Re: [Cfrg] What constitutes a curve with a 256-bit security level?

Michael Hamburg <mike@shiftleft.org> Wed, 18 February 2015 22:14 UTC

From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <CAHOTMVKSQHSP_=_VreCbXhdE+jkLBq8qJ9S_hquwQEoofB5c4g@mail.gmail.com>
Date: Wed, 18 Feb 2015 14:14:31 -0800
Message-Id: <A5B5FC81-DBA3-4FC1-9DFB-FA3D5AD575BD@shiftleft.org>
References: <CAHOTMVJKqMcddZ0DEdgh7gVedFR5TPfZHZaVNVmMMUnvTfpLzA@mail.gmail.com> <E64DFFE5-92AE-40EF-8B9D-BD8DA57F0D31@shiftleft.org> <CAHOTMVKSQHSP_=_VreCbXhdE+jkLBq8qJ9S_hquwQEoofB5c4g@mail.gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/xFpwNZoLSXaL6w9vjoyb1HkEn9c>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] What constitutes a curve with a 256-bit security level?

> On Feb 18, 2015, at 11:55 AM, Tony Arcieri <bascule@gmail.com> wrote:
> 
> On Wed, Feb 18, 2015 at 11:21 AM, Michael Hamburg <mike@shiftleft.org> wrote:
> > I believe the chairs have explicitly stated that Ed448-Goldilocks will not be eligible, because it is almost exactly between WF192 and WF256, and because they feel that curves must be voted off the island in order to make progress.  Though I am curious — is the same also true of Ed480-Ridinghood?
> 
> Correct me if I'm wrong, but aren't there issues around signatures for Ridinghood that aren't problematic for Goldilocks?

… no?

It may be that you’re thinking SHA512-and-truncate won’t be uniform enough mod the order of Ridinghood.  But in fact it will, because the order of Ridinghood is 2^480 - O(2^240), and so the deviation from uniformity will be O(2^-(240+32)).  The same would not be true for a prime with a large coefficient like NIST P-256.

> Also note: Having good answers to questions like this is a reason why I feel that signatures should take priority over a higher security curve.
> 
> -- 
> Tony Arcieri


Agreed.

Cheers,
— Mike
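
Added example, not part of the original message: the exact statistical distance from uniform of a truncated hash output reduced mod a group order, contrasting a modulus of the shape 2^480 - O(2^240) with the P-256 order. Assumptions: "truncate" is modelled as keeping as many hash bits as the order has and then reducing; the measure is statistical distance; STAND_IN_480 is a constructed modulus with the described shape, not the real Ridinghood order. The exponents it reports are specific to this model.

```python
from fractions import Fraction
import math

# Real P-256 group order: 2^256 - 2^224 + ..., i.e. a "large coefficient" prime.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
# Constructed stand-in with the shape 2^480 - O(2^240). NOT the real Ridinghood
# order (assumption); the distance depends only on how far q sits below 2^480.
STAND_IN_480 = 2**480 - 2**240


def statistical_distance(hash_bits: int, q: int) -> Fraction:
    """Exact distance from uniform on [0, q) of (uniform hash_bits-bit int) mod q."""
    n = 2**hash_bits
    k, r = divmod(n, q)  # r residues are hit k+1 times, the other q-r are hit k times
    # Sum of the positive deviations: r * ((k+1)/n - 1/q) = r*(q - r) / (n*q)
    return Fraction(r * (q - r), n * q)


def log2_fraction(x: Fraction) -> float:
    """log2 of a positive Fraction, computed on the big integers directly."""
    return math.log2(x.numerator) - math.log2(x.denominator)


def bias_exponent(hash_bits: int, q: int) -> float:
    """log2 of the statistical distance, for easy comparison with 2^-k bounds."""
    return log2_fraction(statistical_distance(hash_bits, q))


if __name__ == "__main__":
    cases = [
        ("P-256 order, hash truncated to 256 bits", 256, P256_ORDER),
        ("P-256 order, full 512-bit hash reduced", 512, P256_ORDER),
        ("2^480 - 2^240, hash truncated to 480 bits", 480, STAND_IN_480),
        ("2^480 - 2^240, full 512-bit hash reduced", 512, STAND_IN_480),
    ]
    for name, bits, q in cases:
        print(f"{name}: distance ~ 2^{bias_exponent(bits, q):.1f}")
```
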