Re: [Cfrg] revised requirements for new curves

"D. J. Bernstein" <> Mon, 08 September 2014 18:37 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 8F5BE1A02BC for <>; Mon, 8 Sep 2014 11:37:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.101
X-Spam-Status: No, score=0.101 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_LOW=-0.7, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id h_ROu6CDvIYy for <>; Mon, 8 Sep 2014 11:36:59 -0700 (PDT)
Received: from ( []) by (Postfix) with SMTP id 818F31A0277 for <>; Mon, 8 Sep 2014 11:36:59 -0700 (PDT)
Received: (qmail 24148 invoked by uid 1011); 8 Sep 2014 18:36:56 -0000
Received: from unknown (unknown) by unknown with QMTP; 8 Sep 2014 18:36:56 -0000
Received: (qmail 18194 invoked by uid 1001); 8 Sep 2014 18:36:35 -0000
Date: Mon, 08 Sep 2014 18:36:35 -0000
Message-ID: <>
From: "D. J. Bernstein" <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Subject: Re: [Cfrg] revised requirements for new curves
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Sep 2014 18:37:01 -0000

I have two clarification questions regarding SE6:

> SE6. Required: the selected curves should provide levels of security
> that match to a good approximation 128-bit, 192-bit and 256-bit
> security levels, as these levels are currently commonly understood in
> the wider security community. [NC]

Background for question 1: E-521 was proposed by three teams
independently. It appears to be faster on typical platforms than
Microsoft's 2^512-569, despite the higher security level. It's also
supported by various arguments from other people, such as "a lot of
effort has gone into optimization of modular reduction for the NIST
primes". E-521 reuses the NIST P-521 prime, the only NIST prime that's
immune to Adam Langley's "What a difference a prime makes" critique.

Question 1: Does SE6 formally exclude E-521 as being above the "commonly
understood" 256-bit security level?

Background for question 2: There are also proposals for faster 414-bit
and 448-bit curves. This intermediate range is backed by a variety of
arguments from a variety of people: e.g., clear improvements over the
larger option in Suite B (NIST P-384 with AES-256); deployment by Silent
Circle; and the argument "What benefit do you derive from including a
stronger algorithm in a chain made of weaker algorithms?" combined with
undisputed evaluations of the AES-256 security level.

Question 2: Does SE6 formally exclude Curve41417 etc. as being above the
"commonly understood" 192-bit security level but below the "commonly
understood" 256-bit security level?