IETF Logo Mail Archive

Re: [Cfrg] Actual security levels for IETF crypto

Phillip Hallam-Baker <phill@hallambaker.com> Tue, 28 October 2014 17:59 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C95811A8941 for <cfrg@ietfa.amsl.com>; Tue, 28 Oct 2014 10:59:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.423
X-Spam-Level: *
X-Spam-Status: No, score=1.423 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R2PdUkGHDBCW for <cfrg@ietfa.amsl.com>; Tue, 28 Oct 2014 10:59:38 -0700 (PDT)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03FC01A9048 for <cfrg@irtf.org>; Tue, 28 Oct 2014 10:56:16 -0700 (PDT)
Received: by mail-la0-f41.google.com with SMTP id pn19so1130249lab.0 for <cfrg@irtf.org>; Tue, 28 Oct 2014 10:56:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=FV+BIkDmRBa4ShHkOAl81TBUvzrDSRBC25dEx1rz2sA=; b=Kc+Yc9O00jBY9bBK/yX16gHMpfQfh00HpO/McSY5eShjSSARkgp7ZTFeEXCol+RqJP a59zwX9Xz7CIrtB3yX8NewQL88cy7kRzv5fisCx28BAQrulaZ5S02FH+bwDQumIp/KS9 mc1DQ14WGKZhFRYP4IFUD+MTM6I5E7wyfY0/TYvL2OXvIwRY+N7Rw/RGl28VgCjOreYO hpMpFuSq5ijc65lY4EErRmZ50tBi01jwvJeFWIU+o6quQ8Btuvsxc23h6J1CXmdiGyVc mUcttBOPLksGHKU/3nZJBq1pVvbO9xb4GMJoArnRIg4SsI2kzdiG7mxr91LB/vH4jsN7 s0Ig==
MIME-Version: 1.0
X-Received: by 10.112.200.34 with SMTP id jp2mr5770416lbc.1.1414518974971; Tue, 28 Oct 2014 10:56:14 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.214.163 with HTTP; Tue, 28 Oct 2014 10:56:14 -0700 (PDT)
In-Reply-To: <544FCFD6.2040501@shiftleft.org>
References: <20141027053452.13077.qmail@cr.yp.to> <544E4832.8030600@cs.tcd.ie> <CACsn0cn_4r67SmR9t+HqBb8YfYXd_r7FPJAxGcue1NRWsf5GBw@mail.gmail.com> <544EE4F1.2070201@cs.tcd.ie> <CAMm+LwiakY0OyxLY4BCwqe8Nq5A-5fQmf_AMCtf8mSNap6S1Bg@mail.gmail.com> <CACsn0cmda=CjaKweFfpD=PxxkKAHKpmHa+y7QCjbD9zCfrZ6yQ@mail.gmail.com> <CAMm+LwgkFOyg-U81u3z7aBgjcNNcsavpvjAqWWSmWHECKQCOqQ@mail.gmail.com> <B05385A6-4F55-4778-B53F-CD886558DC06@gmail.com> <CAMm+LwhanbscYJc9B-fWo4ExGtZB+P_AV2B-+zw8VhnQwE1jhg@mail.gmail.com> <731C763F-D7B9-4FC2-90CE-11217AE82698@gmail.com> <544FCFD6.2040501@shiftleft.org>
Date: Tue, 28 Oct 2014 13:56:14 -0400
X-Google-Sender-Auth: Np68SGFP87Qqqbe3UWeJr6CHPi0
Message-ID: <CAMm+Lwh5yyooHXCiqDVQfwVDG7Vvma84kbDr-SsjN3W-5Cxfiw@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Mike Hamburg <mike@shiftleft.org>
Content-Type: multipart/alternative; boundary="001a11c3749e08038705067f5d22"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/pfVtkWeP9G4t6l5DY1mGR6eevDY
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Actual security levels for IETF crypto
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 17:59:40 -0000

On Tue, Oct 28, 2014 at 1:18 PM, Mike Hamburg <mike@shiftleft.org> wrote:

>
>  Is it really modest?  P-256 is 4 times as fast as P-521. We don’t have
>> numbers for a 512-bit curve, but Goldilocks is just over 3 times slower
>> than Curve25519, whereas P-521 is 23 times slower.
>>
>> So is there an argument to use #2 that is strong enough to overcome the
>> performance penalty argument?
>>
>> Yoav
>>
>>  Actually, we do have numbers.  They aren't quite apples-to-apples
> because of point formats, point compression, hashing and different
> benchmarking suites, but they're close.  And of course, keep in mind that
> these aren't benchmarks of curves, but of implementations.
>
> Curve25519 takes 194kcy for an ECDH on Sandy Bridge (SUPERCOP).  I'm using
> Sandy Bridge and ECDH because we have the most benchmarks on that
> combination.  Point compression built-in.
>
> Microsoft's ed-256-mers takes 234kcy (Bos et al, published).
>
> P256 takes 374kcy for an ECDH on Sandy Bridge (Gueron and Krasnov,
> published).
>
> ed-384-mers takes 617kcy (Bos et al, published).
>
> Ed448-Goldilocks takes 667kcy (SUPERCOP), just under 3.5x Curve25519.
> Point compression built-in.
>
> ed-512-mers takes 1293kcy (Bos et al, published).
>
> Granger and Scott posted an E-521 implementation and claimed much better
> performance than this, but their implementation is not constant-time and
> their numbers didn't account for TurboBoost. Samuel Neves measured it with
> TurboBoost disabled and got 1030kcy on Sandy Bridge.
>
> I wrote an experimental constant-time implementation of E-521 using
> Goldilocks as a framework, and measured it at 803kcy on Haswell. This would
> probably be in the same neighborhood as that 1030kcy on Sandy Bridge (~15%
> IPC difference and no AVX2).  Point compression built-in.
>
> Trevor Perrin clocked OpenSSL 1.0.2's NIST P-521 at 1714kcy on Haswell,
> which would probably be just under 2MCy on Sandy Bridge.
>
> OpenSSL's NIST-P-384 implementation isn't optimized yet, so it's even
> slower than P-521 at 2.2M Haswell cycles (Trevor again).
>


For the sake of comparison, where do RSA1024 and RSA2048 fit in?

[Accepting that the public/private key advantage flips]

And lets not forget that the performance issues are different for client
and server.


First, lets take the constrained devices off the table. Anything that is
struggling with X25519 is not going to look at anything stronger. So that
leaves non constrained clients and high volume servers.

As far as the client goes, the baseline is the RSA2048 public key
operation. Anything that takes that number of cycles or less is going to be
OK. Its moot anyway as the client does not make the choice.

On the server side things are a little more complex. But either it is
crypto limited or limited by something else. All the curves are going to be
faster than RSA2048 because we get the asymmetric advantage for private key
operations but in the sort term at least, we might lose the crypto
accelerator board advantage.


So I can see a strong argument for ~256 on the server and something much
higher (i.e. ~512). I don't see a case for something that is neither one
nor the other.

v2.46.0 | Report a Bug | By Email | System Status