Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)
Dan Brown <dbrown@certicom.com> Thu, 26 February 2015 17:21 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 727D91A910B for <cfrg@ietfa.amsl.com>; Thu, 26 Feb 2015 09:21:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level:
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_05=-0.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y-uuaGokZmFW for <cfrg@ietfa.amsl.com>; Thu, 26 Feb 2015 09:21:47 -0800 (PST)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) by ietfa.amsl.com (Postfix) with ESMTP id 5C3AE1A90E7 for <cfrg@irtf.org>; Thu, 26 Feb 2015 09:21:47 -0800 (PST)
Received: from xct101cnc.rim.net ([10.65.161.201]) by mhs213cnc.rim.net with ESMTP/TLS/AES128-SHA; 26 Feb 2015 12:21:44 -0500
Received: from XCT114CNC.rim.net (10.65.161.214) by XCT101CNC.rim.net (10.65.161.201) with Microsoft SMTP Server (TLS) id 14.3.210.2; Thu, 26 Feb 2015 12:21:43 -0500
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT114CNC.rim.net ([::1]) with mapi id 14.03.0210.002; Thu, 26 Feb 2015 12:21:42 -0500
From: Dan Brown <dbrown@certicom.com>
To: "'alexey.melnikov@isode.com'" <alexey.melnikov@isode.com>, "'cfrg@irtf.org'" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)
Thread-Index: AQHQUQdPFXtNEp30ikKmKrI5h0TObJ0DLU+g
Date: Thu, 26 Feb 2015 17:21:41 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5D6CE9E@XMB116CNC.rim.net>
References: <54EDDBEE.5060904@isode.com>
In-Reply-To: <54EDDBEE.5060904@isode.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/QvOxI_f1mWiyuWAiaWupsZOCFxA>
Subject: Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Feb 2015 17:21:56 -0000
My votes in this poll: 521: preferred 512: acceptable 480: acceptable 448: acceptable Earlier, I voted NO on pursuing 192-bit and 256-bit security in the short term. Perhaps that disqualifies me to vote on this poll about the short term choice for higher security curves, but I still have some preferences on the outcome of the short term recommendation, so I'll submit my vote in the current poll. Feel free to ignore for the short-term activity, especially if it helps to achieve CFRG to consensus, thereby progressing with a recommendation. Long-term, I strongly support higher-level security, including what might be labelled as 192-bit security, and perhaps even other intermediate values. Though I voted above on 448 and 480 as acceptable, just to be clear, we should not label them as providing "256-bit security" and not use them with AES-256, until we solidify accounting arguments such compatibility, such as: - the for the EC operations per bit size being slower than say AES operations per bit size, - the stronger per-user security of ECC compared to AES, - the more secure quadratic trade-off of success rate for time in ECC compared to linear trade-off for AES. These arguments are subtle, but perhaps within reach. Alternatively, I wouldn't mind recommending the 448 and 480 field sizes, and then using symmetric key sizes that are appropriate for the field sizes. In other words, with public-key taking a more leading role in security decisions, with symmetric-key just following suit. An additional reservation I have with 480 and 448 is that they arise from more recent, and lower profile proposals, compared to NIST P521. Generally, I have a strong belief in the security in the security of ECC, including the hardness of the ECDLP and other things needed for security of ECC. But for making recommendations of higher security, I'd want something stronger than mere belief. For low-characteristic fields, Menezes, Diem and others have published attacks on weak fields, in the strongest sense of having an easier ECDLP. Also, some have argued here that in some prime-field are more vulnerable to side channels than others [ref?]. Based on these two existing threats, we might reasonably speculate that there remains a remote risk of new weaknesses in ECC that depend on the field choice. If we want to rationally reduce that remote risk, then we can use the evidence of the 521-bit field size has remained unbroken since 1999. This is a reason to deem 521 as less risky the newer 448 and 480. Finally, others have commented that 128-bit security is so strong that anything beyond that is pointless. Well, I disagree, for several reasons, albeit perhaps theoretical reasons. For example, many security proofs [*], especially for signature schemes, have loose reductions, which suggest larger key sizes are needed for the provable security results to be concretely applicable. Of course, real-world security can be better than what the proofs suggests, but occasionally the bounds in the proof turn out to be right after all. Luckily, for many signature applications, perhaps even those of CAs and signed ECDH, that looseness is irrelevant, either because the number of signatures is low, or the signing oracle is more limited than the threat model of the security proofs. For another example, consider known reductions between ECDHP and ECDLP, whose tightness depend on not just on the field size, but also the group size. [*] I'm using the conventional terms "security proof", though a more modest label like "reductionist security argument", or "conditional security analysis" might be better. > -----Original Message----- > From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Alexey Melnikov > Sent: Wednesday, February 25, 2015 9:28 AM > To: cfrg@irtf.org > Subject: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work > factor (ends on March 3rd) > > CFRG chairs are starting another poll: > > Q3: This is a Quaker poll (please answer one of "preferred", "acceptable" or > "no") for each curve specified below: > > 1) 448 (Goldilocks) > 2) 480 > 3) 521 > 4) other curve (please name another curve that you "prefer" or "accept", or > state "no") > > If you stated your curve preferences in the poll that ended on February 23rd > (see the attachment), you don't need to reply to this poll, your opinion is > already recorded. But please double check what chairs recorded (see the > attachment). > > If you changed your mind or only answered the question about performance > versa memory usage for curves 512 and 521, feel free to reply. > > Once this issues is settled, we will be discussing (in no particular order. Chairs > reserve the right to add additional questions) implementation specifics and > coordinate systems for Diffie-Hellman. We will then make decisions on > signature schemes. Please don't discuss any of these future topics at this time.
- [Cfrg] Rerun: Elliptic Curves - preferred curves … Alexey Melnikov
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Phillip Hallam-Baker
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Watson Ladd
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Stephen Farrell
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Yoav Nir
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Phillip Hallam-Baker
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Paul Hoffman
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Adam Langley
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Paul Lambert
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Simon Josefsson
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Watson Ladd
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Derek Atkins
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Damien Miller
- [Cfrg] On "non-NIST" Paul Hoffman
- Re: [Cfrg] On "non-NIST" stephen.farrell
- Re: [Cfrg] On "non-NIST" Paul Lambert
- Re: [Cfrg] On "non-NIST" Phillip Hallam-Baker
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Alyssa Rowan
- Re: [Cfrg] On "non-NIST" Stephen Farrell
- Re: [Cfrg] On "non-NIST" Tony Arcieri
- Re: [Cfrg] On "non-NIST" Tony Arcieri
- Re: [Cfrg] On "non-NIST" Damien Miller
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Dan Brown
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Dan Harkins
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… _MiW
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Rene Struik
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Ilari Liusvaara
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… David Leon Gil
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Andy Lutomirski
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Tony Arcieri
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Andrey Jivsov
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… David Gil
- Re: [Cfrg] Rerun: Elliptic Curves - preferred cur… Benjamin Beurdouche
- [Cfrg] Results of the poll: Elliptic Curves - pre… Alexey Melnikov
- Re: [Cfrg] Results of the poll: Elliptic Curves -… Benjamin Black
- Re: [Cfrg] Results of the poll: Elliptic Curves -… Watson Ladd
- Re: [Cfrg] Results of the poll: Elliptic Curves -… Michael Hamburg
- Re: [Cfrg] Results of the poll: Elliptic Curves -… Benjamin Black
- Re: [Cfrg] Results of the poll: Elliptic Curves -… Benjamin Black
- Re: [Cfrg] Comb algorithm IPR status (was: Result… Alyssa Rowan
- Re: [Cfrg] Comb algorithm IPR status (was: Result… Benjamin Black
- Re: [Cfrg] Comb algorithm IPR status Mike Hamburg
- Re: [Cfrg] Comb algorithm IPR status Alyssa Rowan
- Re: [Cfrg] Comb algorithm IPR status Benjamin Black
- Re: [Cfrg] Comb algorithm IPR status Benjamin Black