The basic assumption that EC is based on is that it is harder to cryptanalyse EC parameters than modular parameters of the same length.

The problem is that this assumption may not be valid. EC is a pretty new field and interest in EC algorithms has been pretty sparse. We have several centuries of experience with modular arithmetic, however.

People are still coming up with fundamental theorems in the EC space such as the 'Fermat's Last Theorem' proof that demonstrated all elliptic curves are modular. What if someone can convert one to the other in acceptable time for the classes of EC we use in crypto?

Len Adleman has been cautioning folk against using EC for several years. I strongly suspect he is working on the topic again after he showed that hyperelliptic curves are no stronger than those in 2D.

While I don't have a major problem with using EC in place of 1024 bit RSA for performance, performance alone is unlikely to persuade the group that the algorithms are SHOULD and not MAY.

I do have a major problem with people using EC in place of RSA or DSA for higher levels of security. That is the justification being made for their inclusion as SHOULD instead of MAY. I find the argument on that score to be less than compelling. If you are using 256 bit AES the computational issues of 2048 bit RSA should be irrelevant to you and the computational issues of 3072 or 4096 should not be a major issue.

Phill

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227

> -----Original Message-----
> From: Scott G. Kelly [mailto:skelly@SonicWALL.com]
> Sent: Thursday, March 14, 2002 12:41 PM
> To: Hallam-Baker, Phillip
> Cc: 'Mark Winstead'; 'Andrey Jivsov'; Chris Trobridge;
> ipsec@lists.tislabs.com
> Subject: Re: Remove SHOULD for elliptic curve groups in IKEv2
>
>
> Hi Phill,
>
> I'm not a cryptographer, so bear with me.
>
> "Hallam-Baker, Phillip" wrote:
> <trimmed...>
> > I am still waiting for someone to provide a good reason for making ECC
> > more than a MAY. The key length argument is fatuous. Concern about
> > brute force attack is not a good reason to use the longer key lengths,
> > the additional encryption rounds are.
>
> I can think of two reasons to use ECC:
>
> 1) It reduces the computational overhead of the DH computation for IKE
> and IPsec tunnels. This is valuable today on either a high-end box
> supporting bazillions of tunnels, or on a computationally constrained
> device where MODP might take 2-3 minutes. This is true for DES, 3DES, or
> AES key lengths.
>
> 2) It reduces computational overhead of the computation for longer key
> lengths when compared to MODP calculations, if one actually desires a
> bit-strength comparable to key length (and so, would use much longer
> moduli/exponents if MODP were used instead). This belief is based upon
> the notion that to provide keys which are not susceptible to anything
> short of brute strength attack, we need to use longer moduli/exponents
> for MODP.
>
> You seem to be saying that (2) is invalid. If this is what you mean to
> say, can you explain why this is so?
>
> Thanks,
>
> Scott