Re: [Cfrg] Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd)

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Wed, 18 February 2015 12:33 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/dT__HpTpwFqEKvik75ZhYE1m6_E>

On Wed, Feb 18, 2015 at 10:51:16AM +0000, Alexey Melnikov wrote:
> CFRG chairs are starting another poll:
> 
> Q3: (For people who want CFRG to recommend a curve at 256bit level) Is
> bandwidth cost of going to p521 worth the speed win over primes closer to
> 512 bits?

Yes, it is a win.

- The cost is ~3% (~1.5% for some cases). Any application where that
  is a concern sure will not be using 256-level curves. Probably not
  even 128-level curves.
- The small speed penalty for "breaking a stride" is more than
  compensated by the faster arithmetic due to smaller constant.
- 2^512-569 looks quite nasty to implement (large constant causing
  overflows more easily, irregular structure)
- Both primes cause issues with signatures as required hash output
  length exceeds what is commonly available (the ECC signature
  schemes blow up with even the smallest nonuniformity, so you need
  the extra bits).
- 2^521-1 is already very slow (~5-6x slower than 128-level curves,
  which was one of the main reasons I think that 256-level is too
  high), 2^512-569 is even worse.

BTW: In NIST P-x curves, the 256-bit one is the only one that isn't
some nasty-looking trinomial or pentanomial. ECC people really
beeline for nearby Mersennes.


-Ilari
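
The "smaller constant" and "overflows more easily" points can be seen in a big-integer model of folding reduction for the two primes named in the message, reading "constant" as the c in p = 2^k - c. This is an added example, not part of the original message; the function names are made up here, and it models the arithmetic only (no limb representation, not constant-time).

```python
# Added illustration (not from the original message): reduction modulo a
# pseudo-Mersenne prime p = 2^k - c, using the identity 2^k ≡ c (mod p).
import random

P521 = (521, 1)    # 2^521 - 1
P512 = (512, 569)  # 2^512 - 569

def fold_once(x, k, c):
    """One folding step: x = hi*2^k + lo -> hi*c + lo (same residue mod p)."""
    return (x >> k) * c + (x & ((1 << k) - 1))

def reduce_fold(x, k, c):
    """Fully reduce x modulo 2^k - c; returns (residue, number_of_folds)."""
    p = (1 << k) - c
    folds = 0
    while x >> k:          # strictly decreasing: x shrinks by hi*(2^k - c)
        x = fold_once(x, k, c)
        folds += 1
    if x >= p:             # x < 2^k here, so one subtraction is enough
        x -= p
    return x, folds

def excess_bits_after_first_fold(k, c):
    """Bits above k left after one fold of the worst-case product (p-1)^2.

    With c = 1 the fold is a plain addition (one carry bit). With c = 569
    the high half is scaled by a 10-bit constant, so the intermediate needs
    about 10 bits of headroom before the next fold.
    """
    p = (1 << k) - c
    return fold_once((p - 1) ** 2, k, c).bit_length() - k

def check_against_mod(k, c, trials=200, seed=1):
    """Compare folding with Python's % on constructed random products."""
    rng = random.Random(seed)
    p = (1 << k) - c
    for _ in range(trials):
        a, b = rng.randrange(p), rng.randrange(p)
        if reduce_fold(a * b, k, c)[0] != (a * b) % p:
            return False
    return True

if __name__ == "__main__":
    for name, (k, c) in (("2^521-1", P521), ("2^512-569", P512)):
        print(name, "| matches %:", check_against_mod(k, c),
              "| excess bits after first fold:",
              excess_bits_after_first_fold(k, c))
```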