[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remove SHOULD for elliptic curve groups in IKEv2





Eric Rescorla wrote:


> The particular paper you refer to, while interesting, unfortunately,
> is a little difficult to draw direct conclusions from:
> 
> 	(1) It doesn't describe the technique you use for performing
> 	the DH key agremement you're comparing to. 


It's compared to doing modular exponentiation, i.e., g^x mod p,
using apples-to-apples on all implementation aspects outside
the core operation.  E.g. the exponentiation table precomputation,
was the same in base cases.


> 	(2) The timings you describe are on such outdated platforms
> 	(granted, they weren't outdated at the time) that it's very
> 	difficult to compare them with implementations on modern
> 	platforms.


Use the ratio of the cycle speeds for a rough measure.  It depends
on little more than the time to do a multiply.  And the time to
multiply bignums depends roughly on the square of their
lengths.  That's why EC makes so much sense as the security requirement 
increases - the modulus length increases linearly, while modexp
increases cubically.  The numbers in the '95 paper were near the
breakeven point and were trying to match DES security.  Today, you
need more strength, and EC makes more and more sense, at least in
the computational sense of sense.

Hilarie