Re: [Cfrg] Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd)

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Fri, 20 February 2015 08:34 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C03E1A7032 for <cfrg@ietfa.amsl.com>; Fri, 20 Feb 2015 00:34:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.501
X-Spam-Level:
X-Spam-Status: No, score=-0.501 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mi4gg8XECXaY for <cfrg@ietfa.amsl.com>; Fri, 20 Feb 2015 00:34:06 -0800 (PST)
Received: from emh03.mail.saunalahti.fi (emh03.mail.saunalahti.fi [62.142.5.109]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F37D1A00D0 for <cfrg@irtf.org>; Fri, 20 Feb 2015 00:34:06 -0800 (PST)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh03.mail.saunalahti.fi (Postfix) with ESMTP id BBD1D1887D7; Fri, 20 Feb 2015 10:34:03 +0200 (EET)
Date: Fri, 20 Feb 2015 10:34:03 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Message-ID: <20150220083403.GA21470@LK-Perkele-VII>
References: <54E46EA4.9010002@isode.com> <CAMm+LwjBHGLzFs9KgDyDee=L+7wf7_iirFo360s7mTsf6RqeDw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAMm+LwjBHGLzFs9KgDyDee=L+7wf7_iirFo360s7mTsf6RqeDw@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/leIV6JW7r2K4zmDN_pyCo36jIlk>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Feb 2015 08:34:09 -0000

On Fri, Feb 20, 2015 at 01:09:56AM -0500, Phillip Hallam-Baker wrote:
> On Wed, Feb 18, 2015 at 5:51 AM, Alexey Melnikov <alexey.melnikov@isode.com>
> wrote:
> 
> > CFRG chairs are starting another poll:
> >
> > Q3: (For people who want CFRG to recommend a curve at 256bit level) Is
> > bandwidth cost of going to p521 worth the speed win over primes closer to
> > 512 bits?
> >
> 
> No, and I rather object to the phrasing.
> 
> The issue has never been the bandwidth of 9 extra bits. Its that it is an
> odd size. Going down a bit from 256 to 255 is much easier than going up a
> step.

Well, cachelines are 512 bits on (semi-)modern Intel CPUs. Breaking that
means a couple more L1 promotions (the calculations itself should produce
very few Data-L1 misses).

However, 2^512-569 in practice _breaks_ 512 bits. The issue is that working
on full 64-bit (or whatever) units in software leads to excessive carry
propagation.

This carry propagation is an issue for threee reasons:
1) Pretty much nothing above assembly has good support for carry
   propagation (pick your favorite compiled language).
2) SIMD vector units often have no carry propagation support
   (smartphones).
3) Carry propagation interacts badly with tricks modern CPUs use for
   fast code execution (Intel CPUs).

Then there is the 569 constant, which due to its size tends to cause
lots of carrying without at least two extra words (M_521 needs none).

AFAIK, the largest prime that properly fits into 8 words of 64 bits
each (512 bits) when doing arithmetic is 480-bits in size
("Ridinghood"). For 16 of 32, it is 450 bits (the second largest is
448 ("Goldilocks")).


On dedicated hardware, one can make all sorts of odd sizes. And
there doesn't seem to be any significant scalability problems
(512x512 parallel multiplier is already too big to be practical).

Mike Hamburg posted a mail about this earlier.


> Speed isn't much of a concern as this is going to be used for the long term
> trust framework and as a backup algorithm.

That's not what I have heard. I have heard actual use being
planned (and that's a major reason I found 256-level curves so
distasteful).


-Ilari