Re: [Cfrg] Elliptic Curves - poll on security levels (ends on February 17th)
Alyssa Rowan <akr@akr.io> Tue, 10 February 2015 18:35 UTC
Return-Path: <akr@akr.io>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 480BF1A1B7B for <cfrg@ietfa.amsl.com>; Tue, 10 Feb 2015 10:35:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.798
X-Spam-Level:
X-Spam-Status: No, score=0.798 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3UreqfmD3ZEi for <cfrg@ietfa.amsl.com>; Tue, 10 Feb 2015 10:35:19 -0800 (PST)
Received: from entima.net (entima.net [78.129.143.175]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 879AB1A049C for <cfrg@irtf.org>; Tue, 10 Feb 2015 10:35:19 -0800 (PST)
Message-ID: <54DA4F61.204@akr.io>
Date: Tue, 10 Feb 2015 18:35:13 +0000
From: Alyssa Rowan <akr@akr.io>
MIME-Version: 1.0
To: "cfrg@irtf.org" <cfrg@irtf.org>
References: <54D9E2E3.4080402@isode.com>
In-Reply-To: <54D9E2E3.4080402@isode.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/VgsaY4rBmnnx9UMnKmospqjDiDQ>
Subject: Re: [Cfrg] Elliptic Curves - poll on security levels (ends on February 17th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Feb 2015 18:35:22 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 10/02/2015 10:52, Alexey Melnikov wrote: > Q1: Should CFRG recommend a curve at the 192-bit security level? > Q2: Should CFRG recommend a curve at the 256-bit security level? Tricky. I think I'd rank my preferences from top to bottom: [≈128] ≫ [≈128,≈192] > [≈128,≈256] ⋙ [≈128,≈192,≈256] So [No, No] ideally; followed by [Yes, No], followed by [No, Yes], followed by "oh, god no". Explaining my thoughts here: • I absolutely do not want to delay the ≈WF128 curve. • Is a jumbo ρ truly security-relevant in practice? Is it worth it? - No, I think, probably not. - It's certainly not the biggest threat/easiest real-world attack! • I'd generally prefer to specify as few curves as possible. • If we have to specify 2 curves, I would prefer the faster 2. - If we specify a larger curve: * CAs will use it for their roots¹ * Everyone will have to verify the sigs on intermediates * That _might_ be too costly for mobile/constrained devices? • If we specify 3 curves, we'll only actually _use_ 2. (See AES-192.) I do appreciate the sentiment in wanting to narrow issues down, but if we want two curves, I am not sure we can usefully distinguish (or agree) which would be more preferable without considering the actual primes: as we actually have a whole spectrum of candidates from ≈192 to ≈260ish with no single clear-cut best-fit. We had enough trouble deciding on ≈128 when we did have one outstanding candidate! So, I'm perfectly happy using that one. ___ [1] CAs (critically important to the upstream WG asking for this work) currently use secp384r1, a ≈WF192 curve, for their roots - largely because NSA Suite B had that and secp256r1, and for competitive parity. They are likely to use the strongest one we specify for new roots, but don't seem to have any actual problems with any of the curves under discussion. See the on-list conversation I had with Rob from COMODO from October: <https://www.ietf.org/mail-archive/web/cfrg/current/msg05294.html> <https://www.ietf.org/mail-archive/web/cfrg/current/msg05328.html> <https://www.ietf.org/mail-archive/web/cfrg/current/msg05329.html> <https://www.ietf.org/mail-archive/web/cfrg/current/msg05354.html> - -- /akr -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJU2k9hAAoJEOyEjtkWi2t67NYQAJdvFImIEIi6bEe4rMVxg18h HzhhGOy8YtPHyoqL+WYIkg7htzMnV0019ZCteh0+tTEnTwGgCvzt+xEjsuq+lmSs IfKz+0u1XsRSl8IxtaRT3mJCF+HGTpzb1eSeLObLKPqf31EJejTa4+O/ulxsidsS 1JdN6/JDZ8+RHagJ04TP6zYItORbTPfXTOswMrPRen5UGrr3UgM6AJGP/a2rW0+n OuMRr32e0lrJfl7UYKKBZ+oQluKC5eJaEYcGRmcFSLHS7Tym2ukmY71+GI20v6It QKynbnQlsPu8uNA0uDjEPmdjQBSP2tCFgJX0UUI6ICfedKLXZ5/m60DyjrwE0qx2 RKvYDAOOo+WZs9UuAj+pzRLG7Q2nsBoI9Rf8jly0A1iPhRmovgY/F59UgLxvFIuJ 5S+6pLNHsBBfQaTPcq9N4Bthp2mWh1GvZ94wVrxIP3kPWavfSTpTHg38rMLTA5GS EnbKwd9xPr3oQhqLSJpNS2dIwKzoeXehLtzgbAI/uBNZ/SuJH5clWHEMMm7Jv0bU KxSH6N37UaVcq1iE3bA5qVoHxSTFs/VKiyr3LSB1g9MF800GyFpxFOW5T5AizQ7P ZdkGefGOjUmua5wvAWslJQwXhq9WsyZn904TsT+Xl6ZFi7CPMbSifr04JPqI3U1Z j20knPn2k9S+74JwbHoc =LSX9 -----END PGP SIGNATURE-----
- [Cfrg] Elliptic Curves - poll on security levels … Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - poll on security lev… Torsten Schütze
- Re: [Cfrg] Elliptic Curves - poll on security lev… Dan Brown
- Re: [Cfrg] Elliptic Curves - poll on security lev… Nguyen Dr., Kim
- Re: [Cfrg] Elliptic Curves - poll on security lev… Stanislav V. Smyshlyaev
- Re: [Cfrg] Elliptic Curves - poll on security lev… Watson Ladd
- Re: [Cfrg] Elliptic Curves - poll on security lev… Aaron Zauner
- Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - poll on security lev… Christoph Anton Mitterer
- Re: [Cfrg] Elliptic Curves - poll on security lev… Dan Brown
- Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - poll on security lev… Paul Hoffman
- Re: [Cfrg] Elliptic Curves - poll on security lev… Adam Langley
- Re: [Cfrg] Elliptic Curves - poll on security lev… Yoav Nir
- Re: [Cfrg] Elliptic Curves - poll on security lev… Stephen Farrell
- Re: [Cfrg] Elliptic Curves - poll on security lev… Salz, Rich
- Re: [Cfrg] Elliptic Curves - poll on security lev… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - poll on security lev… Daniel Kahn Gillmor
- Re: [Cfrg] Elliptic Curves - poll on security lev… Mike Hamburg
- Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - poll on security lev… Yoav Nir
- Re: [Cfrg] Elliptic Curves - poll on security lev… Kurt Roeckx
- Re: [Cfrg] Elliptic Curves - poll on security lev… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - poll on security lev… Mike Hamburg
- Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - poll on security lev… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - poll on security lev… Станислав Смышляев
- Re: [Cfrg] Elliptic Curves - poll on security lev… Andy Lutomirski
- Re: [Cfrg] Elliptic Curves - poll on security lev… James Cloos
- Re: [Cfrg] Elliptic Curves - poll on security lev… Yoav Nir
- Re: [Cfrg] Elliptic Curves - poll on security lev… Damien Miller
- Re: [Cfrg] Elliptic Curves - poll on security lev… James Cloos
- Re: [Cfrg] Elliptic Curves - poll on security lev… Mike Jones
- Re: [Cfrg] Elliptic Curves - poll on security lev… Benjamin Beurdouche
- Re: [Cfrg] Elliptic Curves - poll on security lev… Daniel Kahn Gillmor
- Re: [Cfrg] Elliptic Curves - poll on security lev… David Leon Gil
- Re: [Cfrg] Elliptic Curves - poll on security lev… Dan Harkins
- Re: [Cfrg] Elliptic Curves - poll on security lev… Olafur Gudmundsson
- Re: [Cfrg] Elliptic Curves - poll on security lev… Bindhunadhava
- Re: [Cfrg] Elliptic Curves - poll on security lev… Aaron Zauner
- Re: [Cfrg] Elliptic Curves - poll on security lev… Stanislav V. Smyshlyaev
- Re: [Cfrg] Elliptic Curves - poll on security lev… Manger, James
- Re: [Cfrg] Elliptic Curves - poll on security lev… Russ Housley
- Re: [Cfrg] Elliptic Curves - poll on security lev… Russ Housley
- Re: [Cfrg] Elliptic Curves - poll on security lev… Brian Smith
- Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - poll on security lev… Paterson, Kenny
- Re: [Cfrg] Elliptic Curves - poll on security lev… Paterson, Kenny
- Re: [Cfrg] Elliptic Curves - poll on security lev… Yoav Nir
- Re: [Cfrg] Elliptic Curves - poll on security lev… Daniel Kahn Gillmor
- Re: [Cfrg] Elliptic Curves - poll on security lev… Stanislav V. Smyshlyaev
- Re: [Cfrg] Elliptic Curves - poll on security lev… Watson Ladd
- Re: [Cfrg] Elliptic Curves - poll on security lev… Dan Brown
- Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - poll on security lev… Eric Rescorla
- Re: [Cfrg] Elliptic Curves - poll on security lev… Annie Yousar
- Re: [Cfrg] Elliptic Curves - poll on security lev… Russ Housley
- Re: [Cfrg] Elliptic Curves - poll on security lev… Andrey Jivsov
- [Cfrg] Why I think 256-level is a bad idea [Was: … Ilari Liusvaara
- Re: [Cfrg] Why I think 256-level is a bad idea [W… Adam Langley
- Re: [Cfrg] Elliptic Curves - poll on security lev… Michael Scott
- Re: [Cfrg] Elliptic Curves - poll on security lev… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - poll on security lev… _MiW
- Re: [Cfrg] Elliptic Curves - poll on security lev… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - poll on security lev… Olafur Gudmundsson
- Re: [Cfrg] Elliptic Curves - poll on security lev… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - poll on security lev… Brian Smith
- Re: [Cfrg] Elliptic Curves - poll on security lev… Paterson, Kenny
- Re: [Cfrg] Elliptic Curves - poll on security lev… Joseph Salowey
- Re: [Cfrg] Elliptic Curves - poll on security lev… Watson Ladd
- Re: [Cfrg] Elliptic Curves - poll on security lev… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - poll on security lev… Kurt Roeckx
- Re: [Cfrg] Elliptic Curves - poll on security lev… Nex6|Bill