
Re: Remove SHOULD for elliptic curve groups in IKEv2



Hi Phill,

I'm not a cryptographer, so bear with me. 

> "Hallam-Baker, Phillip" wrote:
<trimmed...> 
> I am still waiting for someone to provide a good reason for making ECC
> more than a MAY. The key length argument is fatuous. Concern about
> brute force attack is not a good reason to use the longer key lengths,
> the additional encryption rounds are.

I can think of two reasons to use ECC: 

1) It reduces the computational overhead of the DH computation for IKE
and IPsec tunnels. This is valuable today on either a high-end box
supporting bazillions of tunnels, or on a computationally constrained
device where MODP might take 2-3 minutes. This is true for DES, 3DES, or
AES key lengths.

2) It reduces computational overhead of the computation for longer key
lengths when compared to MODP calculations, if one actually desires a
bit-strength comparable to key length (and so, would use much longer
moduli/exponents if MODP were used instead). This belief is based upon
the notion that to provide keys which are not susceptible to anything
short of brute strength attack, we need to use longer moduli/exponents
for MODP.

You seem to be saying that (2) is invalid. If this is what you mean to
say, can you explain why this is so?

Thanks,

Scott
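
The size comparison behind point (2), as an added example that is not part of the original message. It assumes the asymptotic GNFS running-time heuristic (o(1) term dropped) for MODP groups and the square-root cost of generic attacks for elliptic curve groups, so the sizes are rough estimates rather than standardized equivalences; all function names are illustrative.

```python
import math

def gnfs_bits(modulus_bits):
    """Estimated attack work (log2) against a MODP group with a modulus of
    this size, using the GNFS heuristic L_n[1/3, (64/9)^(1/3)] without the
    o(1) term (assumption: uncalibrated, so only a rough guide)."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    work_ln = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / math.log(2)

def modp_bits_for(strength_bits, step=64):
    """Smallest modulus size (a multiple of `step`) whose estimated attack
    work reaches `strength_bits`."""
    size = step
    while gnfs_bits(size) < strength_bits:
        size += step
    return size

def ecc_bits_for(strength_bits):
    """Generic (Pollard rho) attacks on a group of order ~2^m cost about
    2^(m/2), so the group order needs twice the target strength."""
    return 2 * strength_bits

def compare(strengths=(112, 128, 192, 256)):
    """Rows of (symmetric strength, estimated MODP bits, EC group bits).
    112 is taken as the effective strength of 3DES; the rest are AES sizes."""
    return [(k, modp_bits_for(k), ecc_bits_for(k)) for k in strengths]

if __name__ == "__main__":
    print(f"{'strength':>8} {'MODP bits':>10} {'EC bits':>8}")
    for k, modp, ecc in compare():
        print(f"{k:>8} {modp:>10} {ecc:>8}")
```

The MODP column grows much faster than the EC column as the target strength rises, which is the gap that point (2) refers to.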