7

There is a plethora of elliptic curves that are close to the 256-bit security level (i.e., fields and groups of approximately 512 bits). Examples are Curve448, P-521, Brainpool-P512.

The standard rationale for 256-bit symmetric ciphers is to protect against Grover's algorithm, which would halve the security level. However, in such a post-quantum setting, Shor's algorithm would destroy both 256-bit curves (with 128-bit security, e.g. Curve25519 or P-256) and 512-bit curves.

In the pre-quantum setting, breaking 128-bit security is most probably out of reach for mankind, and 256-bit security is astronomically further away.

Seemingly, neither the post-quantum nor the pre-quantum world has any benefit from using elliptic curves that achieve more than the standard 128-bit security level, so what is the point of their existence and their standardization?

Ruben De Smet
  • 2,530
  • 15
  • 27

2 Answers

7

what is the point of their existence and their standardization?

I would agree with your assessment; I also don't see the point of nonspecial [1] curves significantly larger than 256 bits.

However, based on my observations, I see two attempted justifications:

  • What if someone found a 'weakening' of the elliptic curves (but not to a point that they're totally broken); a 256-bit curve might become weak, but a circa 500-bit curve might retain enough strength.

  • Some people have a superstition about 'mismatched cryptography' - if one part of your system has '256 bits of security', then all your components ought to have 256 bits of security, otherwise, well, perhaps you'll end up misleading people about how strong your system is (or something).

I don't personally consider either argument that persuasive, but that's what I've heard...

[1]: I'm not counting pairing-friendly curves (which need to be somewhat larger to account for recent attacks) or curves used for supersingular isogenies; you're also not thinking of those cases; I just thought to be thorough...

poncho
  • 154,064
  • 12
  • 239
  • 382
0

For JWT tokens, ES512 is relatively common. But I ran into this, where if you want to share a certificate that's used by TLS, then you get stuck with ES256. I thought that TLS used to have the larger curve, and it got removed as "excessive". I just picked ES512 for my tokens because I had read that P-256 has some weakness. The fact that 512 is "excessive" indicated that maybe that's what I should be using. I did notice that if I didn't cache such tokens, my profiler was showing me that the CPU was getting monopolized doing a big.Int divide operation. So legitimate operations can be slow; but it was perfectly fine for my uses, since I cached tokens while they were unexpired.

Rob
  • 349
  • 1
  • 13
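Rob's profiling observation above, that ES512 (P-521) signing was eating CPU, can be measured directly. The Go program below is an added example, not code from the answer or from any project: it signs a constructed message with Go's standard crypto/ecdsa on P-256/SHA-256 (ES256-style) and on P-521/SHA-512 (ES512-style) and reports how many times slower the larger curve is on the machine running it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
	"time"
)

// signCost signs digest n times with a fresh key on curve; returns mean time per signature.
func signCost(curve elliptic.Curve, digest []byte, n int) (time.Duration, error) {
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return 0, err
	}
	var sig []byte
	start := time.Now() // time only the signing loop, not key generation
	for i := 0; i < n; i++ {
		if sig, err = ecdsa.SignASN1(rand.Reader, priv, digest); err != nil {
			return 0, err
		}
	}
	per := time.Since(start) / time.Duration(n)
	if !ecdsa.VerifyASN1(&priv.PublicKey, digest, sig) { // sanity-check the last signature
		return 0, fmt.Errorf("%s: signature did not verify", curve.Params().Name)
	}
	return per, nil
}

// SlowdownRatio returns how many times slower ES512-style (P-521/SHA-512) signing is than ES256-style (P-256/SHA-256).
func SlowdownRatio(n int) (float64, error) {
	msg := []byte("constructed sample signing input, not a real JWS payload")
	d256, d512 := sha256.Sum256(msg), sha512.Sum512(msg)
	t256, err := signCost(elliptic.P256(), d256[:], n)
	if err != nil {
		return 0, err
	}
	t521, err := signCost(elliptic.P521(), d512[:], n)
	if err != nil {
		return 0, err
	}
	return float64(t521) / float64(t256), nil
}

func main() {
	fmt.Println(SlowdownRatio(200)) // prints the ratio and a nil error on success
}
```

The absolute ratio depends on the Go version and CPU (P-256 has a hand-optimized implementation, P-521 does not), so treat the number as a per-machine measurement rather than a constant.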