Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 25 February 2015 15:28 UTC

On Wed, Feb 25, 2015 at 9:27 AM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:

> CFRG chairs are starting another poll:
>
> Q3: This is a Quaker poll (please answer one of "preferred", "acceptable"
> or "no") for each curve specified below:
>
> 1) 448 (Goldilocks)
> 2) 480
> 3) 521
> 4) other curve (please name another curve that you "prefer" or "accept",
> or state "no")
>
> If you stated your curve preferences in the poll that ended on February
> 23rd (see the attachment), you don't need to reply to this poll, your
> opinion is already recorded. But please double check what chairs recorded
> (see the attachment).
>
> If you changed your mind or only answered the question about performance
> versus memory usage for curves 512 and 521, feel free to reply.

521 Preferred
480 OK-ish
448 Not acceptable

My problem with 521 versus 512 is the oddness factor.

What I want to be able to do is to be able to carry the argument that the IETF has specified the best performance curve and the best security curve. I don't want to have 20+2 curves as a result of this process, I want 2 curves and use them for absolutely everything without exception.

One of the reasons RSA is so dominant is that as far as developers are concerned, RSA is RSA. You don't need to have an expert to pick between two dozen different flavors.

One piece of data I had not been aware of is that NIST actually proposed some 521 curves back in the day though not in suite B. While not endorsing their specific curves, it does provide a data point and an argument against 'oddness'.

Let us imagine that you are deciding between the IETF curve and the NIST 521 curve.

If the IETF curve is 521, then we win against the NIST curve on performance.

If the IETF curve is 512, the NIST curve has 16 times the work factor so it is a little stronger. So we would be arguing higher performance against their random prime curve. It is a colorable argument but more folk know who NIST are than IETF. We can only really win the argument if NIST agrees to let us. And that would take them a year or more.

If the IETF curve is 480 then we are much less secure. We are giving up 2^30 worth of work factor, a billion times. Now even though we are talking a billion, billion, billion, billion, billion, billion, billion, billion, versus a billion, billion, billion, billion, billion, billion, billion, billion, billion, we are still talking about a factor of a billion.

If the IETF curve is 448 then we are giving up a billion billion times the work factor.

My desired outcomes here are

1) NIST recommends our new curves
2) NIST recommends our new curves as preferred

If we go for 512 then we might get 2 but it is a somewhat harder sell. I can't see us winning that argument for Riding Hood (480) or Goldilocks (448).

