Re: [Cfrg] Elliptic Curves - poll on security levels (ends on February 17th)

Alyssa Rowan <akr@akr.io> Tue, 10 February 2015 18:35 UTC

On 10/02/2015 10:52, Alexey Melnikov wrote:

> Q1: Should CFRG recommend a curve at the 192-bit security level?
> Q2: Should CFRG recommend a curve at the 256-bit security level?

Tricky. I think I'd rank my preferences from top to bottom:

    [≈128] ≫ [≈128,≈192] > [≈128,≈256] ⋙ [≈128,≈192,≈256]

So [No, No] ideally; followed by [Yes, No], followed by [No, Yes],
followed by "oh, god no".

Explaining my thoughts here:
 • I absolutely do not want to delay the ≈WF128 curve.
 • Is a jumbo ρ truly security-relevant in practice? Is it worth it?
   - No, I think, probably not.
   - It's certainly not the biggest threat/easiest real-world attack!
 • I'd generally prefer to specify as few curves as possible.
 • If we have to specify 2 curves, I would prefer the faster 2.
    - If we specify a larger curve:
       * CAs will use it for their roots¹
       * Everyone will have to verify the sigs on intermediates
       * That _might_ be too costly for mobile/constrained devices?
 • If we specify 3 curves, we'll only actually _use_ 2. (See AES-192.)

I do appreciate the sentiment in wanting to narrow issues down, but if
we want two curves, I am not sure we can usefully distinguish (or
agree) which would be more preferable without considering the actual
primes: as we actually have a whole spectrum of candidates from ≈192
to ≈260ish with no single clear-cut best-fit.

We had enough trouble deciding on ≈128 when we did have one
outstanding candidate! So, I'm perfectly happy using that one.

___
[1] CAs (critically important to the upstream WG asking for this work)
currently use secp384r1, a ≈WF192 curve, for their roots - largely
because NSA Suite B had that and secp256r1, and for competitive parity.

They are likely to use the strongest one we specify for new roots, but
don't seem to have any actual problems with any of the curves under
discussion.

See the on-list conversation I had with Rob from COMODO from October:
<https://www.ietf.org/mail-archive/web/cfrg/current/msg05294.html>
<https://www.ietf.org/mail-archive/web/cfrg/current/msg05328.html>
<https://www.ietf.org/mail-archive/web/cfrg/current/msg05329.html>
<https://www.ietf.org/mail-archive/web/cfrg/current/msg05354.html>

-- 
/akr