Re: [Cfrg] matching AES security
Phillip Hallam-Baker <phill@hallambaker.com> Fri, 01 August 2014 13:33 UTC
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Alyssa Rowan <akr@akr.io>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/jF5LPhZOJmo7zZxvYqK-_J8Ogoo
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] matching AES security
On Fri, Aug 1, 2014 at 9:03 AM, Alyssa Rowan <akr@akr.io> wrote:

> On 1 August 2014 09:53:50 BST, Alex Elsayed <eternaleye@gmail.com> wrote:
>
>> Matching bit-lengths has value not in the _technicals_, but because it's a Schelling point.
>
> I think recommendations need to be made on solid technical and practical grounds, not fluffy marketing and psychological ones.

Such as?

The problem here is that we don't have solid technical reasons because we don't know the attacker capabilities. In fact we can't ever know that.

Yesterday someone claimed in another forum that 'performance' was an objective factor, as if every algorithm executed as fast (or at least relatively) on each architecture. The likelihood of a split decision with algorithm A faster on Intel and B faster on AMD didn't occur to them.

The needs of marketechture align perfectly with the goal of rigidity. There is absolutely no way that any of the academics can tell us that we need exactly 123 or 129 bits. So we stick to round multiples of 128.

Now Curve25519 is not perfectly rigid, but as I pointed out previously, rigidity is a better argument than performance at the WF256 level and performance is a better argument than rigidity at the WF128 level.

> Users wouldn't typically know Rho work factor is actually lower than they thought at 0.886√ℓ, or might just think the 521-bit curves just typoed 512. Not to mention the eye-roll I know most of us feel when we see "military-grade" crypto marketed (probably with clearly-visible penguins), and the number of times we've all seen people copy-paste SSL configs.

I never used the term because most military crypto has been crap. Weekend before last I was watching Daniel Ellsberg in the Chelsea Manning room talking to Edward Snowden on a video link. None of those names would have been known if the NSA had been remotely competent.

> We need fast, strong cryptosystems. But I don't think specific aesthetics of the bit lengths of those matter outside their security and performance effects, and I don't think it'll have an appreciable effect on adoption either way.

How many customers have you talked to about crypto?

Most people who use crypto will use the crypto that the CA industry tells them to use. And we will pick crypto on the basis of arguments we can explain to our customers. And that is the way it should be.

The choice of Twisted-Montgomery versus Do-Whap Weinerschnitzel is not something we need to explain even exists. But they do understand bit lengths even if they don't understand the implications.

I can make a really solid marketing argument for Curve25519 and I can make a really solid argument for NUMS-512-569. To argue for E521 I have to make the case that 'Dan Bernstein told me he likes it', which is not very convincing to the people who don't know who he is.