Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Mon, 02 March 2015 14:28 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7FC71A877D for <cfrg@ietfa.amsl.com>; Mon, 2 Mar 2015 06:28:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.501
X-Spam-Level:
X-Spam-Status: No, score=-0.501 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hPqcc01_ZMGh for <cfrg@ietfa.amsl.com>; Mon, 2 Mar 2015 06:28:46 -0800 (PST)
Received: from emh04.mail.saunalahti.fi (emh04.mail.saunalahti.fi [62.142.5.110]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B2761A8774 for <cfrg@irtf.org>; Mon, 2 Mar 2015 06:28:45 -0800 (PST)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh04.mail.saunalahti.fi (Postfix) with ESMTP id 83EA51A263A; Mon, 2 Mar 2015 16:28:43 +0200 (EET)
Date: Mon, 2 Mar 2015 16:28:43 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <20150302142843.GA32307@LK-Perkele-VII>
References: <54EDDBEE.5060904@isode.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <54EDDBEE.5060904@isode.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/rad60yxdiCTQPLjPb0JnaJJwSMY>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Rerun: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Mar 2015 14:28:48 -0000

On Wed, Feb 25, 2015 at 02:27:58PM +0000, Alexey Melnikov wrote:
> CFRG chairs are starting another poll:
> 
> Q3: This is a Quaker poll (please answer one of "preferred", "acceptable" or
> "no") for each curve specified below:

Considering entiere space for high-security curve...
 
> 1) 448 (Goldilocks)

Prefer (high-performance curve with well-characterized performance
characteristics, easy to construct signatures).

> 2) 480

No (bad performance on 32-bit[1], marginal with signatures)

> 3) 521

No (too slow and large for signatures, uncertain security benefits[2]).

> 4) other curve (please name another curve that you "prefer" or "accept", or
> state "no")

p=2^414-17  (accept[3])



[1] This is in contrast to stellar performance at 64-bit. And 32-bit
performance still looks to matter (mobile, which is already loaded and
slow!)

[2] The rho complexities are so high that I think it is meaningless to
compare those. Basically, I think that is reasonably likely that anything
that can break any one of these curves can break them all (especially at
WF200+)[4].

[3] There have been decent amount of performance characterization of this
prime, even if there is no good software available. It is WF200+ too.

[4] Some examples:

1) Major advances to ECC cryptoanalysis (no telling what that does to
   ECC)
2) Large quantum computers (totally breaks ECC).
3) Fundamential physics breakthroughs allowing far surpassing current
   theoretical limits (no telling what that does to computational
   capability; however I think this is less likely than large QC).


-Ilari