Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

John Mattsson <john.mattsson@ericsson.com> Sat, 30 March 2019 21:32 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: CFRG <cfrg@irtf.org>
Date: Sat, 30 Mar 2019 21:32:07 +0000
Message-ID: <923D7F5E-19E1-4235-8CB2-4BF9EEF7EDFF@ericsson.com>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/yHGzVOQx27PLWpFWDyUWTyJxkcU>

Very well-written draft for only being in version -01.

A few comments.

- “MAY use BN256.”

I don’t know how practical/unpractical the exTNFS algorithm is in terms of memory etc. but as you write below “100 bits of security is no longer secure” (which I assume refers to curves like BN256) it seems like the recommendation should at least be SHOULD NOT.

- “For security, we introduce 100 bits, 128 bits and 256 bits of
security.  We note that 100 bits of security is no longer secure and
recommend 128 bits and 256 bits of security for secure applications.
We follow TLS 1.3 [34] which specifies the cipher suites with 128
bits and 256 bits of security as mandatory-to-implement for the
choice of the security level.”

My understanding and experience is that a 192-bit security level is more common for asymmetric crypto than a 256-bit level. As an example, the US CNSA suite for protection of up to TOP SECRET information, uses P-384 for ECDHE and ECDSA. I don’t think anybody needs more than that in practice. Many TLS libraries did not even support P-521 until recently. For AES-192 and AES-256 the performance penalty is small, but for asymmetric crypto the performance difference between 192 and 256 bit security is often quite large. I would recommend that the draft follows TLS 1.3 and specifies curves with 128, 192, and 256 bits of security. If I had to choose two, 128 and 192 would be the most important.

- “Hence, we consider BLS48 for 256 bits of security.”

I think it is better if you just wrote the estimated security level… ( ≈ 581 / 2 / 1.33 = 218 ? )

Cheers,
John