Score:0

ECDH security vs. type of elliptic curve

While using ECDH key exchange, we can choose to use different kinds of elliptic curves, e.g. P224, P256 or P384 etc. (btw, I am using Go).

My question is, what are the criteria for choosing between the different kinds of elliptic curves? Is it related to the desired security level? If yes, what is the "rule of thumb" for choosing between the curves?

Maarten Bodewes:
It's the key *strength*; you can check this strength on [keylength.com](https://keylength.com). Very basically: P224 delivers ~112 bits of security (and should not be used anymore), P256 has 128 bits of security, etc. That's against attacks using regular computers, not full-fledged quantum computers; for that ECDSA is broken. Fortunately, those don't exist yet (but for long term security...)
fgrieu:
Notice that "full-fledged quantum computers" breaking ECDSA (aka [Cryptographically Relevant Quantum Computers](https://crqc.grieu.fr)) do not exist yet. It remains hypothetical that they are possible.
poncho:
@fgrieu: yes, we don't know that CRQCs will ever exist, however I don't know if the security assumption that "there will never be one" is a tenable one, at least in the long term...
fgrieu:
@poncho: agreed it's imprudent to assume there will be no CRQC in the long term. I'm all in for 1) Research on Post-Quantum Cryptography now. 2) Early adoption of PQC on top of tried-and-tested asymmetric crypto when stakes are high and even a low risk of break within a decade or two would be a concern. 3) For all other applications (that is, most), building crypto-agility in new designs. 4) Beefing up symmetric key and perhaps block size in symmetric crypto, because we can, and there is proof (bitcoin…) that Moore-like laws survive Gordon Moore.
Score:0
For most elliptic curves in general use, the security level in bits is approximately half the number of bits in the curve. Thus, X25519 and P256 provide about 128-bit security, P384 provides 192-bit security, X448 provides 224-bit security, and P521 provides approximately 256-bit security.

In general, we believe 128-bit security to be sufficient for current and future needs, but smaller levels are not. Generally, the recommendation is to use X25519 or X448 unless you know you need something else, because these are almost always implemented in a constant-time way and thus more likely to be secure in practical implementations. P224 is too small, but P256, P384, and P521 are also fine if implemented in a constant-time manner. You can use larger curves if you'd like to hedge against further classical computational advances, but of course that comes with a performance cost.

Note that any use of elliptic curve cryptography would be broken by a cryptographically relevant quantum computer, which does not yet exist (and whose future existence is possible but unknown).
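
The selection rule described in this answer, as an added Go example that is not part of the original answer: it uses the standard library's `crypto/ecdh` package to pick the smallest curve for a target security level and then runs one exchange. The helper names `pick` and `agree` are hypothetical, the levels are the approximate figures quoted above, and X448 is left out because `crypto/ecdh` does not provide it.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"errors"
	"fmt"
)

// pick (hypothetical helper) returns the smallest crypto/ecdh curve whose
// approximate classical security level, about half the curve size, meets minBits.
func pick(minBits int) (string, ecdh.Curve, error) {
	switch {
	case minBits <= 128: // P-256 is the same level; X25519 is the default choice
		return "X25519", ecdh.X25519(), nil
	case minBits <= 192:
		return "P-384", ecdh.P384(), nil
	case minBits <= 256:
		return "P-521", ecdh.P521(), nil
	}
	return "", nil, fmt.Errorf("no curve offers %d-bit security", minBits)
}

// agree runs one exchange on curve c and returns each side's shared secret.
func agree(c ecdh.Curve) ([]byte, []byte, error) {
	a, e1 := c.GenerateKey(rand.Reader)
	b, e2 := c.GenerateKey(rand.Reader)
	if err := errors.Join(e1, e2); err != nil {
		return nil, nil, err
	}
	// Only encoded public keys cross the wire; NewPublicKey validates them.
	aPub, e1 := c.NewPublicKey(a.PublicKey().Bytes())
	bPub, e2 := c.NewPublicKey(b.PublicKey().Bytes())
	if err := errors.Join(e1, e2); err != nil {
		return nil, nil, err
	}
	sa, e1 := a.ECDH(bPub)
	sb, e2 := b.ECDH(aPub)
	return sa, sb, errors.Join(e1, e2)
}

func main() {
	for _, want := range []int{128, 192, 256} {
		name, c, _ := pick(want) // these three levels always resolve
		sa, sb, err := agree(c)
		fmt.Println(want, name, len(sa), string(sa) == string(sb), err)
	}
}
```

The raw shared secret should be passed through a key derivation function before being used as a symmetric key.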
