Re: [Cfrg] Comparing ECC curves

Michael Hamburg <> Wed, 23 July 2014 23:07 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id B3DEA1A011E for <>; Wed, 23 Jul 2014 16:07:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 2.755
X-Spam-Level: **
X-Spam-Status: No, score=2.755 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, J_CHICKENPOX_15=0.6, J_CHICKENPOX_35=0.6, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WqTjWk4GFZYg for <>; Wed, 23 Jul 2014 16:07:15 -0700 (PDT)
Received: from ( []) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4884D1A0373 for <>; Wed, 23 Jul 2014 16:07:15 -0700 (PDT)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id F00C43AA13; Wed, 23 Jul 2014 16:05:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=sldo; t=1406156719; bh=ZhwtT2vGPmUY3mnTkK5W0UvwXyJzTmAP2y5gOkF2KrI=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=DshVkXWAi2tUE6wbL6RViD5M4IoM3hC62a+LhPw9RQPEXD9GuxR0G042XSX+AjFNN Hi2uoV5hR5EPCfLtAqsZQSoBGipQud9eX6+KtNoxw21ScNm4dT4TPkYKH7kwBBg6Y0 GVWrOrv1NsW46I8NMus+u9eprJiPKjFKA3Svihbw=
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Michael Hamburg <>
In-Reply-To: <>
Date: Wed, 23 Jul 2014 16:07:06 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Phillip Hallam-Baker <>
X-Mailer: Apple Mail (2.1878.6)
Subject: Re: [Cfrg] Comparing ECC curves
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 23 Jul 2014 23:07:16 -0000

Hi Phillip,

This has also been discussed on the list.  Trevor Perrin and I have discussed roughly the following:

There’s nothing magical about 128, 192 or 256-bit security levels.  We are hedging against improvements in the math of attacking ECC, not against specific levels of improved compute power.  So other things being equal, a bigger group order is better, but the question is how big a group order (and thus how good a hedge) can be bought for a given performance budget.  DJB has also advanced this argument in favor of Curve41417, and I’ve advanced it in favor of Ed448-Goldilocks.

Obviously we want only a few curves of fairly different security levels, so something aimed at 2^160 work isn’t interesting.  We should pay attention to which curves are efficient, i.e. attain the best security level compared to their performance.  Ideally, it would be best to select only two new curves instead of three, i.e. a 128-ish-bit secure one and a much stronger one.

Since Karatsuba multiplication is suitable for the curves in question, we should expect EC software to take time proportional to T(group size) := log(group size) ^ (1 + log 3 / log 2) time.  So a simple benchmark would be that, other things being equal, we should look especially closely at curves where T(group size) / (time for ECDH or sign or verify) is largest.  Obviously this will vary by platform and implementation, but it seems like a reasonable benchmark between security levels.

For example, on Intel Sandy Bridge, Microsoft’s Ed-384-mers takes 617kcy to compute a shared secret (not counting decompression).  Ed448-Goldilocks takes 674kcy (counting decompression) and Ed-512-mers takes 1293kcy (not counting decompression).  So their “efficiency” scores on that platform are roughly 7.7, 10.5, and 7.7 respectively.

This is why Trevor and I (and perhaps also DJB?) believe that a fast, ordinary-security curve like Curve25519 and a high-security curve like Goldilocks or Curve41417 would be a good pair of alternatives in future deployments.

— Mike

On Jul 23, 2014, at 3:28 PM, Phillip Hallam-Baker <> wrote:

> Thanks to all the presenters, some thoughts on comparing like with like:
> 1) How do we compare algorithm A taking X cycles and offering a work
> factor 2^Y with algorithm B taking 2X cycles and offering a work
> factor 2^(Y+Z)?
> My answer here is that I am interested in the yield ratio i.e.
> [attacker work factor] / [defender effort]. so having the defender do
> twice as much work to get an improvement of one bit is not a win.
> We can define an exclusion rule: B, is definitely not going to be
> interesting as an alternative to A if Z >= 1. Doubling the work factor
> is not a win if I have to do twice as much work.
> But that still leaves open the question of how much defender effort it
> is worth to increase the difficulty by a factor of two.
> 2) Should the security levels be maximums or minimums?
> Looking through the Microsoft presentation I see that they have chosen
> work factors of 128, 192 and 256 bits. This is reasonable of course
> but maybe not the best way to compare like with like. Because the real
> limitations here are the machine resources which nowadays come in
> units of 64 bits.
> What I am really interested in is how much security you can provide
> for an n*64 bits wide datapath. I do not want to have to mess about
> with a129 bits to achieve 128 bits security. If someone can do the
> math significantly faster then I'll take 127 bits. But I certainly
> don't want to go below 120 bits unless the advantages were phenomenal.
> 3) Do we need to consider 2^192 work factor?
> I can't see any case where I am interested in a work factor of 2^192.
> Either I am willing to make some concession to performance or I want
> it gold plated and 2^256. I would quite like to see the 2^192 work
> factor nuked.
> The only reason for going above 2^128 is that I don't trust the
> algorithm. Its not about increasing the work factor by 2^64, its about
> increasing the safety margin in the case of a cryptanalytic attack. I
> have seen attacks that reduce the work factor to the root of the
> intended one (i.e. 2^n becomes 2^(n/2)). I can't think of a better one
> that has been discovered offhand (most are not that good of course).
> So 2^256 makes me feel like I am sufficiently protected against
> algorithm compromise while 2^192 is kinda marginal.
> _______________________________________________
> Cfrg mailing list