Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)

Simon Josefsson <> Wed, 25 February 2015 16:50 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 66A521A87C1 for <>; Wed, 25 Feb 2015 08:50:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.348
X-Spam-Status: No, score=0.348 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SZc6ekTGBIaN for <>; Wed, 25 Feb 2015 08:50:52 -0800 (PST)
Received: from ( [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 680711A1AB0 for <>; Wed, 25 Feb 2015 08:50:52 -0800 (PST)
Received: from ( []) (authenticated bits=0) by (8.14.4/8.14.4/Debian-4) with ESMTP id t1PGomer029482 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 25 Feb 2015 17:50:50 +0100
From: Simon Josefsson <>
To: Alexey Melnikov <>
References: <>
OpenPGP: id=54265E8C; url=
Date: Wed, 25 Feb 2015 17:50:47 +0100
In-Reply-To: <> (Alexey Melnikov's message of "Wed, 25 Feb 2015 14:27:58 +0000")
Message-ID: <>
User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.5 at
X-Virus-Status: Clean
Archived-At: <>
Cc: "" <>
Subject: Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 25 Feb 2015 16:50:53 -0000

I believe the focus on "around 256bit work factor" is distracting and
could better be phrased "alternative to Curve25519 with higher security
margin".  Given that the work factor on the mentioned curves vary quite
significantly away from 256-bit, I'm reading the poll that way.

> Q3: This is a Quaker poll (please answer one of "preferred",
> "acceptable" or "no") for each curve specified below:
> 1) 448 (Goldilocks)


> 2) 480


> 3) 521


> 4) other curve (please name another curve that you "prefer" or
> "accept", or state "no")

Curve25519       Preferred
E-382            Acceptable
M-383            Acceptable
Curve383187      Acceptable
brainpoolP384t1  No
NIST P-384       No
Curve41417       Acceptable
Ed448-Goldilocks Preferred
M-511            Acceptable
E-521            Acceptable

Generally, any curve that has high performance, reasonable security
(more than ~100 bits of work factor) and doesn't have design warts
(SafeCurves) is acceptable to me.  To become preferred, I select the
curves out of the acceptable curves that is seeing the highest adoption
rate in the implementers community and getting the most reviews in the
cryptographic community.  The former (acceptable) is a simple process,
the latter (preferred) is subjective.