Re: [Cfrg] Comparing ECC curves
Patrick Longa Pierola <plonga@microsoft.com> Thu, 24 July 2014 15:17 UTC
Return-Path: <plonga@microsoft.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8E091A0451 for <cfrg@ietfa.amsl.com>; Thu, 24 Jul 2014 08:17:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ASuQt-6trGbs for <cfrg@ietfa.amsl.com>; Thu, 24 Jul 2014 08:17:39 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0181.outbound.protection.outlook.com [207.46.163.181]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 393361A04BA for <Cfrg@irtf.org>; Thu, 24 Jul 2014 08:15:09 -0700 (PDT)
Received: from BY2PR03MB474.namprd03.prod.outlook.com (10.141.141.149) by BY2PR03MB476.namprd03.prod.outlook.com (10.141.141.153) with Microsoft SMTP Server (TLS) id 15.0.990.7; Thu, 24 Jul 2014 15:15:07 +0000
Received: from BY2PR03MB474.namprd03.prod.outlook.com ([10.141.141.149]) by BY2PR03MB474.namprd03.prod.outlook.com ([10.141.141.149]) with mapi id 15.00.0990.007; Thu, 24 Jul 2014 15:15:07 +0000
From: Patrick Longa Pierola <plonga@microsoft.com>
To: David Jacobson <dmjacobson@sbcglobal.net>, Phillip Hallam-Baker <phill@hallambaker.com>, "Cfrg@irtf.org" <Cfrg@irtf.org>
Thread-Topic: [Cfrg] Comparing ECC curves
Thread-Index: AQHPpsVlokHtIBVyPkOedmRlQCZAupuurLaAgACcX4CAAAfBEA==
Date: Thu, 24 Jul 2014 15:15:06 +0000
Message-ID: <3bd6bf358e7a42a6ada96f7187656c32@BY2PR03MB474.namprd03.prod.outlook.com>
References: <CAMm+Lwj9EPJ9v92xrkM1ceAbkWYe22fpOOBObUbUJjkk8X0dng@mail.gmail.com> <bf68fd7300e14fb58330b094f4795f30@BY2PR03MB474.namprd03.prod.outlook.com> <53D117AD.8060506@sbcglobal.net>
In-Reply-To: <53D117AD.8060506@sbcglobal.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [50.47.83.223]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:
x-forefront-prvs: 028256169F
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(479174003)(243025005)(377454003)(13464003)(24454002)(189002)(199002)(106116001)(81542001)(50986999)(66066001)(83322001)(79102001)(15975445006)(76176999)(74662001)(86362001)(81342001)(77982001)(15202345003)(80022001)(2656002)(101416001)(105586002)(86612001)(33646002)(99396002)(99286002)(19580395003)(74316001)(46102001)(21056001)(19580405001)(76576001)(83072002)(20776003)(31966008)(85852003)(107046002)(74502001)(92566001)(76482001)(85306003)(107886001)(54356999)(64706001)(87936001)(4396001)(95666004)(106356001)(108616002)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB476; H:BY2PR03MB474.namprd03.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/e_BQ10RGwFzYgTBP6QSj3VEKUVE
Subject: Re: [Cfrg] Comparing ECC curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jul 2014 15:17:41 -0000
-----Original Message----- From: David Jacobson [mailto:dmjacobson@sbcglobal.net] Sent: Thursday, July 24, 2014 7:27 AM To: Patrick Longa Pierola; Phillip Hallam-Baker; Cfrg@irtf.org Subject: Re: [Cfrg] Comparing ECC curves On 7/23/14 11:36 PM, Patrick Longa Pierola wrote: [snip] > An important related point: I haven't seen any result in the > literature demonstrating any meaningful performance advantage when > dropping one bit from 256 to 255 bits, or from 384 to 383, or from 512 > to 511 (case of primes with the form 2^m - c). Our experiments [1] > reveal that one bit less injects less than 4% of performance > improvement. Under this light, we prefer the conservative approach: > keep a traditional 2 x s bitlength, which is multiple of a computer > word of 64 bits (for a bit-security level s = {128,192,256}), maximize > ECDLP security and make the curve generation process as simple and > rigid as possible. This also helps to keep curve design at different > security levels consistent. And, arguably, all this together avoids > some potential errors and ease the work of implementers. At the other > side of the spectrum, I haven't seen any performance advantage of > increasing the prime bitlength beyond 2 x s. It is actually > potentially counterproductive: in [1] we show that increasing the > field representation by one word (which happens when moving from 512 > bits to 521 bits for example) degrades performance by a factor 1.2. In > this case, the performance issues make the conservative approach even > more attractive, taking as a bonus all the benefits mentioned above. > [1] http://eprint.iacr.org/2014/130.pdf [snip] > David Jacobson wrote: > You are addressing performance. But what about the ease of making a constant time implementation? The security value of 256 over 255 or 254 is not much. It is > just that 256 is a nice round number, and might be a checkbox item. If we can accept 255 or 254, it might make constant time implementations easier. Perhaps > people who have done constant time implementations can comment. All our implementations supporting different bitlenghts (255, 256, 383, 384, 511 and 512) are constant-time. They follow the standard approach using the minimal word representation (e.g., 4 words to represent 255 and 256-bit field elements). Another alternative is to use an extended, unsaturated representation (e.g., in the case of 255 and 256-bit one would use 5 words). Although the choice and preference is somehow subjective and depends on a given implementer's preference, ultimately every prime under discussion can be implemented in any of these two methods. So really the difficulty of implementation is not a differentiating factor in this case. Patrick
- [Cfrg] Comparing ECC curves Phillip Hallam-Baker
- Re: [Cfrg] Comparing ECC curves Benjamin Black
- Re: [Cfrg] Comparing ECC curves Michael Hamburg
- Re: [Cfrg] Comparing ECC curves Phillip Hallam-Baker
- Re: [Cfrg] Comparing ECC curves Watson Ladd
- Re: [Cfrg] Comparing ECC curves Phillip Hallam-Baker
- Re: [Cfrg] Comparing ECC curves Watson Ladd
- Re: [Cfrg] Comparing ECC curves Patrick Longa Pierola
- Re: [Cfrg] Comparing ECC curves Phillip Hallam-Baker
- Re: [Cfrg] Comparing ECC curves David Jacobson
- Re: [Cfrg] Comparing ECC curves Phillip Hallam-Baker
- Re: [Cfrg] Comparing ECC curves Patrick Longa Pierola
- Re: [Cfrg] Comparing ECC curves Mike Hamburg
- Re: [Cfrg] Comparing ECC curves Phillip Hallam-Baker
- Re: [Cfrg] Comparing ECC curves Mike Jones
- Re: [Cfrg] Comparing ECC curves Yoav Nir
- Re: [Cfrg] Comparing ECC curves Michael Hamburg