Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)

Dan Brown <dbrown@certicom.com> Thu, 26 February 2015 17:21 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 727D91A910B for <cfrg@ietfa.amsl.com>; Thu, 26 Feb 2015 09:21:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level:
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_05=-0.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y-uuaGokZmFW for <cfrg@ietfa.amsl.com>; Thu, 26 Feb 2015 09:21:47 -0800 (PST)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) by ietfa.amsl.com (Postfix) with ESMTP id 5C3AE1A90E7 for <cfrg@irtf.org>; Thu, 26 Feb 2015 09:21:47 -0800 (PST)
Received: from xct101cnc.rim.net ([10.65.161.201]) by mhs213cnc.rim.net with ESMTP/TLS/AES128-SHA; 26 Feb 2015 12:21:44 -0500
Received: from XCT114CNC.rim.net (10.65.161.214) by XCT101CNC.rim.net (10.65.161.201) with Microsoft SMTP Server (TLS) id 14.3.210.2; Thu, 26 Feb 2015 12:21:43 -0500
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT114CNC.rim.net ([::1]) with mapi id 14.03.0210.002; Thu, 26 Feb 2015 12:21:42 -0500
From: Dan Brown <dbrown@certicom.com>
To: "'alexey.melnikov@isode.com'" <alexey.melnikov@isode.com>, "'cfrg@irtf.org'" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)
Thread-Index: AQHQUQdPFXtNEp30ikKmKrI5h0TObJ0DLU+g
Date: Thu, 26 Feb 2015 17:21:41 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5D6CE9E@XMB116CNC.rim.net>
References: <54EDDBEE.5060904@isode.com>
In-Reply-To: <54EDDBEE.5060904@isode.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/QvOxI_f1mWiyuWAiaWupsZOCFxA>
Subject: Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Feb 2015 17:21:56 -0000

My votes in this poll:

521: preferred
512: acceptable
480: acceptable
448: acceptable

Earlier, I voted NO on pursuing 192-bit and 256-bit security in the
short term.  Perhaps that disqualifies me to vote on this poll about
the short term choice for higher security curves, but I still have
some preferences on the outcome of the short term recommendation, so
I'll submit my vote in the current poll.  Feel free to ignore for the
short-term activity, especially if it helps to achieve CFRG to
consensus, thereby progressing with a recommendation.

Long-term, I strongly support higher-level security, including what
might be labelled as 192-bit security, and perhaps even other
intermediate values.

Though I voted above on 448 and 480 as acceptable, just to be clear,
we should not label them as providing "256-bit security" and not use
them with AES-256, until we solidify accounting arguments such
compatibility, such as:

- the for the EC operations per bit size being slower than say AES
operations per bit size,

- the stronger per-user security of ECC compared to AES,

- the more secure quadratic trade-off of success rate for time in ECC
compared to linear trade-off for AES.

These arguments are subtle, but perhaps within reach.

Alternatively, I wouldn't mind recommending the 448 and 480 field
sizes, and then using symmetric key sizes that are appropriate for the
field sizes. In other words, with public-key taking a more leading
role in security decisions, with symmetric-key just following suit.

An additional reservation I have with 480 and 448 is that they arise
from more recent, and lower profile proposals, compared to NIST P521.
Generally, I have a strong belief in the security in the security of
ECC, including the hardness of the ECDLP and other things needed for
security of ECC.  But for making recommendations of higher security,
I'd want something stronger than mere belief.

For low-characteristic fields, Menezes, Diem and others have published
attacks on weak fields, in the strongest sense of having an easier
ECDLP.  Also, some have argued here that in some prime-field are more
vulnerable to side channels than others [ref?].  Based on these two
existing threats, we might reasonably speculate that there remains a
remote risk of new weaknesses in ECC that depend on the field choice.
If we want to rationally reduce that remote risk, then we can use the
evidence of the 521-bit field size has remained unbroken since 1999.
This is a reason to deem 521 as less risky the newer 448 and 480.

Finally, others have commented that 128-bit security is so strong that
anything beyond that is pointless.  Well, I disagree, for several
reasons, albeit perhaps theoretical reasons.  For example, many
security proofs [*], especially for signature schemes, have loose
reductions, which suggest larger key sizes are needed for the provable
security results to be concretely applicable.  Of course, real-world
security can be better than what the proofs suggests, but occasionally
the bounds in the proof turn out to be right after all.  Luckily, for
many signature applications, perhaps even those of CAs and signed
ECDH, that looseness is irrelevant, either because the number of
signatures is low, or the signing oracle is more limited than the
threat model of the security proofs.  For another example, consider
known reductions between ECDHP and ECDLP, whose tightness depend on
not just on the field size, but also the group size.


[*] I'm using the conventional terms "security proof", though a more
modest label like "reductionist security argument", or "conditional
security analysis" might be better.

> -----Original Message-----
> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Alexey Melnikov
> Sent: Wednesday, February 25, 2015 9:28 AM
> To: cfrg@irtf.org
> Subject: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work
> factor (ends on March 3rd)
> 
> CFRG chairs are starting another poll:
> 
> Q3: This is a Quaker poll (please answer one of "preferred", "acceptable" or
> "no") for each curve specified below:
> 
> 1) 448 (Goldilocks)
> 2) 480
> 3) 521
> 4) other curve (please name another curve that you "prefer" or "accept", or
> state "no")
> 
> If you stated your curve preferences in the poll that ended on February 23rd
> (see the attachment), you don't need to reply to this poll, your opinion is
> already recorded. But please double check what chairs recorded (see the
> attachment).
> 
> If you changed your mind or only answered the question about performance
> versa memory usage for curves 512 and 521, feel free to reply.
> 
> Once this issues is settled, we will be discussing (in no particular order. Chairs
> reserve the right to add additional questions) implementation specifics and
> coordinate systems for Diffie-Hellman. We will then make decisions on
> signature schemes. Please don't discuss any of these future topics at this time.