[Cfrg] A big, big Elliptic Curve

Phillip Hallam-Baker <phill@hallambaker.com> Sun, 10 April 2016 14:59 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/uQyswOpOlfGG1xBl9e7J2-Od2Q8>

Following our discussion on QC hardening. Among the range of
responses, perhaps we should consider an Elliptic Curve with a QC
difficulty comparable to that of RSA.

As mentioned in the meeting, QC attacks don't use the same algorithms
as conventional attacks and so the difficulty of breaking Curve 25519
is considerably less than breaking RSA2048.

Interpreting the NSA advice is error-prone. But the straight reading
would be 'we think it more likely that a quantum computer will be
built that can break current ECC schemes before someone works out how
to break RSA 3096'.

So maybe what we need is Curve2048 or Curve3096, just to be sure. It
would be slow of course. But it could be useful.