[Cfrg] Goldilocks (was Re: EC - next steps to get draft-irtf-cfrg-curves done)
Watson Ladd <watsonbladd@gmail.com> Wed, 11 February 2015 02:04 UTC
Date: Tue, 10 Feb 2015 18:04:48 -0800
Message-ID: <CACsn0cmfyRqQrVRnbroYV++8axVxWm-1BtTXUOjGYa-30GdW9A@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Kenny Paterson <Kenny.Paterson@rhul.ac.uk>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/NJKetkZ0xbsvnpHfVGhHIuGd0uA>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: [Cfrg] Goldilocks (was Re: EC - next steps to get draft-irtf-cfrg-curves done)
On Feb 10, 2015 1:23 PM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> wrote:
>
> Hi,
>
> On 10/02/2015 18:33, "Watson Ladd" <watsonbladd@gmail.com> wrote:
>
> >
> >On Feb 10, 2015 9:42 AM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
> >wrote:
> >>
> >>
> >> Thanks to the chairs for trying this approach. I've answered
> >> your first poll, but I'd also like to say that I'm entirely
> >> fine if the chairs use their judgement to evaluate poll responses
> >> and I hope you do not limit yourselves to purely mechanical
> >> evaluations. That's because it's inevitable that people will
> >> question the questions, as has happened already;-) And we
> >> don't want to have to re-do a bunch of polls I hope.
> >I'm surprised that you consider implicitly rejecting 2^448-2^224-1 for
> >unstated arguments a good idea, given your openness to supporting it.
>
> Thanks for making explicit what was implicit.
>
> Yes, we are ruling out 2^448-2^224-1 and focussing on primes yielding
> curves at or near the 192 and 256 bit security levels. There was a long
> discussion on this on the list a while back, no clear consensus emerged on
> whether we should "stick" to the 192-bit and/or 256-bit security levels or
> go for "intermediate" values, and the chairs are now making a decision on
> this.

This strikes me as extremely premature. We do not yet have hard performance
data on 32 bit machines for 2^389-21. In fact, the best fractional radix I
could come up with used exactly the same number of limbs as the Karatsuba
revisited paper uses for 2^414-17, and exactly the same number of limbs as
Goldilocks does: until we actually measure on actual silicon highly optimized
assembly optimizations (something I can't write: I should learn someday) we
don't know which prime is better.

Of course, if you don't actually care about smartphone performance, but only
the latest and greatest Intel chips, then Goldilocks incurs a 7-8% performance
penalty compared to 2^389-21.

And if you don't care about performance but want the most secure curve
possible, Goldilocks is much smaller than 521.

But each of these rationales also excludes one of the options in the
consensus poll! Far more likely is that people who care about performance
agree to eat a 7% performance hit, and people who want maximum security
absorb a factor of 2^64 in group size, so we have stronger support for
Goldilocks than either of the two extremes. But that's not currently an
option on the poll, and it's not clear what the reason for excluding it is,
other than "448 isn't 384 or 512".

Sincerely,
Watson Ladd

<snip>
>
> Kenny
>
<snip>
> >Sincerely,
> >Watson Ladd
>
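The message above compares four candidate primes by their size and by how they split into limbs on 32-bit hardware. The following is an added example, not code from the thread or from any of the implementations it mentions: it confirms that each candidate has the stated form and is (probably) prime via Miller-Rabin with fixed bases, reports the field size, the generic-attack estimate of roughly half the field size (ignoring cofactor), and the per-limb width for a 16-limb fractional-radix representation. The 16-limb count and the 12-base Miller-Rabin set are assumptions of this example, not claims from the message.

```python
# Added example (not part of the CFRG thread): sanity-check the prime
# candidates named in the discussion and compute the sizes at stake.

# Candidates as written in the thread (constructed table, not from any draft).
CANDIDATES = {
    "2^389-21": 2**389 - 21,
    "2^414-17": 2**414 - 17,
    "2^448-2^224-1 (Goldilocks)": 2**448 - 2**224 - 1,
    "2^521-1 (P-521 field)": 2**521 - 1,
}

# First twelve primes as Miller-Rabin bases: deterministic below ~3.3e24,
# probabilistic (but overwhelmingly reliable) for the 400-500 bit inputs here.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin primality test with the fixed base set above."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    # Write n-1 = 2^r * d with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness of compositeness
    return True


def limb_bits(prime_bits: int, limbs: int) -> float:
    """Bits per limb when prime_bits are spread evenly over a fractional radix."""
    return prime_bits / limbs


def summarize(name: str, p: int, limbs: int = 16, word: int = 32) -> dict:
    """Size data a reader would want when comparing field primes."""
    bits = p.bit_length()
    width = limb_bits(bits, limbs)
    return {
        "name": name,
        "prime": is_probable_prime(p),
        "bits": bits,
        # Pollard rho on a prime-order subgroup: ~sqrt(group size).
        "generic_security_bits": bits // 2,
        "limb_bits": width,
        # Spare bits per word before carries must be propagated.
        "headroom_bits": word - width,
    }


def compare_all(limbs: int = 16) -> list:
    return [summarize(n, p, limbs) for n, p in CANDIDATES.items()]


if __name__ == "__main__":
    for row in compare_all():
        print(f"{row['name']:<28} prime={row['prime']} bits={row['bits']} "
              f"~sec={row['generic_security_bits']} "
              f"limb={row['limb_bits']:.3f} headroom={row['headroom_bits']:.3f}")
```

Run as a script it prints one line per candidate; the headroom column makes the 32-bit argument concrete, since a representation with less headroom forces carries to be propagated more often. The 7-8% figure in the message is a measured result and cannot be reproduced by this arithmetic.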