Re: [Cfrg] Requirements for curve candidate evaluation update
Phillip Hallam-Baker <phill@hallambaker.com> Fri, 15 August 2014 05:27 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7037D1A8A18 for <cfrg@ietfa.amsl.com>; Thu, 14 Aug 2014 22:27:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.022
X-Spam-Level: *
X-Spam-Status: No, score=1.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MANGLED_MEN=2.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MmKyna6aJZgE for <cfrg@ietfa.amsl.com>; Thu, 14 Aug 2014 22:27:26 -0700 (PDT)
Received: from mail-la0-x22a.google.com (mail-la0-x22a.google.com [IPv6:2a00:1450:4010:c03::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D3101A8A17 for <cfrg@ietf.org>; Thu, 14 Aug 2014 22:27:25 -0700 (PDT)
Received: by mail-la0-f42.google.com with SMTP id pv20so1962359lab.1 for <cfrg@ietf.org>; Thu, 14 Aug 2014 22:27:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=eyrvUgQZAAbngBVZv8Gd51OMzNEyTJfOvXfK2945Q98=; b=rfmUuHyhxROKudA/yhA9nGSHa0iAko6FvkBjgH49PoyM5bAFEaXxMzGaM1aYdnkVu6 uXb9e/9m4mrlHZlRz37PPfI8DdF8KnAwTul1ToY2rfUi8Sx3/B9fIn7TuuQqmO8ik0kB zSicamo8h7YDU5A1DqmmIBglNdy8KTCNMU2pU77FlaD2sTiB3eqKSTk3V9kDBlU2uEuD 4Y3saiEJGHo2umKm1biRLrBTX9Qe1Fqd8Np3fHSOF30dEOLFSmeCwHOHY1egFngbxeeU G+cId5OMyBc/ZyW++YeqUce5Q2YqIgIQ0E8izJslG9BmZ4vR7FNcYPa7koZXTGgTBPwk +vjg==
MIME-Version: 1.0
X-Received: by 10.112.167.170 with SMTP id zp10mr9301593lbb.2.1408080444310; Thu, 14 Aug 2014 22:27:24 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.122.50 with HTTP; Thu, 14 Aug 2014 22:27:24 -0700 (PDT)
In-Reply-To: <20140815023150.GV28679@cph.win.tue.nl>
References: <CA+Vbu7wuAcmtAKJYEgAaSBTf6sj8pRfYpJhz2qV_ER=33mrk8Q@mail.gmail.com> <20140815023150.GV28679@cph.win.tue.nl>
Date: Fri, 15 Aug 2014 01:27:24 -0400
X-Google-Sender-Auth: dI_Y2WurvGTrsUfmSyw97IZHrag
Message-ID: <CAMm+LwgY=Te5M8-Rxj3eiwXHK17-UXJwi=NOQ2EXC+S66stmtQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Tanja Lange <tanja@hyperelliptic.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/fLGMW9f8-WApKWyUH9qFc3nxJhw
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Requirements for curve candidate evaluation update
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Aug 2014 05:27:27 -0000
On Thu, Aug 14, 2014 at 10:31 PM, Tanja Lange <tanja@hyperelliptic.org> wrote: >> 4. The security levels are 128, 192, and 256 bits and each curve will only >> be evaluated at one of those levels. >> > You Keep Using That Word, I Do Not Think It Means What You Think It Means. > > Seriously, define for me n-bit security level. Well its easy enough to define work factor according to best known attack. Only we need some security margin and we probably need to round up so that we can defend the choice to folk who are not experts without getting into citing specific papers. So if the work factor isn't a 1:1 exponent of the key size or very close, one way is we round up to the next integer. AES-128 has a work factor of 2^128 AES-256 has a work factor of 2^256 A 128 bit modulus curve does not have a 128 bit work factor, its less. but it is greater than 64 bits which is 128/2. Now obviously the case can be made that a 448 bit modulus gives a work factor greater than 2^256. But it requires a PhD to understand it. And that is not a case I want to have to make to lay-people who think everyone secretly works for the NSA.
- [Cfrg] Requirements for curve candidate evaluatio… Benjamin Black
- Re: [Cfrg] Requirements for curve candidate evalu… Salz, Rich
- Re: [Cfrg] Requirements for curve candidate evalu… Watson Ladd
- Re: [Cfrg] Requirements for curve candidate evalu… William Whyte
- Re: [Cfrg] Requirements for curve candidate evalu… Mike Hamburg
- Re: [Cfrg] Requirements for curve candidate evalu… Benjamin Black
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker
- Re: [Cfrg] Requirements for curve candidate evalu… David Jacobson
- Re: [Cfrg] Requirements for curve candidate evalu… Salz, Rich
- Re: [Cfrg] Requirements for curve candidate evalu… Salz, Rich
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker
- Re: [Cfrg] Requirements for curve candidate evalu… Benjamin Black
- Re: [Cfrg] Requirements for curve candidate evalu… Benjamin Black
- Re: [Cfrg] Requirements for curve candidate evalu… Alyssa Rowan
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker
- Re: [Cfrg] Requirements for curve candidate evalu… Alyssa Rowan
- Re: [Cfrg] Requirements for curve candidate evalu… Watson Ladd
- Re: [Cfrg] Requirements for curve candidate evalu… D. J. Bernstein
- Re: [Cfrg] Requirements for curve candidate evalu… Tanja Lange
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker