IETF Logo Mail Archive

[Cfrg] Why I think 256-level is a bad idea [Was: Re: Elliptic Curves - poll on security levels (ends on February 17th)]

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Thu, 12 February 2015 18:38 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C2791A1B01 for <cfrg@ietfa.amsl.com>; Thu, 12 Feb 2015 10:38:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.298
X-Spam-Level: **
X-Spam-Status: No, score=2.298 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, MANGLED_SEX=2.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W9FkM4ah2ARG for <cfrg@ietfa.amsl.com>; Thu, 12 Feb 2015 10:38:03 -0800 (PST)
Received: from emh03.mail.saunalahti.fi (emh03.mail.saunalahti.fi [62.142.5.109]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A54A1A1B1B for <cfrg@irtf.org>; Thu, 12 Feb 2015 10:38:01 -0800 (PST)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh03.mail.saunalahti.fi (Postfix) with ESMTP id C97A818878C; Thu, 12 Feb 2015 20:37:58 +0200 (EET)
Date: Thu, 12 Feb 2015 20:37:58 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20150212183758.GA12959@LK-Perkele-VII>
References: <54D9E2E3.4080402@isode.com> <CABcZeBMOdejqTYsYqtYP8d2whVF6HUFjMJBNFeuU7Ypi8sn9mA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBMOdejqTYsYqtYP8d2whVF6HUFjMJBNFeuU7Ypi8sn9mA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/PbRaSZAa-GAAywzO7W4J8Cnuv_w>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: [Cfrg] Why I think 256-level is a bad idea [Was: Re: Elliptic Curves - poll on security levels (ends on February 17th)]
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Feb 2015 18:38:05 -0000

On Wed, Feb 11, 2015 at 10:24:13AM -0800, Eric Rescorla wrote:
> On Tue, Feb 10, 2015 at 2:52 AM, Alexey Melnikov <alexey.melnikov@isode.com>
> wrote:
> 
> > CFRG chairs are starting a poll, containing 2 initial questions:
> >
> > Q1: Should CFRG recommend a curve at the 192-bit security level?
> >
> > Q2: Should CFRG recommend a curve at the 256-bit security level?
> >
> > Answering Yes/No to each of these would suffice.
> 
> 
> Sorry for giving an unclear answer, but:
> 
> I believe that the CFRG should probably specify one stronger curve at
> either 192 or 256.
> Both of these seem to have arguments in favor, but if I were pushed I would
> probably
> go for 256 for the reason that if we're going to be conservative we should
> be really
> conservative.

I consider 256-level curve a bad idea (and Goldilocks as the largest practical
curve) for the following reasons:

1) Too slow

We have performance budgets, and the real world standard for higher-
security curve is P384, so that sets our performance budget.

Now, P-384 implelmentation in OpenSSL is hilariously bad (In fact, I seem
to have a version of OpenSSL where P-521 is faster(!) than P-384). But
proper P-384 would be a lot faster and even well-optimized E-521 would be
slower.

I would estimate that 256-level is about half the speed (for E-521, since
that's faster than 512-bit curves) of 192-level (and goldilocks would be
about 25% slower than 192-level, due to extraordinarily efficient prime).
This is on top of 2.5-3x penalty for 192-level over 128-level.

And remember that some CA people have actually expressed interest at
actually using the larger curve.

There's also similar arguments on low side (P-256 is the standard there),
but Curve25519 (or whatever it is called) delivers the needed performance.


2) Signature problems

Pretty much anything larger than Goldilocks (448-bit p, so ~224 security,
albeit NIST specs seem say it would be 192) runs into trouble with
signatures.

Specifically, such curve would require one of:
- Questionable signature primitives.
- >512-bit hashes (rare, so replaceability becomes a problem).
- Hash extension (very easy to get this wrong).


3) No real security benefit

Anything that can actually break 192-224 bit curve would cast at least
serious doubt on 256 bit curve (imminent breach), if not break it outright.

Rho aginst Curve25519 is already extremely nasty (due to thermodynamical
limitations). But that's a joke compared to rho on 192-224 level curve.
So classical computation projections appear invalid, so actual threats
come elsewhere. E.g. Major cryptoanalysis results, large enough QC.


4) TLS limitations

TLS is seemingly built only for up to 192-level security (even in 1.3).
One could extend TLS for 256-level, but this would run into issues with
symmetric encryption (E-521 and AES-256 aren't even close to being
matched).

Not really useful, given how high 192-level security really is.



Summary:
So not much less vague: There should be one stronger curve, at least
on 192-level (to match the present standard), but faster than P384.

Out of 192 or 256, I would say 192 (but unconstrained choice in range
might be different, but no higher than 224).



-Ilari

v2.23.0 | Report a Bug | By Email