On Thu, Jul 10, 2014 at 5:33 AM, Kurt Roeckx <k...@roeckx.be> wrote:
>
> [snip]
> Another alternative is using curve25519. It's also not standardized yet,
> but at this time it seems more likely to be standardized first.

Thanks for bringing up curve25519. I'd like to share a recent paper written by Daniel J. Bernstein, Chitchanok Chuengsatiansup, and Tanja Lange: "Curve41417: Karatsuba revisited." http://cr.yp.to/papers.html#curve41417

Section 1.5, "Is high security useful?" is particularly interesting.

I think it is likely the case that Curve25519 solves the wrong problem*: it tries to be faster than NIST P-256 but only the same strength, but I think a new standard curve should be the same speed as NIST P-256 but much stronger.

My thinking is that now, when Curve25519 isn't an option, everybody is using P-256 without significant performance complaints. This shows that we don't really need something faster than P-256. Further, as the paper states in section 1.5, there are quite a few reasons to want to have a security level higher than ~125 bits, if we can get it with reasonable performance and without compromising other security goals, which we apparently can, according to this paper.

By the way, an extra notable merit of this paper is that they focused on ARM performance.

I would like to hear what others think about this, including what people think Gecko should do.

Cheers,
Brian

* Besides performance, Curve25519 solves other problems, but in general all of the other new alternatives like curve41417 solve them too.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto