[Cfrg] Good and bad curves

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 13 August 2014 12:22 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 756C11A870B for <cfrg@ietfa.amsl.com>; Wed, 13 Aug 2014 05:22:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.422
X-Spam-Level: *
X-Spam-Status: No, score=1.422 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id okrnM0aXGbQH for <cfrg@ietfa.amsl.com>; Wed, 13 Aug 2014 05:22:36 -0700 (PDT)
Received: from mail-lb0-x22f.google.com (mail-lb0-x22f.google.com [IPv6:2a00:1450:4010:c04::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E8101A8715 for <cfrg@irtf.org>; Wed, 13 Aug 2014 05:22:17 -0700 (PDT)
Received: by mail-lb0-f175.google.com with SMTP id 10so8064092lbg.20 for <cfrg@irtf.org>; Wed, 13 Aug 2014 05:22:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=GmBJj7xrqyqLT8VEbySJeulYiVXXRwtLTGTbx/dQOO8=; b=lRazEp62C0CrZYUfHxSXtHDHXFdkbwxyuEz8s9WqKaH9Uz2g4dhEi33kwQEC4GqZ17 jAJHcz2MP2/9M8aPpPXtfyUKrbgtje9HJ9qc/bHSyxWv1hMNkwoInTBLhCfF49fGd/Y3 oWWxzeGbsW24D7vyCJJ2aVGF/pTkVyp7r2FeDaVrrYJHirLkIcpeSiUrW5IPKtwP7WZ8 RVVHjIcCbDHV7QKttYWifEGNdDQMf1RGr5HQvV75vUWn7xyMSoZjoBv3EH2KSh671SBt kNjkuc9LpkLEgODGZMs6WG8XWMYjLN+8a46P5urrWfeBeQrQuKZ3II1CSsA3KWQy5O0l MzNQ==
MIME-Version: 1.0
X-Received: by 10.152.8.166 with SMTP id s6mr4214655laa.85.1407932535612; Wed, 13 Aug 2014 05:22:15 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.122.50 with HTTP; Wed, 13 Aug 2014 05:22:15 -0700 (PDT)
Date: Wed, 13 Aug 2014 08:22:15 -0400
X-Google-Sender-Auth: -TSLeQz408UhMTzDp4GJFzfiQ5M
Message-ID: <CAMm+Lwjg2d+qigTuitnCSAggSWf80B9dLu7NCH-1So9QyXoFrw@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/XPfH2jZRTgsSHLVXIfBRK0ctRWE
Subject: [Cfrg] Good and bad curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Aug 2014 12:22:38 -0000

Certain curves are known to be weaker than other due to attacks that
require the curve meet specific criteria. There are essentially three
ways to address this problem

1) Reject curve choices that are known to be 'weak', i.e. vulnerable
to known attacks.

2) Do 1 and increase the bit length by a safety factor in case the
attack can be extended.

3) Just increase the bit length and do not attempt to reject weak curves.


My preference is for (3) since any attempt to select curves creates an
opening for IPR claims and we are going to need the safety margin
anyway.

The problem we face is not to find the best compromise or speed and
performance as some suggest. None of us know the set of unknown
attacks by definition. Even Fort Meade only knows a subset of unknown
attacks. So none of us is competent to decide on a compromise.


What the known attacks can tell us usefully is how big a safety margin
we need. So if there is an attack against curves formed from
co-factors of warped smooth numbers that reduces the work factor from
x bits to x/2 then we want a safety margin of 2 times the number of
bits regardless. So it would be interesting to see people raise those
attacks.



What this is really about is coming to a defensible choice that can
become the industry consensus. And this gets us to Bruce's observation
that any security signal inevitably gets wound up to one step below
maximum and stays there. Because nobody wants to take responsibility
for lowering the security precautions. [We now have confirmation of
what was suspected at the time, that the DHS scheme only ever went to
yellow when there was a political need to raise it to orange in the
near future],

The industry can't manage a large number of curves. In fact we only
have a need for an orange curve and a red one. Curve 25519 is plenty
fast enough that we don't need to consider alternatives and it is
comfortably secure for use as the orange curve.

We really only need one red curve and the criteria that matters is
defensibility. The 56 bit DES key space was always suspect because it
was such an odd number. 64 bits would have been just as easy, So it
was pretty clear that there was a fix in somewhere. If we go for a 480
bit key we will get similar questions.

If CFRG proposes a 480 bit key and some other group proposes 512 then
the 512 is going to win. Because there is a cost to explaining the
reason 480 bits are 'enough' and there will also be lost sales. And
those matter far more to me than some explanation about a blend of
performance that requires a PhD to fully understand.

The Red curve is going to be 512 bit. I can defend that choice very
easily because it is the largest memory bus size in common use.

Now '512 bit' could mean a prime slightly smaller like 511 or 510
bits. But it can't be suspiciously lower.


There is also a personal career development issue here. I don't think
anyone wants to leave this discussion being known as the guy (or gal)
who persuaded the industry to use the lower security option.