
Re: Regrouping for IPSEC WORKING GROUP LAST CALL



[For those who don't read PostScript, the relevant section of the cited 
 paper by Müller and Paulus says that "...for composite fields... 
 there might be better methods" for attacking the elliptic curves.]

Paul Lambert writes:
> The specification currently has field sizes of 155 and 185 exponents.
> ANSI has 163, 191, 239, 359 and 431. ANSI strongly recommends against
> using field sizes less than 160!
> 
> So, I propose that in the current IKE draft that:
[...]
> 2) Two additional groups be added from the existing ANSI definitions 
> (163 and 239).

I'm in favor of adding curves over field sizes of 163 and 239. 
However I oppose including the specific curves defined in ANSI.
(Are these defns. from NCITS, or X9.62, or some other group?) 
Those curves already present relatively rich targets for 
precomputation attacks by virtue of their inclusion in an ANSI
standard. Let's put the IPSEC eggs in separate baskets by 
generating some fresh curves for IKE with the requisite field sizes.

-Lewis  <pseudonym@acm.org>  <http://www.cs.umass.edu/~lmccarth>

