Re: [Cfrg] Requirements for curve candidate evaluation update

Phillip Hallam-Baker <> Fri, 15 August 2014 05:27 UTC

On Thu, Aug 14, 2014 at 10:31 PM, Tanja Lange <> wrote:
>>    4. The security levels are 128, 192, and 256 bits and each curve will only
>>    be evaluated at one of those levels.
> You Keep Using That Word, I Do Not Think It Means What You Think It Means.
> Seriously, define for me n-bit security level.

Well, it's easy enough to define work factor according to best known attack.

Only we need some security margin and we probably need to round up so
that we can defend the choice to folk who are not experts without
getting into citing specific papers.

So if the work factor isn't a 1:1 exponent of the key size or very
close, one way is we round up to the next integer.

AES-128 has a work factor of 2^128
AES-256 has a work factor of 2^256

A 128 bit modulus curve does not have a 128 bit work factor, it's less.
But it is greater than 64 bits, which is 128/2.

Now obviously the case can be made that a 448 bit modulus gives a work
factor greater than 2^256. But it requires a PhD to understand it. And
that is not a case I want to have to make to lay-people who think
everyone secretly works for the NSA.