Re: [Cfrg] Curve manipulation, revisited

David Gil <> Thu, 25 December 2014 20:38 UTC


On Thursday, December 25, 2014 4:15 AM, Adam Langley
<> wrote: [reordered]

> I don't plan on supporting any larger curve that this WG may
> produce (even more so if it's an "ugly" curve). If nothing
> else, P-384 isn't going away.

I will.

In particular, w.r.t. Yahoo's eventual release of an End-to-End
messaging extension, we will generate EC keys for extension users
on a curve subgroup with log2(#K) >= 376. The additional
computational expense is, frankly, negligible.

(And this will likely be a larger deployment, w.r.t. number
of keys, than even TLS -- though vastly smaller in number of
crypto operations.)


> I'm skeptical that a larger curve is actually useful. I think
> ~128 and ~192 bit [security strength] curves have shared fate
> to the point where the risks from supporting any extra curve
> outweigh the benefits.

I disagree.

It's absurd to ignore the fact that the organization with the
most mathematicians working on ECC[^fbfw] does not trust a
bit-length 256 curve for data they consider important. See [NSA Suite B

Do we have any reason to believe that we're so much smarter than


[^fbfw]: I would say "for better or for worse", but it is clearly
for the worse.