Re: [Cfrg] What constitutes a curve with a 256-bit security level?

David Jacobson <dmjacobson@sbcglobal.net> Thu, 19 February 2015 06:57 UTC

Return-Path: <dmjacobson@sbcglobal.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 940171A8880 for <cfrg@ietfa.amsl.com>; Wed, 18 Feb 2015 22:57:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zFDU8PAGxuZa for <cfrg@ietfa.amsl.com>; Wed, 18 Feb 2015 22:57:39 -0800 (PST)
Received: from nm9-vm7.access.bullet.mail.gq1.yahoo.com (nm9-vm7.access.bullet.mail.gq1.yahoo.com [216.39.63.187]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 964A31A887F for <cfrg@irtf.org>; Wed, 18 Feb 2015 22:57:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net; s=s2048; t=1424329059; bh=nw50nK+00HkLtQLGJLm514q9ZbvE2PVBfQqlgGLWx0Q=; h=Date:From:To:CC:Subject:References:In-Reply-To:From:Subject; b=Yd8hQTuRWg6Ababgf2CXgFJpd1L/PItfnbenvKbjnDdmJiME/90FGhyCN9rMVQKXz1HZeFoy/118cF6P6CKXshRGkzj1OHCHBhcg2Zdbi2fzdVYtXj6vvBULo7Qrk2ml2fjaIea+9PqM8KKA8Y49UOPbTYF4Ph8OrC7kpCEM/uURQfcIeuPQqhT8LjKp1m+VSUP/g7EJoE83dayPsf0AIIZyTM8VfrjkO9auqn1aOAV9VRu99nBiYFp5K29YnRMEdRZiVJQBDJD6f6/eUdojkamcDALAKR7hD5MTBuwrPCLCuyphd2AwRAG1Y63Q+s0zV/xfw2RWzc4yeeMzLf8U2Q==
Received: from [216.39.60.168] by nm9.access.bullet.mail.gq1.yahoo.com with NNFMP; 19 Feb 2015 06:57:39 -0000
Received: from [67.195.23.144] by tm4.access.bullet.mail.gq1.yahoo.com with NNFMP; 19 Feb 2015 06:57:39 -0000
Received: from [127.0.0.1] by smtp116.sbc.mail.gq1.yahoo.com with NNFMP; 19 Feb 2015 06:57:39 -0000
X-Yahoo-Newman-Id: 96542.95618.bm@smtp116.sbc.mail.gq1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: hoJr5HQVM1n1JSJR1EpmpKMcwBX1T63fgcQdzxFagfOUuDL qGdUSo1V6nDbbFBMqz9hOQW2pbcfyxV5KKywmQt6YtnIEO6o_IN1krU6ghxq FF._d0ZdGWQiCGhzLFl.9VfIzJJzw87BG.MCPvj5AaMIDO1bd23BByA8n8cz FJFVUaXzsIgbkrWi1ydMcc1MPz4SAWB_Myn._JiAviB3pnP8sYp9mNKCvkRz m.6_MuKCTUKyGk6fU7x72Gvta3LpsRmXEINrwuzMS.LB40LtgXUhait28dJ_ LBhvdYqnIZNT.SPUicIljh9aDgzbg0aJ5HZQJGn6vRV9PDIljyk3g08USvEd KXBovERNFtvsh04P9ofTUduvln_F8BqAPPheJ_brveqUI5VgfcVQBiORKp9C ClbO84eDITSiBS9Z0tuXwdeuIkGJsSm1X0W2MVkeXwOVycCg1CVLziaou4D7 .pfquyLKQo6By1yxbMkP3uRsJ63ctJ6UkfdAab4tVgQbEzLqEDznDfoL_fCh 0uCymMe8I7c9u6qpvjlqpG64VTyxjYGVBKwwl6aYzQ9GSBbvb1nY-
X-Yahoo-SMTP: nOrmCa6swBAE50FabWnlVFUpgFVJ9Gbi__8U5mpvhtQq7tTV1g--
Message-ID: <54E58961.4050202@sbcglobal.net>
Date: Wed, 18 Feb 2015 22:57:37 -0800
From: David Jacobson <dmjacobson@sbcglobal.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>, Tony Arcieri <bascule@gmail.com>
References: <CAHOTMVJKqMcddZ0DEdgh7gVedFR5TPfZHZaVNVmMMUnvTfpLzA@mail.gmail.com> <E64DFFE5-92AE-40EF-8B9D-BD8DA57F0D31@shiftleft.org> <CAHOTMVKSQHSP_=_VreCbXhdE+jkLBq8qJ9S_hquwQEoofB5c4g@mail.gmail.com> <A5B5FC81-DBA3-4FC1-9DFB-FA3D5AD575BD@shiftleft.org> <CAHOTMVJiOT2+jytVkw626VZUjpbuN76Qgf5J5B61L8uXtAY0-w@mail.gmail.com> <CACsn0cmpntED6T9X+Fh=8OwdcwXPnckeGh3dPJZmvuusdDNazQ@mail.gmail.com>
In-Reply-To: <CACsn0cmpntED6T9X+Fh=8OwdcwXPnckeGh3dPJZmvuusdDNazQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------020606030805000802040105"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/nCbI9TrqzjEwJ_bAxyQL5nCtmAA>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] What constitutes a curve with a 256-bit security level?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Feb 2015 06:57:41 -0000

On 2/18/15 2:45 PM, Watson Ladd wrote:
>
> On Feb 18, 2015 2:39 PM, "Tony Arcieri" <bascule@gmail.com> wrote:
> >
> > On Wed, Feb 18, 2015 at 2:14 PM, Michael Hamburg <mike@shiftleft.org> wrote:
> >>
> >> It may be that you’re thinking SHA512-and-truncate won’t be uniform
> >> enough mod the order of Ridinghood.  But in fact it will, because the
> >> order of Ridinghood is 2^480 - O(2^240), and so the deviation from
> >> uniformity will be O(2^-(240+32)).  The same would not be true for a
> >> prime with a large coefficient like NIST P-256.
> >
> > Okay, my mistake, but that is an issue for E-521, right?
>
> Not really. While the naïve approach of using a single hash function
> output of double length for deterministic signing won't work, hashing
> an incrementing counter with the message and private key, or some
> other variant will.
>
> Sincerely,
> Watson Ladd
>
[snip]

Clarifying question:

Do you mean to be advocating using a KDF like the counter one in NIST SP 
800-108, and specifying an output bit length of the ceiling of log2 of 
the order of the base point?

Or do you mean using a construct similar to that, but if the result is 
>= the curve order, try again with the next counter value, until you 
get a value < the order of the base point?  In this construct all 
possible values < the order of the base point are equally likely.

     --David Jacobson
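The two constructions asked about above, written out as an added example that is not part of this thread or of any of the posters' code. It builds a counter-mode KDF in the shape of NIST SP 800-108 with HMAC-SHA-512 as the PRF (the 32-bit encodings of the counter and output length are this example's own assumption), then derives a scalar either by truncating to ceil(log2 n) bits and reducing mod n, or by rejecting any candidate >= n and moving to the next counter value. `reduction_bias` computes the exact statistical distance from uniform that the reduce-mod-n variant introduces, so the effect of a short versus a much-longer-than-n output can be checked on a toy order; the group order, key and message are constructed values, not a real curve's.

```python
import hashlib
import hmac
from fractions import Fraction

# Constructed inputs (not from the thread): a toy group order small enough to
# reason about exactly, plus a private key and message for the KDF calls.
TOY_ORDER = 1000
SAMPLE_KEY = bytes.fromhex("00" * 31 + "01")
SAMPLE_MSG = b"constructed sample message"


def ceil_log2(n):
    """Smallest L with 2**L >= n, i.e. ceil(log2(n)) for n >= 1."""
    return (n - 1).bit_length()


def kdf_block(key, label, context, counter, out_bits):
    """One SP 800-108 counter-mode block with HMAC-SHA-512 as the PRF:
    PRF(K, [i]_2 || Label || 0x00 || Context || [L]_2).
    32-bit big-endian encodings of i and L are an assumption of this example."""
    data = (counter.to_bytes(4, "big") + label + b"\x00"
            + context + out_bits.to_bytes(4, "big"))
    return hmac.new(key, data, hashlib.sha512).digest()


def kdf_int(key, label, context, out_bits, first_counter=1):
    """Concatenate KDF blocks starting at first_counter, keep the leftmost
    out_bits bits, and return (value, next unused counter value)."""
    buf, i = b"", first_counter
    while len(buf) * 8 < out_bits:
        buf += kdf_block(key, label, context, i, out_bits)
        i += 1
    value = int.from_bytes(buf, "big") >> (len(buf) * 8 - out_bits)
    return value, i


def scalar_by_reduction(key, msg, n):
    """Construction 1: derive ceil(log2 n) bits and reduce mod n.
    Residues below 2**L - n get two preimages, every other residue one,
    so the output is biased."""
    value, _ = kdf_int(key, b"nonce", msg, ceil_log2(n))
    return value % n


def scalar_by_rejection(key, msg, n, max_tries=64):
    """Construction 2: derive ceil(log2 n) bits; if the value is >= n, move
    on to the next counter value and try again. Every candidate is either
    accepted or discarded, never folded, so the output is uniform on [0, n)."""
    L, ctr = ceil_log2(n), 1
    for _ in range(max_tries):
        value, ctr = kdf_int(key, b"nonce", msg, L, ctr)
        if value < n:
            return value
    # each candidate is rejected with probability < 1/2, so this is < 2**-max_tries
    raise RuntimeError("rejection sampling did not terminate")


def reduction_bias(n, out_bits):
    """Exact statistical distance from uniform on [0, n) of
    (uniform out_bits-bit integer) mod n, as a Fraction."""
    total = 1 << out_bits
    r = total % n                      # residues 0..r-1 get one extra preimage
    return Fraction(r * (n - r), n * total)


def rejection_acceptance_rate(n):
    """Probability that one ceil(log2 n)-bit candidate is < n (always > 1/2)."""
    return Fraction(n, 1 << ceil_log2(n))


if __name__ == "__main__":
    print("reduce mod n :", scalar_by_reduction(SAMPLE_KEY, SAMPLE_MSG, TOY_ORDER))
    print("rejection    :", scalar_by_rejection(SAMPLE_KEY, SAMPLE_MSG, TOY_ORDER))
    print("bias, L bits :", float(reduction_bias(TOY_ORDER, ceil_log2(TOY_ORDER))))
    print("bias, L+64   :", float(reduction_bias(TOY_ORDER, ceil_log2(TOY_ORDER) + 64)))
    print("accept rate  :", rejection_acceptance_rate(TOY_ORDER))
```

For the toy order 1000 the first construction's distance from uniform is 183/8000, while drawing 64 extra bits before reducing pushes it below 2^-60; that is the same mechanism behind the remark above that a 512-bit hash reduced mod a 480-bit order deviates only negligibly. The rejection variant costs on average 2^L/n (here 1024/1000) KDF calls per scalar and has zero bias regardless of how close n is to a power of two.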