IETF Logo Mail Archive

Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

Shoko YONEZAWA <yonezawa@lepidum.co.jp> Mon, 22 April 2019 10:35 UTC

Return-Path: <yonezawa@lepidum.co.jp>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1334D12006E for <cfrg@ietfa.amsl.com>; Mon, 22 Apr 2019 03:35:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lepidum-co-jp.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id duSmR0kL-x_V for <cfrg@ietfa.amsl.com>; Mon, 22 Apr 2019 03:35:33 -0700 (PDT)
Received: from mail-pg1-x536.google.com (mail-pg1-x536.google.com [IPv6:2607:f8b0:4864:20::536]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 496C9120047 for <cfrg@irtf.org>; Mon, 22 Apr 2019 03:35:33 -0700 (PDT)
Received: by mail-pg1-x536.google.com with SMTP id y3so5662961pgk.12 for <cfrg@irtf.org>; Mon, 22 Apr 2019 03:35:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lepidum-co-jp.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=DuTpaRntl0VlXPKiRlsHK8q/oN55zMo1UA7+mXZ7d7s=; b=c366Bqx2DhSbFvqN24agv+MfPKA/QUSUzvnTStXIfVreBtWGr7S5KMPIECUBH2DosN A9/g5iFlgEl0wu2Q33Kn6NhIfaCu/ntm31Yp0kv+zp/MQ8qqVS/O6dNaiPM4jnrY3Wwd ZcJGOAa8qMgbRt8TWPJkgjkXaF6WluS3UvqGyuSNuHyGnyFYRCB+FHLB9s6UEdp57jp0 rwm7gCzKSDRwkAxODF+BnMlV0TQ9I1OkyuwwN4tEXdBGdttR6YSChQCnuKGzBsBgPV97 OpQfsaSEAMOQxHS8Xpga4Z3X0L1T9ay+UI98j43FWnO57LFoIDQIR3DX0C+Wmc1/ijTN oNuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=DuTpaRntl0VlXPKiRlsHK8q/oN55zMo1UA7+mXZ7d7s=; b=EFxumJT+2vT5gsEy46yB5Pile28KCN2l+Of7WvUILTzpRcR4xUKRdPh2nnTOT2xx2i Bm8kq/0xJX5IJPW0Duwl+iGlMOfkoz++O+cuRX5+IH1pC1bt1iNkgnMlvdmeMRun4Wot HrfVpUina1x5pgft8HScnNl1DmW17I8SGXRhs8OebWuCSR9FiFDKk708j5JWsnH0xzCL l4/WW2/X2X+GSEPnrl1fvUe0nkSVbOEa7NyKAV9OtZmKD3wVmWgu5K6BfHrWWchmw25M RNKpgKVA2Le6Fc7yZHkbvrz0BNQhxE3GK8kQVzJxjSw+Qiu1qZRJ/Ux/t7jsVyl4Jx1f 34Uw==
X-Gm-Message-State: APjAAAWTpCuVrgLvvt/XblF+CR0il9tCRjDV0ZjwmL2ow94gpbKjrb56 oGUlcb0KMoC0du3iSxoBp5f76nGQXf5m88GTAAL+rEHhAXYCkiDvA1eXt5tMNZCGdXsA7kHSEqO 9lEeeLROT5Z3RQecMisfjLnjdloeVHtWbujbXVK/5pWrO8phDlRjhKcMoJYs=
X-Google-Smtp-Source: APXvYqz4w5okwAca0G/GPs2vltQVMH0egQNimOdb1ex9DkKPTGEq6z+JSbsuZxJ6mWiDLPagUdvGjA==
X-Received: by 2002:a63:c0e:: with SMTP id b14mr18187536pgl.308.1555929332287; Mon, 22 Apr 2019 03:35:32 -0700 (PDT)
Received: from ShokonoMacBook.local (M111108027067.v4.enabler.ne.jp. [111.108.27.67]) by smtp.gmail.com with ESMTPSA id d68sm29486666pfg.16.2019.04.22.03.35.30 for <cfrg@irtf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 22 Apr 2019 03:35:31 -0700 (PDT)
To: cfrg@irtf.org
References: <923D7F5E-19E1-4235-8CB2-4BF9EEF7EDFF@ericsson.com>
From: Shoko YONEZAWA <yonezawa@lepidum.co.jp>
Message-ID: <088ddbff-4a19-2fd1-0a88-134533c4e463@lepidum.co.jp>
Date: Mon, 22 Apr 2019 19:35:29 +0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <923D7F5E-19E1-4235-8CB2-4BF9EEF7EDFF@ericsson.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/pcrs3uNpv_XW0GBDH4ma9AVtq0w>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Apr 2019 10:35:36 -0000

Dear John,

Thank you very much for your comments
and I'm sorry to be late for the response.

 > - ”MAY use BN256.”
 >
 > I don’t know how practical/unpractical the exTNFS algorithm is in 
terms of memory etc. but as you write below “100 bits of security is no 
longer secure” (which I assume refers to curves like BN256) it seems 
like the recommendation should at least be SHOULD NOT.

In our draft, we allow the curves with 100 bits of security (e.g. BN256)
only if an application does not require higher security level.
For new applications, we recommend they "SHOULD NOT use" such curves.

The main concern we are worrying about is the case where the curves like 
BN256 have been already deployed and difficult to keep interoperability 
if BN256 is not allowed.
For the next version of our draft, we will describe the use of BN256
like "implementers SHOULD NOT use BN256, but MAY use BN256 only if they 
need to keep interoperability with the old implementations".

 > My understanding and experience is that a 192-bit security level is 
more common for asymmetric crypto than a 256-bit level. As an example, 
the US CNSA suite for protection of up to TOP SECRET information, uses 
P-384 for ECDHE and ECDSA. I don’t think anybody needs more than that in 
practice. Many TLS libraries did not even support P-521 until recently. 
For AES-192 and AES-256 the performance penalty is small, but for 
asymmetric crypto the performance difference between 192 and 256 bit 
security is often quite large. I would recommend that the draft follows 
TLS 1.3 and specifies curves with 128, 192, and 256 bits of security. If 
I had to choose two, 128 and 192 would be the most important.

Thank you for the reference.
We now understand the needs for 192 bits of security
and will add the curves for this level.

The reason we first omitted 192 bits of security
is that people may use aymmetric crypto with 256 bits of security
rather than 192 bits of security.
According to SSL Pulse Trends, site owners tend to choose
ECDH 521bit (5.29%) rather than ECDH 384bit (4.72%).

https://kjur.github.io/www/sslpulsetrend/index.html#kxecdh

Best regards,
Shoko

On 2019/03/31 6:32, John Mattsson wrote:
> Very well-written draft for only being in version -01
> 
> A few comments.
> 
> - ”MAY use BN256.”
> 
> I don’t know how practical/unpractical the exTNFS algorithm is in terms of memory etc. but as you write below “100 bits of security is no longer secure” (which I assume refers to curves like BN256) it seems like the recommendation should at least be SHOULD NOT.
> 
> - “For security, we introduce 100 bits, 128 bits and 256 bits of
> security.  We note that 100 bits of security is no longer secure and
> recommend 128 bits and 256 bits of security for secure applications.
> We follow TLS 1.3 [34] which specifies the cipher suites with 128
> bits and 256 bits of security as mandatory-to-implement for the
> choice of the security level.”
> 
> My understanding and experience is that a 192-bit security level is more common for asymmetric crypto than a 256-bit level. As an example, the US CNSA suite for protection of up to TOP SECRET information, uses P-384 for ECDHE and ECDSA. I don’t think anybody needs more than that in practice. Many TLS libraries did not even support P-521 until recently. For AES-192 and AES-256 the performance penalty is small, but for asymmetric crypto the performance difference between 192 and 256 bit security is often quite large. I would recommend that the draft follows TLS 1.3 and specifies curves with 128, 192, and 256 bits of security. If I had to choose two, 128 and 192 would be the most important.
> 
> “Hence, we consider BLS48 for 256 bits of security.”
> 
> I think it is better if you just wrote the estimated security level… ( ≈ 581 / 2 / 1.33 = 218 ? )
> 
> Cheers,
> John
> 
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
> 

-- 
Shoko YONEZAWA
Lepidum Co. Ltd.
yonezawa@lepidum.co.jp
TEL: +81-3-6276-5103

v2.23.0 | Report a Bug | By Email