Re: [Cfrg] Summary

Michael Hamburg <mike@shiftleft.org> Thu, 01 January 2015 18:01 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF1021A0252 for <cfrg@ietfa.amsl.com>; Thu, 1 Jan 2015 10:01:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.454
X-Spam-Level: ***
X-Spam-Status: No, score=3.454 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FEwujYZC6cGp for <cfrg@ietfa.amsl.com>; Thu, 1 Jan 2015 10:01:40 -0800 (PST)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8607E1A024E for <cfrg@irtf.org>; Thu, 1 Jan 2015 10:01:40 -0800 (PST)
Received: from [192.168.1.117] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 5790D3AA43; Thu, 1 Jan 2015 09:59:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1420135166; bh=kTb09K1vkxRrf+WA1oBiNOD4H3rVgmGe5uTkT7zCPsM=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=feGWcuHxlXxviMph2AgeG+jm8+0FLHBp5VXvo/LbkS7tQoQC+pEB736sMS2CH/MGu xaR5frPRnduwlFBtgreHHQ9jRMrHNvsEKzbljcNiHvpZH9iJXqwE0eP3eGF4Te5eyP hendFGuBxF+MN+9FOtI9EPgOK+IuGQ5BTPOHJuUU=
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2064\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <1420133158.4562.12.camel@scientia.net>
Date: Thu, 1 Jan 2015 10:01:38 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <6C4A6915-495A-403F-899B-A114375A348F@shiftleft.org>
References: <20150101144926.GA4784@roeckx.be> <CACsn0ckip8ZK=wYEAPJGAxwxBEBkXkSJQi9uPZQ7dmXPo77bGQ@mail.gmail.com> <1420133158.4562.12.camel@scientia.net>
To: Christoph Anton Mitterer <calestyo@scientia.net>
X-Mailer: Apple Mail (2.2064)
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/vojbFb4DcgZaWgJiCamUkhoXVqU
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Summary
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Jan 2015 18:01:41 -0000

> On Jan 1, 2015, at 9:25 AM, Christoph Anton Mitterer <calestyo@scientia.net> wrote:
> 
> On Thu, 2015-01-01 at 10:50 -0500, Watson Ladd wrote: 
>> Above 255 bits, life gets more interesting. Assuming we want to use
>> X-coordinate Montgomery (sorry Mike) for ECDH and compressed Edwards
>> for sigs, we've got 3 or 4 different proposals for around 380, and 1
>> for 521.

Heh.  My alternative point encoding stuff is just an experiment.

>> -For 521 it's E521 as described on safecurves.cr.yp.to, the prime being 2^521-1

> Is this going to be followed up?

Yes, at some point.

> I'd really love so see a trustworthy curve that has an extremely high
> security margin... something like "as long as there are no quantum
> computers and no other break through against the base paradigms is found
> - no collected computing power will 'ever' be able to break this"...
> that could be used in fields like OpenPGP... for long-term key signing,
> where performance doesn't matter that much.


I agree.  That said, 521 bits is overkill for this.    For a 384-bit prime, you already need an amount of energy equal to many stars’ outputs over their entire lifetimes.  (The Universal Security paper would suggest about a million Sun-like stars, but I don’t recall what temperature they’re assuming the computation will take place at.)  Even in a science-fiction world where humanity is capable of such feats, it will not be worth snuffing stars to break your PGP key.

I consider every prime past 2^256, and certainly every prime past say 2^320, to be a hedge against limited math breakthroughs and not against faster computers.  So it’s really tricky to evaluate where to set the security levels.

Cheers,
— Mike