Re: [Cfrg] Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd)

Tony Arcieri <bascule@gmail.com> Fri, 20 February 2015 22:24 UTC

Return-Path: <bascule@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E1F11A1B2E for <cfrg@ietfa.amsl.com>; Fri, 20 Feb 2015 14:24:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W-Id0GeVOuxN for <cfrg@ietfa.amsl.com>; Fri, 20 Feb 2015 14:24:19 -0800 (PST)
Received: from mail-ob0-x234.google.com (mail-ob0-x234.google.com [IPv6:2607:f8b0:4003:c01::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93A7A1A028A for <cfrg@irtf.org>; Fri, 20 Feb 2015 14:24:19 -0800 (PST)
Received: by mail-ob0-f180.google.com with SMTP id vb8so27010144obc.11 for <cfrg@irtf.org>; Fri, 20 Feb 2015 14:24:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=nmorDLZXo+xglx/zQBitYDmC6nNIr5zcmJus5cSO81o=; b=DrBpnI5rhxTqseJUZ20mAj0ATbE6oH0T5tt/mFcW1ib2TnaHKfLmpUx1k0FjvpHwXt C4toY7LRDs1qJaDBT8Vkrn3LhlGh9zMjn3UxmUvfHdKvGrfEevnLg92q5N3tYEfFspIf EojsGd/4UVIpZN8fieB6Y05S4ZZKbnlpPWJyRocCVAhEGE3+dojgw8Lo7uIMh271uXHE WwE1Dxnpzdvvd4cRpvDlpOgt1NHAemyQ5VGc2Xuf/VotiO2/q04YaQtmkkCFw4ickxSx zHkNK6PTJuTSHV/+iTt+4/l00z9V2zJfElPopRdth1Ci+2Bb3S6/IwuSfhrlZ9GhApjL R0kw==
X-Received: by 10.202.62.70 with SMTP id l67mr7650749oia.59.1424471058901; Fri, 20 Feb 2015 14:24:18 -0800 (PST)
MIME-Version: 1.0
Received: by 10.202.224.66 with HTTP; Fri, 20 Feb 2015 14:23:58 -0800 (PST)
In-Reply-To: <CAMm+LwjU_c=Oh7uebV3XS1XuD6bAuNGSzFW16uqh9-nQM7n98g@mail.gmail.com>
References: <54E46EA4.9010002@isode.com> <CAHOTMVKCD+DK6QbSuy8R63FVnu_WBNmwMvByqicx=sK6_k63HQ@mail.gmail.com> <D10CAF3B.3F266%kenny.paterson@rhul.ac.uk> <CAMm+Lwhj9H_NK22QbTB7=EFd7GBg0WprwRMN8RxH3+7r_buf7g@mail.gmail.com> <CACsn0c=eqcXm+ir75Qm9PvP5QhdZf_kfVYn2sE-mcHwNtqbP7A@mail.gmail.com> <CAMm+LwjU_c=Oh7uebV3XS1XuD6bAuNGSzFW16uqh9-nQM7n98g@mail.gmail.com>
From: Tony Arcieri <bascule@gmail.com>
Date: Fri, 20 Feb 2015 14:23:58 -0800
Message-ID: <CAHOTMV+Bdk6zuup-0fjxqSVFBphsww2=2X2kqUy-TLT6MUQzNg@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: multipart/alternative; boundary="001a113ce09a7570f3050f8c83c9"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/PiKAJUn0F6px433fxL6aVFggYY0>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Feb 2015 22:24:22 -0000

On Fri, Feb 20, 2015 at 11:50 AM, Phillip Hallam-Baker <
phill@hallambaker.com> wrote:

> You think that performance should be the criteria. In the twenty years
> since I was a grad student the performance of computers has doubled every
> 18 months or so. I am writing this on a computer that has more computing
> power than the fastest supercomputer available only ten years ago, cost
> less than $10,000 and plugs into a regular wall socket.
>

Let's imagine we want to use E-521 as a digital signature on a TLS
certificate. Now let's imagine we have intermediates. And we're on a mobile
phone, which is slow.

This is an interactive user experience... someone is just trying to access
a web site over HTTPS, and to ensure we have the correct certificate, we
have to verify two E-521 signatures.

How long is that going to take?

What's the argument for a curve that's closer to 512? Surely it's not that
the field arithmetic is easier. It's going to be slower and harder to
implement.

Can you say what exactly what the beneficial properties of 512 over 521
actually are?

-- 
Tony Arcieri