[144609] in cryptography@c2.net mail archive
Re: 112-bit prime ECDLP solved
daemon@ATHENA.MIT.EDU (Zooko Wilcox-O'Hearn)
Mon Jul 20 19:36:15 2009
In-Reply-To: <p06240807c6892318e048@[10.20.30.158]>
Cc: Cryptography List <cryptography@metzdowd.com>
From: Zooko Wilcox-O'Hearn <zooko@zooko.com>
Date: Sun, 19 Jul 2009 18:06:41 -0600
To: Paul Hoffman <paul.hoffman@vpnc.org>
On Sunday,2009-07-19, at 13:24 , Paul Hoffman wrote:
> At 7:54 AM -0600 7/18/09, Zooko Wilcox-O'Hearn wrote:
>> This involves deciding whether a 192-bit elliptic curve public key
>> is strong enough...
>
> Why not just go with 256-bit EC (128-bit symmetric strength)? Is
> the 8 bytes per signature the issue, or the extra compute time?
Those are two good guesses, but no. The main concern is the size of
the public key. This is why (if I understand correctly),
hyperelliptic curves might eventually offer public key signatures
which are twice as good for the purposes of TahoeLAFS as elliptic
curves. (By which I mean, the keys are half as big.) I discussed
this topic a bit in a subsequent message to the cryptography mailing
list entitled "Why hyperelliptic curves?".
Actually, the computation time matters, too. Our measurements on an
ARM 266 MHz embedded system showed a significant penalty for 256-bit
ECDSA vs. 192-bit:
http://allmydata.org/pipermail/tahoe-dev/2009-June/002083.html
Regards,
Zooko
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
