad student the performance of computers has doubled every
>> 18 months or so. I am writing this on a computer that has more computing
>> power than the fastest supercomputer available only ten years ago, cost
>> less than $10,000 and plugs into a regular wall socket.
>>
>> Nope: Top500 list from June 2005 gives 183 teraflops peak. That's 45
>> Telsa K10 GPUs, which will run you $90,000. Each card consumes 225W,
>> leading to 10,125 watts. At US voltage of 120 RMS, that's an 84 amp
>> circuit. You can plug something drawing 84 amps into an ordinary wall
>> socket: the fuse will blow.
>>
>> Of course, performance has never been the sole criterion: as DJB
>> stated in http://www.ietf.org/mail-archive/web/cfrg/current/msg04894.html
>> there are a number of criteria which Curve25519 was designed to meet.
>> But none of them argue against primes with 2^s-c, c as small as
>> possible, and there are very few primes achieving maximal performance.
>> The supposed conflict between rigidity and performance doesn't
>> actually exist.
>>
>> These aren't the only possible criteria: someone with hardware that
>> implements the special reduction for the NSA primes probably won't be
>> happy having to adapt that hardware or work around its absence for
>> other primes. Someone who implements generic Montgomery reduction
>> won't see any speed gains from special primes. But the criteria that
>> these curves and primes meet apply to the vast majority of
>> implementations.
>>
>> It's also not clear what criteria you are actually applying to get the
>> list above: it's not "power of 2 in the name at all costs", nor is it
>> strictly sized based. It's not performance based after a certain size
>> either.
>>
>> >
>> > I don't actually care very much about the specific outcome here. What
>> is important to me is whether the outcome is backed by 10%, 50% or 90% of
>> the industry. And that in turn depends first and foremost on the litigation
>> cost associated with the new algorithm and next to that the ease with which
>> we can convince people that there is nothing odd about the choice.
>> >
>> > So I am far more concerned about process than outcome here. How long we
>> spend arguing is much less important to me than the risk we have to do it
>> all again soon.
>> >
>> >
>> > The litigation risk has no bearing on 512 or 521 but it is going to
>> have a big bearing on the choice of curve. More than one of us is going to
>> have to eventually have to explain all of this stuff to lawyers at $400/hr
>> per person involved and up. The cost of moving to ECC is going to largely
>> depend on the length of time those conversations take.
>>
>> But we're not talking about the coordinates to be used yet, only the
>> prime.
>>
>> Sincerely,
>> Watson Ladd
>>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>
>

v2.23.0 | Report a Bug | By Email