On Thu, Jul 6, 2017 at 10:46 AM, Gervase Markham via dev-security-policy < [email protected]> wrote:
> On 05/07/17 14:49, Alex Gaynor wrote:
> > Is it really true that additional curves are just additional parameters?
> I
>
> That was my assumption; additional clue on this point would be welcome.

As Alex mentioned - it's generally not the case. While you can implement with generic parameters, this can create both security and performance issues, and so the preference within cryptographic libraries is to maintain optimized versions (optimized for constant time, which is not always easy, but also optimized for performance).

For NSS, consider the contributions from Intel - https://bugzilla.mozilla.org/show_bug.cgi?id=1073990 , the performance analysis in https://bugzilla.mozilla.org/show_bug.cgi?id=1125028 , the performance optimizations in https://bugzilla.mozilla.org/show_bug.cgi?id=653236 , and the performance issues in https://bugzilla.mozilla.org/show_bug.cgi?id=1293936 . In short, it generally gravitates towards per-platform, per-curve optimizations.

I think it's also worthwhile to consider the performance impact - https://www.imperialviolet.org/2010/12/21/eccspeed.html . Note where P-521 falls on that graph. While this is 7 years ago, the numbers have not (to my knowledge) substantially improved in relation to each other.

It's also useful to think of this similar to RSA. The Baseline Requirements do not set a maximum bound on the RSA modulus size - merely specifying a minimum of 2048. However, in practice, >= 8096 is not supported, due to limitations that many platforms impose, due to the computational cost. So the Web PKI does determine an effective limit, even if NSS supports up to 16K RSA moduli sizes (but imposes 16K as the limit, again, for performance reasons). So the Web PKI certainly imposes limits - for performance, security, and interoperability - so it's not unreasonable to impose this same limit.
The performance gulf, and the added overhead, do not make it significantly compelling to add support for, and the security boundary between 192-bits and 256-bits is somewhere in the "heat death of the universe" level security (see https://www.imperialviolet.org/2014/05/25/strengthmatching.html ).
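The per-curve cost the message refers to is easy to observe directly. The following is an added example, not code from the message or from NSS: it uses Go's standard-library `crypto/ecdh` (assumed Go 1.20 or newer) to time ECDH key agreement on P-256, P-384 and P-521 and to confirm both parties derive the same secret. Absolute numbers depend on the machine; the point is the ratio between curves, which reflects that the library ships platform-specific optimized code for P-256 while the larger curves run on more generic constant-time arithmetic.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"fmt"
	"time"
)

// CurveResult records one curve's ECDH cost and whether both sides agreed.
type CurveResult struct {
	Name      string
	SecretLen int           // size of the shared secret in bytes
	PerAgree  time.Duration // wall-clock time per ECDH() call
	Agreed    bool          // both parties derived the same secret
}

// benchCurve generates two key pairs on c and times `iters` rounds of mutual
// key agreement. Key generation stays outside the timed region so the
// measurement reflects the scalar multiplication that dominates ECDH.
func benchCurve(name string, c ecdh.Curve, iters int) (CurveResult, error) {
	alice, err := c.GenerateKey(rand.Reader)
	if err != nil {
		return CurveResult{}, err
	}
	bob, err := c.GenerateKey(rand.Reader)
	if err != nil {
		return CurveResult{}, err
	}
	var fromAlice, fromBob []byte
	start := time.Now()
	for i := 0; i < iters; i++ {
		if fromAlice, err = alice.ECDH(bob.PublicKey()); err != nil {
			return CurveResult{}, err
		}
		if fromBob, err = bob.ECDH(alice.PublicKey()); err != nil {
			return CurveResult{}, err
		}
	}
	elapsed := time.Since(start)
	return CurveResult{
		Name:      name,
		SecretLen: len(fromAlice),
		PerAgree:  elapsed / time.Duration(2*iters),
		Agreed:    bytes.Equal(fromAlice, fromBob),
	}, nil
}

// BenchmarkNISTCurves runs the comparison over the three NIST curves the
// Web PKI discussion is about: P-256, P-384 and P-521.
func BenchmarkNISTCurves(iters int) ([]CurveResult, error) {
	curves := []struct {
		name string
		c    ecdh.Curve
	}{
		{"P-256", ecdh.P256()},
		{"P-384", ecdh.P384()},
		{"P-521", ecdh.P521()},
	}
	results := make([]CurveResult, 0, len(curves))
	for _, cv := range curves {
		r, err := benchCurve(cv.name, cv.c, iters)
		if err != nil {
			return nil, err
		}
		results = append(results, r)
	}
	return results, nil
}

func main() {
	results, err := BenchmarkNISTCurves(200)
	if err != nil {
		panic(err)
	}
	base := results[0].PerAgree // P-256 is the reference point
	for _, r := range results {
		fmt.Printf("%-6s secret=%2d bytes  %10v per ECDH  (%.1fx P-256)  agreed=%v\n",
			r.Name, r.SecretLen, r.PerAgree, float64(r.PerAgree)/float64(base), r.Agreed)
	}
}
```

Run it with `go run .`; the shared-secret lengths (32, 48 and 66 bytes) are fixed by the curves, while the P-521 to P-256 ratio is the number to compare against the eccspeed graph linked above.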

