Re: [Cfrg] ECC reboot (Was: When's the decision?)

Watson Ladd <watsonbladd@gmail.com> Fri, 17 October 2014 21:45 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E2761A86EA for <cfrg@ietfa.amsl.com>; Fri, 17 Oct 2014 14:45:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FHwVO08SCf6X for <cfrg@ietfa.amsl.com>; Fri, 17 Oct 2014 14:45:26 -0700 (PDT)
Received: from mail-yh0-x232.google.com (mail-yh0-x232.google.com [IPv6:2607:f8b0:4002:c01::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61E241A86DE for <cfrg@irtf.org>; Fri, 17 Oct 2014 14:45:26 -0700 (PDT)
Received: by mail-yh0-f50.google.com with SMTP id a41so758941yho.9 for <cfrg@irtf.org>; Fri, 17 Oct 2014 14:45:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=pWs5PNxajsqStMFdft+ih6kJLwg6Sc9bG2KShv174+M=; b=HUCqdTaX9Yz+sIgtr4/b59sS+aKs+aso99ewYwJ9HYQI52t8y/i/x8VEbrRgWVyO/5 K5AaFz+IwpJApe1E/s9UecwwMe2zzlkkpBQMT1ByBCRbDYsLuco+wwpg1zPfsw594top Cnc96kNtvASy9iUA6SPfdDoGCOq3kUYJZwpzhWDeXT8TcTc/JPN2MSJ9CHEhY3T+TG7T VU1uy/3Z8/J5quyLfqRAOD698BafSdCFGzns5LQDJomrev6qtMCoz1l8QBESLdN45iUU eiM0ivcRETHsV9ZpebCk9fnOoiXOMYmNH+v7KAqrhGbauMfoGKXQeQYOeb07ehlAP5PL pExQ==
MIME-Version: 1.0
X-Received: by 10.236.51.233 with SMTP id b69mr7871876yhc.147.1413582325526; Fri, 17 Oct 2014 14:45:25 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Fri, 17 Oct 2014 14:45:25 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Fri, 17 Oct 2014 14:45:25 -0700 (PDT)
In-Reply-To: <CAMm+LwhVKBfcfrXUKmVXKsiAMRSTV+ws+u07grmxkfnR2oYJoQ@mail.gmail.com>
References: <D065A817.30406%kenny.paterson@rhul.ac.uk> <54400E9F.5020905@akr.io> <CAMm+LwhVKBfcfrXUKmVXKsiAMRSTV+ws+u07grmxkfnR2oYJoQ@mail.gmail.com>
Date: Fri, 17 Oct 2014 14:45:25 -0700
Message-ID: <CACsn0cn7-GMUXSWdTfg4-aStM16ubqL5MA=4bmoZk8OO7jc1Ag@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: multipart/alternative; boundary=089e013a14085fb62d0505a54895
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/VFs3BXXoYceg4ZtMt7xRmazYbOM
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] ECC reboot (Was: When's the decision?)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Oct 2014 21:45:30 -0000

On Oct 17, 2014 1:22 PM, "Phillip Hallam-Baker" <phill@hallambaker.com>
wrote:
>
> On Thu, Oct 16, 2014 at 2:29 PM, Alyssa Rowan <akr@akr.io> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > On 16/10/2014 17:08, Paterson, Kenny wrote:
> >
> >> Our first task should be to finalise the requirements that we will
> >> use to guide the selection process. I think we are close, with a
> >> couple of outstanding issues:
> >
> > Alright, so let's try to get things in high gear and argue those out…?
> >
> >> 1. Amount of "wiggle room" that should be permitted.
> >
> > Broadly: I think what we're aiming for is probably one faster/strong
> > curve, and one stronger/fast curve.
> >
> > Given the strong preferences of some to minimise the number of curves,
> > it looks to me like ­≈384 is almost-definitely dropped, leaving us
> > with something near ≈256 and something near ≈512.
> >
> > We seem to be in agreement that wiggle room on ≈256 would include
> > fields of 2^255-19 as well as 2^256-189 in scope.
> >
> > For the paranoid-strong, performance-second ≈512, 2^512-569 very
> > obviously falls within scope.
>
> Agree so far.
>
>
> > I put forth that 2^521-1 also falls within scope. It's not very far
> > away, and it's a true Mersenne prime rather than a pseudo-Mersenne,
> > and they do not grow on trees - no others fall near our criteria (the
> > next lowest is 2^127-1 which is way too small, and the next biggest is
> > 2^607-1). They are very attractive - attractive enough for 4 (?)
> > independent research groups to independently arrive on E-521, and
> > SECG/NIST to have independently picked the same prime years ago for
> > secp521r1.
>
> It is a Mersenne but the performance advantage is compromised by it
> being larger than 512 bits. That means every memory operation is going
> to break stride. Which is a really bad tradeoff for the marginal
> improvement in speed.

Shouldn't this show up in benchmarks? Or is this a performance issue that
doesn't actually do anything with performance?

>
>
> > [Previous discussion countering this point: Sean Parkinson @ RSA
> > suggested stepping over a power of 2 is "only going to hurt
> > performance in the future". Phillip Hallam-Baker also thought anything
> > that is not less than a clean multiple of a power of two "may cause
> > severe performance hits on future architectures", mentioning 512-bit
> > memory buses on graphics cards?!
>
> There is a good reason for that. What we call 'graphics cards' are
> really just what we used to call a vector unit.
>
> Getting someone to build purpose built ECC accelerators is hard and
> expensive. I can buy an nvida card that with a ridiculous number of
> cores that I can pretty much program to do anything I like.
>

Actually,  there are major issues with offloading to graphics cards in
latency. My guess is that CPU performance is fast enough that graphics
cards don't win out.

>
> Its not just a question of speed, its a question of the amount of
> microcode required to implement ECC math as a native function of the
> GPU.

Right: an extra load is so hard.
>
>
> > although I'm not convinced that's
> > actually primarily relevant to an implementation of a high-strength
> > curve. We will, of course, evaluate performance of contenders in Phase
> > II, future architectures can be more-or-less anything that works well,
> > and performance implications usually aren't anything like so obvious…
> > Aren't Mersennes actually particularly _good_ performance-wise?]
>
> That depends on whether you are looking for a reason to include or
exclude.
>
> At the ~512 level, what I am looking for is a curve that absolutely
> nobody is going to be able to suggest is suspect as being bongoed.
> 2^512 is a round number that needs no explanation. 2^521 isn't.
>
> The Web PKI will almost certainly be based exclusively on the ~512
> level curve. The roots certainly will. So the performance advantage of
> issuing end entity ~256 certs would be very small.
>
> Where I think ~256 keys will be used is for ephemeral mix ins. So I
> exchange a master session key M with the ~512 bit key, use an
> ephemeral ~256 to create a second session key E and then derive my
> encryption and authentication keys using a one way function on M and
> E. That preserves the ~512 work factor for confidentiality and adds a
> ~256 work factor for forward secrecy.
>
>
> So I am willing to be more flexible on ~256 than ~512 because for my
> applications the attacker always has to break the ~512.
>
>
> > I put forth that 2^414-17 and 2^448-2^224-1 might fall outside "wiggle
> > room" there, although I do so very reluctantly as I think it's a shame
> > to exclude them on that basis if they have otherwise nice properties,
> > and they do seem to have very good performance for their strength.
>
> I agree. They are a little faster but we have to give up a lot of
> security to get that speed. Its not 64 bits, its a 2^20 reduction in
> work factor. I want them bits.
>

As Mike Hamburg points out downthread, TLS doesn't work that way.

Furthermore, P384 is in use now. I wish someone would toss it into eBATS,
but I think both Curve 41417 and Goldilocks are faster by something, can't
recall what.

>
> >> 31/10/14 (2 weeks from now): we agree on whatever benchmarking
> >> system we're going to use for performance measurements. (Right now,
> >> supercop seems like the front runner to me.)
>
> I think a significant performance difference is a tie breaker but not
> the best determinant. What I see as being convincing are:
>
> 1) Difficulty of screwing up the implementation (see Watson Ladd's post).

Which has little to nothing to do with curves. See DJB's curves coordinates
and computations email.

>
> 2) Legacy deployment.

See above.
>
>
> Given the way that I think we are likely to use ~256 and given the
> fact that DJB has established a large user base for the curve already.
> I am willing to suggest we just let him win on that one unless there
> is at least a 10%, maybe a 20% speed advantage he missed.
>
> For ~512 I want the Platinum level security, whatever it takes.
>
> _______________________________________________
> Cfrg mailing list
>Cfrg@irtf.org
>http://www.irtf.org/mailman/listinfo/
<http://www.irtf.org/mailman/listinfo/cfrg>cfrg