> -----Original Message-----
> From: Paul Hoffman / VPNC [mailto:paul.hoffman@vpnc.org]
> Sent: Tuesday, March 12, 2002 11:01 AM
> To: andrew.krywaniuk@alcatel.com; ipsec@lists.tislabs.com
> Subject: RE: Remove SHOULD for elliptic curve groups in IKEv2
>
>
>
> In the IETF, SHOULDs are supposed to reflect reality.
Exactly, the reality. The reality is that to implement AES at full strength, the most credible argument's I have seen suggest better than 3K bits using "classical" MODP for 128 bit key, better than 8K bits for 192, and better than 15K for 256 bits. (I know, one doesn't have to use full equivalent strength key generation, still should key generation be that much weaker?).
The reality. The reality is the need for speed is increasing while the need for larger primes for RSA and MODP are increasing. The case was made a few months back in this group that hardware acceleration is reaching its limits in terms of bit size. At the same time, devices with severly limited memory sizes are being put out by commercial interests and some of these need to operate in a secure environment.
So, an alternative is needed. I hear objections that ECC doesn't have a bunch of implementations, so it can't be readily acceptable. But one more reality:
The reality. The reality is that alternatives to RSA and MODP discrete logs are hard and costly to implement. At least most interests don't want to commit the resources to ECC if the standards aren't there, and now the standards bodies don't want to commit if the implementations aren't there.
If not ECC, what?