Re: [Cfrg] Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd)

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 23 February 2015 19:33 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/feqAn79LKRVErnhyzgLD4UQgPPA>

On Mon, Feb 23, 2015 at 5:17 AM, Simon Josefsson <simon@josefsson.org>
wrote:

> Alexey Melnikov <alexey.melnikov@isode.com> writes:
>
> > CFRG chairs are starting another poll:
> >
> > Q3: (For people who want CFRG to recommend a curve at 256bit level) Is
> > bandwidth cost of going to p521 worth the speed win over primes closer
> > to 512 bits?
>
> Yes.  In this case, I believe the performance improvement would be
> significant whereas the bandwidth cost is negligible.  I'm assuming
> compressed code points.
>

I don't recall ever seeing a post suggesting bandwidth was the issue.

The actual issues are:

1) Performance (512 takes X% longer than 521)
2) Rigidity, 512 is a round number, 521 isn't
3) Regulation, (apparently Russia has legislation that effectively forces
512 or 511.)

How you weight these issues depends very much on the value of X. So I am
rather surprised that we didn't agree on a figure for X first. We don't
have to have an exact value but we do need values based on code that has
been optimized to the same degree. I have been watching for those numbers
but have not seen them yet.

If the value of X is definitely less than 10% I think there would be no
debate, 10% isn't enough to justify a strange number.

If the value of X is definitely more than 100% then 521 is the clear winner.


Yes, I know there will be error bars on the numbers because the code will
run at different speeds on different platforms. But let's face it, modern
platforms don't actually vary a whole lot.

A 10% difference in speed might be enough to make an objective choice
between Edwards and Montgomery but only experts know the difference between
those.


In short, I want to see the end of this particular thread:

http://www.ietf.org/mail-archive/web/cfrg/current/msg05349.html

At the time the code for E512-569 was actually 15% faster than for E521-1.


If Microsoft care enough about this that they are willing to put in more
cycles optimizing open source code for their favored outcome than
supporters of E521-1, then I say let them have it.