Re: [Cfrg] Curve manipulation, revisited

David Gil <dgil@yahoo-inc.com> Thu, 25 December 2014 20:38 UTC

On Thursday, December 25, 2014 4:15 AM, Adam Langley
<agl@imperialviolet.org> wrote: [reordered]

> I don't plan on supporting any larger curve that this WG may
> produce (even more so if it's an "ugly" curve). If nothing
> else, P-384 isn't going away.

I will.

In particular, w.r.t. Yahoo's eventual release of an End-to-End
messaging extension, we will generate EC keys for extension users
on a curve subgroup with log2(#K) >= 376. The additional
computational expense is, frankly, negligible.

(And this will likely be a larger deployment, w.r.t. number
of keys, than even TLS -- though vastly smaller in number of
crypto operations.)

--

> I'm skeptical that a larger curve is actually useful. I think
> ~128 and ~192 bit [security strength] curves have shared fate
> to the point where the risks from supporting any extra curve
> outweigh the benefits.

I disagree.

It's absurd to ignore the fact that the organization with the
most mathematicians working on ECC[^fbfw] does not trust a
bit-length 256 curve for data they consider important. See
[NSA Suite B Cryptography][suiteb].

Do we have any reason to believe that we're so much smarter than
them?

--


[^fbfw]: I would say "for better or for worse", but it is clearly
for the worse.

[suiteb]: https://www.nsa.gov/ia/programs/suiteb_cryptography/