Re: [Cfrg] A big, big Elliptic Curve

John Mattsson <john.mattsson@ericsson.com> Mon, 15 January 2018 13:43 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Tanja Lange <tanja@hyperelliptic.org>, Phillip Hallam-Baker <phill@hallambaker.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Mon, 15 Jan 2018 13:42:58 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/rIKL5Lhw7_HPrNRO5Q7yz6Csjmg>

Hi,

I noticed that Roetteler et al. have now published their work and that the verdict seems to have changed again. The current understanding is now that RSA offers slightly more quantum security than ECC (at a comparable classical security level), but that the margin is much smaller than previously claimed by Proos and Zalka.

https://arxiv.org/pdf/1706.06752.pdf

An overview of the required number of qubits and Toffoli gates can be found in Table 2.

Cheers,
John

On 2016-04-11, 05:22, "Cfrg on behalf of Tanja Lange" <cfrg-bounces@irtf.org on behalf of tanja@hyperelliptic.org> wrote:

    > As mentioned in the meeting, QC attacks don't use the same algorithms
    > as conventional attacks and so the difficulty of breaking Curve 25519
    > is considerably less than breaking RSA2048.
    > 
    
    Could you point me to sources for this? There is an old paper by
    Proos and Zalka which has claims like this, but more recent work
    by Roetteler and Steinwandt properly considers reversibility and 
    ends up taking longer (time & qubits) for a 160 bit curve than 
    1024 bit RSA. They did detailed work for binary curves and last
    I talked to them were looking into odd characteristic. The jury
    is still out for larger curves and larger RSA but between a
    256-bit curve DLP and a 2048 RSA; I'd be surprised if RSA was 
    harder.
    
    > Interpreting the NSA advice is error prone. But the straight reading
    > would be 'we think it more likely that a quantum computer will be
    > built that can break current ECC schemes before someone works out how
    > to break RSA 3096.
    >
    If I take them at face value they basically say: Don't complain 
    if we ask you to upgrade to new crypto soon; here, as a concession 
    you may continue using the old stuff as long as it is not super 
    small. 
    
    I'd rather not speculate about their intention and whether those 
    are in our interest or not.
    
    	Tanja 
    