Re: [Cfrg] revised requirements for new curves
"D. J. Bernstein" <djb@cr.yp.to> Mon, 08 September 2014 18:37 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F5BE1A02BC for <cfrg@ietfa.amsl.com>; Mon, 8 Sep 2014 11:37:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.101
X-Spam-Level:
X-Spam-Status: No, score=0.101 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_LOW=-0.7, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h_ROu6CDvIYy for <cfrg@ietfa.amsl.com>; Mon, 8 Sep 2014 11:36:59 -0700 (PDT)
Received: from mace.cs.uic.edu (mace.cs.uic.edu [131.193.32.224]) by ietfa.amsl.com (Postfix) with SMTP id 818F31A0277 for <cfrg@irtf.org>; Mon, 8 Sep 2014 11:36:59 -0700 (PDT)
Received: (qmail 24148 invoked by uid 1011); 8 Sep 2014 18:36:56 -0000
Received: from unknown (unknown) by unknown with QMTP; 8 Sep 2014 18:36:56 -0000
Received: (qmail 18194 invoked by uid 1001); 8 Sep 2014 18:36:35 -0000
Date: Mon, 08 Sep 2014 18:36:35 -0000
Message-ID: <20140908183635.18192.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <D0333B6F.2C8CF%kenny.paterson@rhul.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/nqvSObXZvyc7-xWjD17ofP_R66Q
Subject: Re: [Cfrg] revised requirements for new curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Sep 2014 18:37:01 -0000
I have two clarification questions regarding SE6: > SE6. Required: the selected curves should provide levels of security > that match to a good approximation 128-bit, 192-bit and 256-bit > security levels, as these levels are currently commonly understood in > the wider security community. [NC] Background for question 1: E-521 was proposed by three teams independently. It appears to be faster on typical platforms than Microsoft's 2^512-569, despite the higher security level. It's also supported by various arguments from other people, such as "a lot of effort has gone into optimization of modular reduction for the NIST primes". E-521 reuses the NIST P-521 prime, the only NIST prime that's immune to Adam Langley's "What a difference a prime makes" critique. Question 1: Does SE6 formally exclude E-521 as being above the "commonly understood" 256-bit security level? Background for question 2: There are also proposals for faster 414-bit and 448-bit curves. This intermediate range is backed by a variety of arguments from a variety of people: e.g., clear improvements over the larger option in Suite B (NIST P-384 with AES-256); deployment by Silent Circle; and the argument "What benefit do you derive from including a stronger algorithm in a chain made of weaker algorithms?" combined with undisputed evaluations of the AES-256 security level. Question 2: Does SE6 formally exclude Curve41417 etc. as being above the "commonly understood" 192-bit security level but below the "commonly understood" 256-bit security level? ---Dan
- Re: [Cfrg] revised requirements for new curves Paterson, Kenny
- Re: [Cfrg] revised requirements for new curves William Whyte
- Re: [Cfrg] revised requirements for new curves Manuel Pégourié-Gonnard
- Re: [Cfrg] revised requirements for new curves Phillip Hallam-Baker
- Re: [Cfrg] revised requirements for new curves Stephen Farrell
- Re: [Cfrg] revised requirements for new curves Paterson, Kenny
- Re: [Cfrg] revised requirements for new curves Paterson, Kenny
- Re: [Cfrg] revised requirements for new curves Watson Ladd
- Re: [Cfrg] revised requirements for new curves Paterson, Kenny
- Re: [Cfrg] revised requirements for new curves David Jacobson
- Re: [Cfrg] revised requirements for new curves Manuel Pégourié-Gonnard
- Re: [Cfrg] revised requirements for new curves D. J. Bernstein
- Re: [Cfrg] revised requirements for new curves Michael Hamburg
- Re: [Cfrg] revised requirements for new curves Paterson, Kenny
- Re: [Cfrg] revised requirements for new curves Adam Langley
- Re: [Cfrg] revised requirements for new curves Paterson, Kenny
- Re: [Cfrg] revised requirements for new curves Adam Langley
- Re: [Cfrg] revised requirements for new curves Damien Miller
- Re: [Cfrg] revised requirements for new curves Damien Miller
- Re: [Cfrg] revised requirements for new curves Torsten Schuetze
- Re: [Cfrg] revised requirements for new curves Eric Rescorla
- Re: [Cfrg] revised requirements for new curves Markulf Kohlweiss
- Re: [Cfrg] revised requirements for new curves Phillip Hallam-Baker
- Re: [Cfrg] revised requirements for new curves Alyssa Rowan
- Re: [Cfrg] revised requirements for new curves Michael Hamburg
- Re: [Cfrg] revised requirements for new curves Phillip Hallam-Baker
- Re: [Cfrg] revised requirements for new curves Michael Hamburg
- Re: [Cfrg] revised requirements for new curves Andrey Jivsov
- Re: [Cfrg] revised requirements for new curves Andrey Jivsov