[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Fwd: Re: P1363: prudent fields]

To: Hilarie Orman <HORMAN@volera.com>
Subject: Re: [Fwd: Re: P1363: prudent fields]
From: Yuri Poeluev <ypoeluev@certicom.com>
Date: Tue, 03 Jul 2001 09:42:45 -0400
CC: sandy@storm.ca, ipsec@lists.tislabs.com
Organization: Certicom Corp.
References: <FC360665953E429685256A78004D1326.004D421F85256A78@certicom.com>
Sender: owner-ipsec@lists.tislabs.com

The security risk justified by performance should never be taken,
especially given the fact that there is no significant difference
in performance while comparing 155-bit and 163-bit curves.

Thanks,
Yuri


Hilarie Orman wrote:
> 
> Composite exponents permit implementation using field
> towers and lead to performance advantages.
> 
> Hilarie
> 
>  >>> Sandy Harris <sandy@storm.ca> 06/26/01 11:48AM >>>
> Hilarie Orman wrote:
>  >
>  > Given that the groups have no demonstrated mathematical
>  > weaknesses
> 
> However, enough problems with composite exponents have shown up
> that we just got this advice from a wel--known crytographer:
> 
> | More generally, we recommend that elliptic curves over GF(2^n)
> | where be n is composite be avoided, including elliptic curves
> | over GF(2^185).
> 
>  > and that they have significant computational performance advantages,
> 
> If performance depends only on the size of exponent, then those
> groups --  2^155 and 2^185 -- have about the same performance as
> the group using 2^163.
> 
>  > there appears to be no reason to drop them.
> 
> I'd say there's enough doubt that the cautious course would be to
> drop them.

Prev by Date: RE: Is Anyone in the IPsec WG Writing a Draft RFC Using AES CBC MAC for ESP Integrity?
Next by Date: Question on Section 3.8 of draft-ietf-ipsec-udp-encaps-00.txt
Prev by thread: RE: Is Anyone in the IPsec WG Writing a Draft RFC Using AES CBC MAC for ESP Integrity?
Next by thread: Re: [Fwd: Re: P1363: prudent fields]
Index(es):
- Main
- Thread