On Thu, Jul 10, 2014 at 09:57:56AM -0700, Brian Smith wrote:
> On Thu, Jul 10, 2014 at 5:33 AM, Kurt Roeckx <k...@roeckx.be> wrote:
> >
> > [snip]
> > Another alternative is using curve25519. It's also not standardized yet,
> > but at this time it seems more likely to be standardized first.
>
> Thanks for bringing up curve25519. I'd like to share a recent paper
> written by Daniel J. Bernstein, Chitchanok Chuengsatiansup, and Tanja
> Lange:
>
> "Curve41417: Karatsuba revisited."
> http://cr.yp.to/papers.html#curve41417
>
> Section 1.5, "Is high security useful?" is particularly interesting.
>
> I think it is likely the case that Curve25519 solves the wrong
> problem*: it tries to be faster than NIST P-256 but only the same
> strength, but I think a new standard curve should be the same speed as
> NIST P-256 but much stronger. My thinking is that now, when Curve25519
> isn't an option, everybody is using P-256 without significant
> performance complaints. This shows that we don't really need something
> faster than P-256. Further, as the paper states in section 1.5, there
> are quite a few reasons to want to have a security level higher than
> ~125 bits, if we can get it with reasonable performance and without
> compromising other security goals, which we apparently can, according
> to this paper.
>
> By the way, an extra notable merit of this paper is that they focused
> on ARM performance.
>
> I would like to hear what others think about this, including what
> people think Gecko should do.
I think it looks promising. But, as the paper indicates, it needs time for other people to review it before it's going to see any adoption. Curve25519, on the other hand, is almost 10 years old now, provides the security I currently think is at a good level, and is fast. So I think we should try to adopt curve25519 and later see if we should adopt Curve41417.

Kurt

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto