[Cfrg] Why I think 256-level is a bad idea [Was: Re: Elliptic Curves - poll on security levels (ends on February 17th)]
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Thu, 12 February 2015 18:38 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C2791A1B01 for <cfrg@ietfa.amsl.com>; Thu, 12 Feb 2015 10:38:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.298
X-Spam-Level: **
X-Spam-Status: No, score=2.298 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, MANGLED_SEX=2.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W9FkM4ah2ARG for <cfrg@ietfa.amsl.com>; Thu, 12 Feb 2015 10:38:03 -0800 (PST)
Received: from emh03.mail.saunalahti.fi (emh03.mail.saunalahti.fi [62.142.5.109]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A54A1A1B1B for <cfrg@irtf.org>; Thu, 12 Feb 2015 10:38:01 -0800 (PST)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh03.mail.saunalahti.fi (Postfix) with ESMTP id C97A818878C; Thu, 12 Feb 2015 20:37:58 +0200 (EET)
Date: Thu, 12 Feb 2015 20:37:58 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20150212183758.GA12959@LK-Perkele-VII>
References: <54D9E2E3.4080402@isode.com> <CABcZeBMOdejqTYsYqtYP8d2whVF6HUFjMJBNFeuU7Ypi8sn9mA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBMOdejqTYsYqtYP8d2whVF6HUFjMJBNFeuU7Ypi8sn9mA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/PbRaSZAa-GAAywzO7W4J8Cnuv_w>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: [Cfrg] Why I think 256-level is a bad idea [Was: Re: Elliptic Curves - poll on security levels (ends on February 17th)]
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Feb 2015 18:38:05 -0000
On Wed, Feb 11, 2015 at 10:24:13AM -0800, Eric Rescorla wrote: > On Tue, Feb 10, 2015 at 2:52 AM, Alexey Melnikov <alexey.melnikov@isode.com> > wrote: > > > CFRG chairs are starting a poll, containing 2 initial questions: > > > > Q1: Should CFRG recommend a curve at the 192-bit security level? > > > > Q2: Should CFRG recommend a curve at the 256-bit security level? > > > > Answering Yes/No to each of these would suffice. > > > Sorry for giving an unclear answer, but: > > I believe that the CFRG should probably specify one stronger curve at > either 192 or 256. > Both of these seem to have arguments in favor, but if I were pushed I would > probably > go for 256 for the reason that if we're going to be conservative we should > be really > conservative. I consider 256-level curve a bad idea (and Goldilocks as the largest practical curve) for the following reasons: 1) Too slow We have performance budgets, and the real world standard for higher- security curve is P384, so that sets our performance budget. Now, P-384 implelmentation in OpenSSL is hilariously bad (In fact, I seem to have a version of OpenSSL where P-521 is faster(!) than P-384). But proper P-384 would be a lot faster and even well-optimized E-521 would be slower. I would estimate that 256-level is about half the speed (for E-521, since that's faster than 512-bit curves) of 192-level (and goldilocks would be about 25% slower than 192-level, due to extraordinarily efficient prime). This is on top of 2.5-3x penalty for 192-level over 128-level. And remember that some CA people have actually expressed interest at actually using the larger curve. There's also similar arguments on low side (P-256 is the standard there), but Curve25519 (or whatever it is called) delivers the needed performance. 2) Signature problems Pretty much anything larger than Goldilocks (448-bit p, so ~224 security, albeit NIST specs seem say it would be 192) runs into trouble with signatures. Specifically, such curve would require one of: - Questionable signature primitives. - >512-bit hashes (rare, so replaceability becomes a problem). - Hash extension (very easy to get this wrong). 3) No real security benefit Anything that can actually break 192-224 bit curve would cast at least serious doubt on 256 bit curve (imminent breach), if not break it outright. Rho aginst Curve25519 is already extremely nasty (due to thermodynamical limitations). But that's a joke compared to rho on 192-224 level curve. So classical computation projections appear invalid, so actual threats come elsewhere. E.g. Major cryptoanalysis results, large enough QC. 4) TLS limitations TLS is seemingly built only for up to 192-level security (even in 1.3). One could extend TLS for 256-level, but this would run into issues with symmetric encryption (E-521 and AES-256 aren't even close to being matched). Not really useful, given how high 192-level security really is. Summary: So not much less vague: There should be one stronger curve, at least on 192-level (to match the present standard), but faster than P384. Out of 192 or 256, I would say 192 (but unconstrained choice in range might be different, but no higher than 224). -Ilari
- [Cfrg] Elliptic Curves - poll on security levels … Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - poll on security lev… Torsten Schütze
- Re: [Cfrg] Elliptic Curves - poll on security lev… Dan Brown
- Re: [Cfrg] Elliptic Curves - poll on security lev… Nguyen Dr., Kim
- Re: [Cfrg] Elliptic Curves - poll on security lev… Stanislav V. Smyshlyaev
- Re: [Cfrg] Elliptic Curves - poll on security lev… Watson Ladd
- Re: [Cfrg] Elliptic Curves - poll on security lev… Aaron Zauner
- Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - poll on security lev… Christoph Anton Mitterer
- Re: [Cfrg] Elliptic Curves - poll on security lev… Dan Brown
- Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - poll on security lev… Paul Hoffman
- Re: [Cfrg] Elliptic Curves - poll on security lev… Adam Langley
- Re: [Cfrg] Elliptic Curves - poll on security lev… Yoav Nir
- Re: [Cfrg] Elliptic Curves - poll on security lev… Stephen Farrell
- Re: [Cfrg] Elliptic Curves - poll on security lev… Salz, Rich
- Re: [Cfrg] Elliptic Curves - poll on security lev… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - poll on security lev… Daniel Kahn Gillmor
- Re: [Cfrg] Elliptic Curves - poll on security lev… Mike Hamburg
- Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - poll on security lev… Yoav Nir
- Re: [Cfrg] Elliptic Curves - poll on security lev… Kurt Roeckx
- Re: [Cfrg] Elliptic Curves - poll on security lev… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - poll on security lev… Mike Hamburg
- Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - poll on security lev… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - poll on security lev… Станислав Смышляев
- Re: [Cfrg] Elliptic Curves - poll on security lev… Andy Lutomirski
- Re: [Cfrg] Elliptic Curves - poll on security lev… James Cloos
- Re: [Cfrg] Elliptic Curves - poll on security lev… Yoav Nir
- Re: [Cfrg] Elliptic Curves - poll on security lev… Damien Miller
- Re: [Cfrg] Elliptic Curves - poll on security lev… James Cloos
- Re: [Cfrg] Elliptic Curves - poll on security lev… Mike Jones
- Re: [Cfrg] Elliptic Curves - poll on security lev… Benjamin Beurdouche
- Re: [Cfrg] Elliptic Curves - poll on security lev… Daniel Kahn Gillmor
- Re: [Cfrg] Elliptic Curves - poll on security lev… David Leon Gil
- Re: [Cfrg] Elliptic Curves - poll on security lev… Dan Harkins
- Re: [Cfrg] Elliptic Curves - poll on security lev… Olafur Gudmundsson
- Re: [Cfrg] Elliptic Curves - poll on security lev… Bindhunadhava
- Re: [Cfrg] Elliptic Curves - poll on security lev… Aaron Zauner
- Re: [Cfrg] Elliptic Curves - poll on security lev… Stanislav V. Smyshlyaev
- Re: [Cfrg] Elliptic Curves - poll on security lev… Manger, James
- Re: [Cfrg] Elliptic Curves - poll on security lev… Russ Housley
- Re: [Cfrg] Elliptic Curves - poll on security lev… Russ Housley
- Re: [Cfrg] Elliptic Curves - poll on security lev… Brian Smith
- Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - poll on security lev… Paterson, Kenny
- Re: [Cfrg] Elliptic Curves - poll on security lev… Paterson, Kenny
- Re: [Cfrg] Elliptic Curves - poll on security lev… Yoav Nir
- Re: [Cfrg] Elliptic Curves - poll on security lev… Daniel Kahn Gillmor
- Re: [Cfrg] Elliptic Curves - poll on security lev… Stanislav V. Smyshlyaev
- Re: [Cfrg] Elliptic Curves - poll on security lev… Watson Ladd
- Re: [Cfrg] Elliptic Curves - poll on security lev… Dan Brown
- Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - poll on security lev… Eric Rescorla
- Re: [Cfrg] Elliptic Curves - poll on security lev… Annie Yousar
- Re: [Cfrg] Elliptic Curves - poll on security lev… Russ Housley
- Re: [Cfrg] Elliptic Curves - poll on security lev… Andrey Jivsov
- [Cfrg] Why I think 256-level is a bad idea [Was: … Ilari Liusvaara
- Re: [Cfrg] Why I think 256-level is a bad idea [W… Adam Langley
- Re: [Cfrg] Elliptic Curves - poll on security lev… Michael Scott
- Re: [Cfrg] Elliptic Curves - poll on security lev… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - poll on security lev… _MiW
- Re: [Cfrg] Elliptic Curves - poll on security lev… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - poll on security lev… Olafur Gudmundsson
- Re: [Cfrg] Elliptic Curves - poll on security lev… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - poll on security lev… Brian Smith
- Re: [Cfrg] Elliptic Curves - poll on security lev… Paterson, Kenny
- Re: [Cfrg] Elliptic Curves - poll on security lev… Joseph Salowey
- Re: [Cfrg] Elliptic Curves - poll on security lev… Watson Ladd
- Re: [Cfrg] Elliptic Curves - poll on security lev… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - poll on security lev… Kurt Roeckx
- Re: [Cfrg] Elliptic Curves - poll on security lev… Nex6|Bill