[Cfrg] Elliptic curve evaluation truths

"Parkinson, Sean" <sean.parkinson@rsa.com> Tue, 25 November 2014 07:56 UTC

Return-Path: <sean.parkinson@rsa.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id B2C0F1A002C for <cfrg@ietfa.amsl.com>; Mon, 24 Nov 2014 23:56:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.401
X-Spam-Status: No, score=-2.401 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id il1uxeVALhIv for <cfrg@ietfa.amsl.com>; Mon, 24 Nov 2014 23:56:27 -0800 (PST)
Received: from mailuogwdur.emc.com (mailuogwdur.emc.com []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 421C61A0025 for <cfrg@irtf.org>; Mon, 24 Nov 2014 23:56:27 -0800 (PST)
Received: from maildlpprd56.lss.emc.com (maildlpprd56.lss.emc.com []) by mailuogwprd54.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id sAP7uPkg008082 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <cfrg@irtf.org>; Tue, 25 Nov 2014 02:56:25 -0500
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd54.lss.emc.com sAP7uPkg008082
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=rsa.com; s=jan2013; t=1416902185; bh=YbrJMMKzUA7KFV0TCwZM77//fnU=; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; b=wqRG9TkQ0TuNamVOjRaonjRiTcW1VZT1kgD8Io/R20i+05ZAUZ+zKl0qcVencfRyq FGQ2LGOKNlXtLizomr4yA0oPnvg8KUX5YSSrkaxjGn/wvYjlbMQ+qTdwHjMKRskKki TKbIh/FI7M4MSlWyNnZC6XaXrSS3753blKrztkPo=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd54.lss.emc.com sAP7uPkg008082
Received: from mailusrhubprd03.lss.emc.com (mailusrhubprd03.lss.emc.com []) by maildlpprd56.lss.emc.com (RSA Interceptor) for <cfrg@irtf.org>; Tue, 25 Nov 2014 02:55:43 -0500
Received: from mxhub25.corp.emc.com (mxhub25.corp.emc.com []) by mailusrhubprd03.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id sAP7u9NI013539 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <cfrg@irtf.org>; Tue, 25 Nov 2014 02:56:09 -0500
Received: from mx17a.corp.emc.com ([]) by mxhub25.corp.emc.com ([]) with mapi; Tue, 25 Nov 2014 02:56:09 -0500
From: "Parkinson, Sean" <sean.parkinson@rsa.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Tue, 25 Nov 2014 02:56:06 -0500
Thread-Topic: Elliptic curve evaluation truths
Thread-Index: AdAIhUScn/JQkG3QSJOURMsxShDNUw==
Message-ID: <2FBC676C3BBFBB4AA82945763B361DE60BF9B858@MX17A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_2FBC676C3BBFBB4AA82945763B361DE60BF9B858MX17Acorpemccom_"
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd03.lss.emc.com
X-RSA-Classifications: public
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/oYTLav5IDMEBHWcmtUXZOqIZjRU
Subject: [Cfrg] Elliptic curve evaluation truths
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Nov 2014 07:56:29 -0000

In hopes of reaching consensus, I thought I might start a list of known truths.
Please don't just argue against each point but instead look to refine the statements where possible.

1.       Only curves over prime fields are being considered.

2.       Good, efficient implementations of Twisted Edwards curves will faster than good, efficient implementations of short Weierstrass with the same prime.

3.       Good, efficient Montgomery curve implementations are simpler than good, efficient Twisted Edwards and short Weierstrass curve implementations.

4.       Montgomery curves cannot be used for signing/verification operations.

5.       Small co-factor curves are no weaker, in terms of small subgroup attacks, than co-factor 1 curves.

6.       Twisted Edwards and short Weierstrass but not Montgomery curves support pools of points for ephemeral DH.

7.       NIST curves are going to be in use for some time.

8.       One curve at about WF-128 is required.

9.       At least one curve with WF greater than 128 is required.

10.   Good, efficient implementations of curves using special primes are significantly faster than good, efficient implementations using random primes.

11.   There are steps in performance based on the number of words used.

12.   There are a few special primes that are significantly faster than the step they are on.

13.   The curves chosen will be used for ECDH and ECDSA.

14.   The curves will be used in TLS and certificates.

If you have more truths then please add to this list.

Sean Parkinson | Consultant Software Engineer | RSA, The Security Division of EMC
Office +61 7 3032 5232 | Fax +61 7 3032 5299