Re: [Cfrg] Elliptic Curves - poll on security levels (ends on February 17th)

Yoav Nir <ynir.ietf@gmail.com> Tue, 10 February 2015 16:58 UTC

Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CACsn0cn-wB_0P2Z-MYi-zYpS1wsf=4qDvByRBK9iCnU=OsB1jw@mail.gmail.com>
Date: Tue, 10 Feb 2015 18:57:45 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <DD7858CC-8C0D-4B07-BE91-E847CC5CF4C1@gmail.com>
References: <54D9E2E3.4080402@isode.com> <CACsn0cn-wB_0P2Z-MYi-zYpS1wsf=4qDvByRBK9iCnU=OsB1jw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/xXD4Y_IwofqcP1Jtw3Cjchqy2t8>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - poll on security levels (ends on February 17th)
Precedence: list

> On Feb 10, 2015, at 5:00 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> On Tue, Feb 10, 2015 at 2:52 AM, Alexey Melnikov
> <alexey.melnikov@isode.com> wrote:
>> CFRG chairs are starting a poll, containing 2 initial questions:
>> 
>> Q1: Should CFRG recommend a curve at the 192-bit security level?
>> 
>> Q2: Should CFRG recommend a curve at the 256-bit security level?
>> 
>> Answering Yes/No to each of these would suffice.
>> 
>> Once this first set of issues is resolved, we will move to choices of prime
>> at the selected security level(s), if any. After that we will be
>> discussing implementation specifics and coordinate systems for
>> Diffie-Hellman. We will then make decisions on signature schemes.
>> Please don't discuss any of these future topics at this time.
> 
> Does this mean that 2^448-2^224-1 is not being considered?
> 
> Does this mean that 2^414-17 is not being considered?
> 
> How much distance from 2^192 is allowed? How much from 2^256? Would
> 2^521-1 be an acceptable prime at the 256 bit level?
> 
> I don't know what the above questions mean, so I can't say yes or no.

+1

I don’t see any point in aiming for a particular security level. Sure, there’s the “weakest link” argument although even that’s more involved as evidenced by the separate sub-thread about PKI vs key agreement vs confidentiality vs MAC, but we can set a security level at, say, 192 bits and require a suite of algorithms at at least that level, as NIST did when specifying the higher Suite-B with AES-256 even though they were aiming for 192-bit.

To the point, there may be a reason for recommending 2^448-2^224-1 or 2^414-17, and there may be a reason for recommending 2^521-1. I don’t see a reason for aiming at 2^192, finding something close and declaring that as “good enough”. I’m not at all convinced that there is a likely scenario where it the foreseeable future Curve25519 will be easily enough broken that  people will lose confidence, but the mysterious 192-bit one will still be considered secure.

Yoav

[Cfrg] Elliptic Curves - poll on security levels … Alexey Melnikov
Re: [Cfrg] Elliptic Curves - poll on security lev… Torsten Schütze
Re: [Cfrg] Elliptic Curves - poll on security lev… Dan Brown
Re: [Cfrg] Elliptic Curves - poll on security lev… Nguyen Dr., Kim
Re: [Cfrg] Elliptic Curves - poll on security lev… Stanislav V. Smyshlyaev
Re: [Cfrg] Elliptic Curves - poll on security lev… Watson Ladd
Re: [Cfrg] Elliptic Curves - poll on security lev… Aaron Zauner
Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
Re: [Cfrg] Elliptic Curves - poll on security lev… Christoph Anton Mitterer
Re: [Cfrg] Elliptic Curves - poll on security lev… Dan Brown
Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
Re: [Cfrg] Elliptic Curves - poll on security lev… Paul Hoffman
Re: [Cfrg] Elliptic Curves - poll on security lev… Adam Langley
Re: [Cfrg] Elliptic Curves - poll on security lev… Yoav Nir
Re: [Cfrg] Elliptic Curves - poll on security lev… Stephen Farrell
Re: [Cfrg] Elliptic Curves - poll on security lev… Salz, Rich
Re: [Cfrg] Elliptic Curves - poll on security lev… Tony Arcieri
Re: [Cfrg] Elliptic Curves - poll on security lev… Daniel Kahn Gillmor
Re: [Cfrg] Elliptic Curves - poll on security lev… Mike Hamburg
Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
Re: [Cfrg] Elliptic Curves - poll on security lev… Yoav Nir
Re: [Cfrg] Elliptic Curves - poll on security lev… Kurt Roeckx
Re: [Cfrg] Elliptic Curves - poll on security lev… Alyssa Rowan
Re: [Cfrg] Elliptic Curves - poll on security lev… Mike Hamburg
Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
Re: [Cfrg] Elliptic Curves - poll on security lev… Tony Arcieri
Re: [Cfrg] Elliptic Curves - poll on security lev… Станислав Смышляев
Re: [Cfrg] Elliptic Curves - poll on security lev… Andy Lutomirski
Re: [Cfrg] Elliptic Curves - poll on security lev… James Cloos
Re: [Cfrg] Elliptic Curves - poll on security lev… Yoav Nir
Re: [Cfrg] Elliptic Curves - poll on security lev… Damien Miller
Re: [Cfrg] Elliptic Curves - poll on security lev… James Cloos
Re: [Cfrg] Elliptic Curves - poll on security lev… Mike Jones
Re: [Cfrg] Elliptic Curves - poll on security lev… Benjamin Beurdouche
Re: [Cfrg] Elliptic Curves - poll on security lev… Daniel Kahn Gillmor
Re: [Cfrg] Elliptic Curves - poll on security lev… David Leon Gil
Re: [Cfrg] Elliptic Curves - poll on security lev… Dan Harkins
Re: [Cfrg] Elliptic Curves - poll on security lev… Olafur Gudmundsson
Re: [Cfrg] Elliptic Curves - poll on security lev… Bindhunadhava
Re: [Cfrg] Elliptic Curves - poll on security lev… Aaron Zauner
Re: [Cfrg] Elliptic Curves - poll on security lev… Stanislav V. Smyshlyaev
Re: [Cfrg] Elliptic Curves - poll on security lev… Manger, James
Re: [Cfrg] Elliptic Curves - poll on security lev… Russ Housley
Re: [Cfrg] Elliptic Curves - poll on security lev… Russ Housley
Re: [Cfrg] Elliptic Curves - poll on security lev… Brian Smith
Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
Re: [Cfrg] Elliptic Curves - poll on security lev… Paterson, Kenny
Re: [Cfrg] Elliptic Curves - poll on security lev… Paterson, Kenny
Re: [Cfrg] Elliptic Curves - poll on security lev… Yoav Nir
Re: [Cfrg] Elliptic Curves - poll on security lev… Daniel Kahn Gillmor
Re: [Cfrg] Elliptic Curves - poll on security lev… Stanislav V. Smyshlyaev
Re: [Cfrg] Elliptic Curves - poll on security lev… Watson Ladd
Re: [Cfrg] Elliptic Curves - poll on security lev… Dan Brown
Re: [Cfrg] Elliptic Curves - poll on security lev… Phillip Hallam-Baker
Re: [Cfrg] Elliptic Curves - poll on security lev… Eric Rescorla
Re: [Cfrg] Elliptic Curves - poll on security lev… Annie Yousar
Re: [Cfrg] Elliptic Curves - poll on security lev… Russ Housley
Re: [Cfrg] Elliptic Curves - poll on security lev… Andrey Jivsov
[Cfrg] Why I think 256-level is a bad idea [Was: … Ilari Liusvaara
Re: [Cfrg] Why I think 256-level is a bad idea [W… Adam Langley
Re: [Cfrg] Elliptic Curves - poll on security lev… Michael Scott
Re: [Cfrg] Elliptic Curves - poll on security lev… Simon Josefsson
Re: [Cfrg] Elliptic Curves - poll on security lev… _MiW
Re: [Cfrg] Elliptic Curves - poll on security lev… Alexey Melnikov
Re: [Cfrg] Elliptic Curves - poll on security lev… Olafur Gudmundsson
Re: [Cfrg] Elliptic Curves - poll on security lev… Alexey Melnikov
Re: [Cfrg] Elliptic Curves - poll on security lev… Brian Smith
Re: [Cfrg] Elliptic Curves - poll on security lev… Paterson, Kenny
Re: [Cfrg] Elliptic Curves - poll on security lev… Joseph Salowey
Re: [Cfrg] Elliptic Curves - poll on security lev… Watson Ladd
Re: [Cfrg] Elliptic Curves - poll on security lev… Alexey Melnikov
Re: [Cfrg] Elliptic Curves - poll on security lev… Kurt Roeckx
Re: [Cfrg] Elliptic Curves - poll on security lev… Nex6|Bill