Re: [Cfrg] revised requirements for new curves
Alyssa Rowan <akr@akr.io> Sun, 14 September 2014 19:20 UTC
Return-Path: <akr@akr.io>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6A071A019B for <cfrg@ietfa.amsl.com>; Sun, 14 Sep 2014 12:20:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Te6ZWoIlC0vM for <cfrg@ietfa.amsl.com>; Sun, 14 Sep 2014 12:20:38 -0700 (PDT)
Received: from entima.net (entima.net [78.129.143.175]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D0031A0196 for <cfrg@irtf.org>; Sun, 14 Sep 2014 12:20:38 -0700 (PDT)
Message-ID: <5415EA8A.1000102@akr.io>
Date: Sun, 14 Sep 2014 20:20:42 +0100
From: Alyssa Rowan <akr@akr.io>
MIME-Version: 1.0
To: cfrg@irtf.org
References: <D0333B6F.2C8CF%kenny.paterson@rhul.ac.uk> <CAMm+Lwi9rgAQNGW1k3TW52syexFUBOL1O48GizmLpcARrhBhgg@mail.gmail.com>
In-Reply-To: <CAMm+Lwi9rgAQNGW1k3TW52syexFUBOL1O48GizmLpcARrhBhgg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/vI0347FEJEoViLle1R7jikUplVk
Subject: Re: [Cfrg] revised requirements for new curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Sep 2014 19:20:40 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 08/09/2014 11:23, Paterson, Kenny wrote: > Intellectual Property > > IP1. Required: securely, simply and efficiently implementable > world-wide under royalty-free licensing terms. [C] > > IP2. Desired: securely, simply and efficiently implementable > world-wide in a patent-free manner. [RC] I think it'd be invaluable for potential proposals to have a clear statement about the patent status of a (secure, simple and efficient) reference implementation, at least - otherwise, it's hard to know how we can best evaluate these criteria, particularly alongside PE1 and PE2? It'd be even more helpful for adoption downstream if those reference implementations were suitable, and permissable, for wide practical use. Would a patent search help? Someone recently said to me that elliptic curve cryptography was a [patent] minefield (albeit less so as some older patents, such as point-compression, expire) - and if we can clear, or at the very least map, as much of that minefield as possible, many potential barriers to adoption could be removed. On 08/09/2014 15:42, Phillip Hallam-Baker wrote: > I didn't see consensus that we needed 192 bit curves. > > These seem superfluous to me If I want speed then I will go to 128 > bits. If I want high assurance I will go to 256. 192 is neither > fish nor fowl. > > In a perfect world folk can make fine tuned choices between speed > and security but I only have two security levels: paranoid and > till the sun goes supernova secure level paranoid. I concur entirely with this, agl's points, and Markulf's. ≈WF128 curves can I think deliver the strong, but very efficient functions IETF protocols are going to want for cryptography everywhere. ≈WF256 curves can deliver about the best we can probably expect from elliptic curves, until quantum computers eventually show up and crash that party. If you want to be extra-careful, and some do, that's the way to go. ≈WF192 is not a great compromise either way IMHO, especially as there are no convenient 2^x-n primes with very small n in the immediate vicinity of 384-bit. Plus, 2 new curves are easier to specify and implement correctly than 3. (1 is of course easier still - as with agl, if we had to pick one, I'd pick ≈WF128 - but I'd suggest keeping ≈WF256, too.) If it's optional, I definitely say drop 192 from requirement SE6. You don't exactly see people queuing up to use AES-192, do you (or even SHA-384 for anything but NSA Suite B)? - -- /akr -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUFeqKAAoJEOyEjtkWi2t6Cu8P/iT6XNwwPSCqQBZXKvD0NwpB Fa37gNWkozQvbF6elk4tGllH/fhRlxD3/6DZQeTm8ZHW/WpH4q2XF3o6V3gk/Pl7 GCri7xpGcizPdfmQ2HvgJnK6uVqzcyRGpvjz/lsbrq8vDBlPO5O0NffIWrMSUQ6B oB1RZBU0D8Y9C79Cd0PoTyF/CfXh0ktj3eke/8tHli/Jepn3L+3TnilXODYXYRX9 deoxA/fTJ3xAZQx29iEwVMCmMi9Wj4L1naVmEpj0yh/Gy5JRHtKG2uT076Nux/DG adHYdy9rAIFRMtTWPNbJxQyblrgede+W05kd3fkn0IuuUHxY0QVeGpViruP8HB3I EPHon7wBTOE11CfOnmhIm6jurVwz1HXtSJehRE3Z+tVo9pJ+vq1FGpanj0g8PgXj h3vAIcOY00IrltzAxuj9YsQuSyl9Gxz4Krd5ri3RZU+7Xs2Z1iLEr3e3Jg6p1D1D tTcHAobcJ4zrm/FS750rQAFma6Ze5tydhsDmQAsfmlb8OyYws0reTNkKzxAH0NRt vVhVa/Tel49cC6wZf4psdjUAs1CAh6ACTw5n0FokHoMADKnnx7iWDYY4zkm2O7et nwi92g5XjddtlWStc9Yy+RR4cHJwcZvutgeineHCwNcGtjrhFswpDJnqNH8xI/8o QEWL8wRCRsV7hu22Brzb =ppd9 -----END PGP SIGNATURE-----
- Re: [Cfrg] revised requirements for new curves Paterson, Kenny
- Re: [Cfrg] revised requirements for new curves William Whyte
- Re: [Cfrg] revised requirements for new curves Manuel Pégourié-Gonnard
- Re: [Cfrg] revised requirements for new curves Phillip Hallam-Baker
- Re: [Cfrg] revised requirements for new curves Stephen Farrell
- Re: [Cfrg] revised requirements for new curves Paterson, Kenny
- Re: [Cfrg] revised requirements for new curves Paterson, Kenny
- Re: [Cfrg] revised requirements for new curves Watson Ladd
- Re: [Cfrg] revised requirements for new curves Paterson, Kenny
- Re: [Cfrg] revised requirements for new curves David Jacobson
- Re: [Cfrg] revised requirements for new curves Manuel Pégourié-Gonnard
- Re: [Cfrg] revised requirements for new curves D. J. Bernstein
- Re: [Cfrg] revised requirements for new curves Michael Hamburg
- Re: [Cfrg] revised requirements for new curves Paterson, Kenny
- Re: [Cfrg] revised requirements for new curves Adam Langley
- Re: [Cfrg] revised requirements for new curves Paterson, Kenny
- Re: [Cfrg] revised requirements for new curves Adam Langley
- Re: [Cfrg] revised requirements for new curves Damien Miller
- Re: [Cfrg] revised requirements for new curves Damien Miller
- Re: [Cfrg] revised requirements for new curves Torsten Schuetze
- Re: [Cfrg] revised requirements for new curves Eric Rescorla
- Re: [Cfrg] revised requirements for new curves Markulf Kohlweiss
- Re: [Cfrg] revised requirements for new curves Phillip Hallam-Baker
- Re: [Cfrg] revised requirements for new curves Alyssa Rowan
- Re: [Cfrg] revised requirements for new curves Michael Hamburg
- Re: [Cfrg] revised requirements for new curves Phillip Hallam-Baker
- Re: [Cfrg] revised requirements for new curves Michael Hamburg
- Re: [Cfrg] revised requirements for new curves Andrey Jivsov
- Re: [Cfrg] revised requirements for new curves Andrey Jivsov