Re: [Cfrg] Primes (last time hopefully!)

Watson Ladd <watsonbladd@gmail.com> Sun, 01 February 2015 18:45 UTC

In-Reply-To: <54CAAC57.2040504@akr.io>
References: <CACsn0c=a90vhRNg8Dj2otqp4HfjSdA5Cj8oU2XgKcYYMXS+znA@mail.gmail.com> <54CAAC57.2040504@akr.io>
Date: Sun, 01 Feb 2015 10:45:06 -0800
Message-ID: <CACsn0ckJNwTm3t=AE-b4-DCYLcZU4vBqEbES40FA-xN9MuaUpg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Alyssa Rowan <akr@akr.io>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/RlEKCfckg9aMmkLSozXuLt4Djww>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Primes (last time hopefully!)
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On Thu, Jan 29, 2015 at 1:55 PM, Alyssa Rowan <akr@akr.io> wrote:
> On 28/01/2015 15:53, Watson Ladd wrote:
>> The following have been suggested for primes at sizes between
>> 2^255-19 and 2^521-1.
>
> I think what would inform my preference most is performance data, so,
> tabulating Mike Hamburg's data¹:
>
> ┏━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━━┳━━━━━━━┓
> ┃ Prime         ┃   ρ   ┃  mul  ┃  sqr  ┃
> ┡━━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━━╇━━━━━━━┩
> │ 2^521-1       │ 260.3 │ 145.5 │ 110.7 │
> │ 2^512-569     │ 255.8 │ 199.9 │ 140.6 │
> │ 2^448-2^224-1 │ 222.8 │ 118.0 │  88.9 │
> │ 2^414-17      │ 205.3 │       │       │
> │ 2^389-21      │       │ 112.5 │  75.5 │
> │ 2^384-317     │ 191.8 │ 117.5 │  89.8 │
> │ 2^379-19      │       │       │       │
> └───────────────┴───────┴───────┴───────┘
>
>   ρ = approx cost (in bits) of pollard-rho (higher is better)
>   mul = cycles per multiply (lower is faster)
>   sqr = cycles per square (lower is faster)
>
>   (Please feel free to fill in the blanks with more data.)
>
> I'm guessing ρ for 2^389-21 and 2^379-19 would be around 188-192ish
> (but I haven't actually generated the curves to count ℓ).
>
> Not sure I find 379 tempting, unless it turns out significantly faster.

The reason 379 was put forward was that saturated would be faster. But
until we have SUPERCOP runs we don't know how true that is: it's a
consideration on small ARMs sans NEON. Until we have extensively
optimized code we don't know for sure.

>
> Goldilocks looks promising. I'm missing data on 41417, which also
> deserves a fair crack of the whip.

I could have sworn it was in SUPERCOP.

>
> I think E-521 can also go a bit faster than this, but I don't have too
> many details. It's rigid enough several groups have generated it
> independently. But maybe too slow.

The Granville and some other people's methods are already in the
figures. Bear in mind that is a Brazilian standard: we will be
adopting it anyway. (Sidenote: why the heck is Curve25519
controversial, and GOST/ANSSI/Brainpool/China's equivalent not?)

>
> Remembering that if we do choose a 'big' curve, CAs will use it, and
> that means frequent verification for even mobile clients.

Not sure I follow: If we provide both 521 and 448/379, why would CAs
use the ridiculously oversized one? They didn't for RSA after all.

>
> Enough already I think to rule 512 and 384 out now: they're slower
> than stronger curves (even if the MSR ECCLib comb gave them an advantage).

The comb is prime independent. The right way to measure would be all
optimized as much as possible, so the effects of arithmetic and curve
size shine through. (And on the same framework)

Sincerely,
Watson Ladd
>
> Those who really think performance doesn't matter are free to use
> 2^1024-105 if they like. ;-)
>
> ___
> 1. <https://www.ietf.org/mail-archive/web/cfrg/current/msg05733.html>
>
> - --
> /akr



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
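The ρ column in the quoted table can be reproduced from the standard Pollard-rho work estimate, which makes it easy to check the filled-in rows and to fill in the blank ones. The Python below is an added example, not code from either message or from Mike Hamburg's data set. It assumes the expected cost is sqrt(π·ℓ/4) group operations when the negation map is used (sqrt(π·ℓ/2) without it), approximates the prime subgroup order ℓ as p divided by a cofactor, and reports log2 of that as the figure in bits. The cofactors are this example's assumptions: 1 (prime order) for the 521-, 512- and 384-bit rows, 4 for 2^448-2^224-1 (Goldilocks) and 8 for 2^414-17 (Curve41417), which reproduces the table's five ρ values to one decimal place; a cofactor-4 Edwards curve at 521 bits would score one bit lower than the prime-order figure shown. The two blank rows use a guessed cofactor of 4 and come out at roughly 193 and 188 bits, near the 188-192 range guessed in the quoted message.

```python
import math

# Constructed candidate list: (label, prime p, assumed cofactor h).
# The primes are the ones named in the thread; the cofactors are this
# example's assumptions, chosen as explained in the lead-in.
# ell ~= p / h is the order of the prime subgroup actually used.
CANDIDATES = [
    ("2^521-1",       2**521 - 1,           1),  # prime-order curve assumed (P-521 style)
    ("2^512-569",     2**512 - 569,         1),  # prime-order curve assumed
    ("2^448-2^224-1", 2**448 - 2**224 - 1,  4),  # Edwards cofactor 4 (Goldilocks)
    ("2^414-17",      2**414 - 17,          8),  # cofactor 8 (Curve41417)
    ("2^389-21",      2**389 - 21,          4),  # no curve generated in the thread; 4 is a guess
    ("2^384-317",     2**384 - 317,         1),  # prime-order curve assumed
    ("2^379-19",      2**379 - 19,          4),  # no curve generated in the thread; 4 is a guess
]


def rho_bits(p: int, cofactor: int = 1, negation_map: bool = True) -> float:
    """log2 of the expected number of group operations Pollard rho needs to
    solve one discrete log in a subgroup of order ell ~= p / cofactor.

    Expected work is sqrt(pi * ell / 4) with the negation map and
    sqrt(pi * ell / 2) without it; both are the usual estimates for
    prime-order elliptic-curve groups.
    """
    # math.log2 accepts arbitrary-size ints; for these sizes it converts p
    # to a double first, which is accurate to far better than 0.1 bit.
    ell_bits = math.log2(p) - math.log2(cofactor)
    divisor = 4 if negation_map else 2
    return ell_bits / 2 + 0.5 * math.log2(math.pi / divisor)


def rho_table(candidates=CANDIDATES) -> dict:
    """Map each label to its rho estimate rounded to one decimal, matching
    the layout of the thread's table."""
    return {label: round(rho_bits(p, h), 1) for label, p, h in candidates}


def security_margin_bits(p: int, cofactor: int, target_bits: float) -> float:
    """Distance of the rho estimate above (positive) or below (negative) a
    target security level, e.g. 224 bits for a '448-bit' curve."""
    return rho_bits(p, cofactor) - target_bits


if __name__ == "__main__":
    for label, rho in rho_table().items():
        print(f"{label:15s} rho ~ {rho:6.1f} bits")
    print(f"Goldilocks vs 224-bit target: "
          f"{security_margin_bits(2**448 - 2**224 - 1, 4, 224):+.1f} bits")
```

Two things the function makes visible that the table does not: every doubling of the cofactor costs half a bit of ρ (ℓ shrinks by a factor of two, and rho scales with sqrt(ℓ)), and the negation map is worth exactly half a bit to the attacker, so quoting ρ without saying which model was used leaves the comparison ambiguous at the 0.5-bit level.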