13

I have for a while used Koblitz curve (sect571k1), in ECDH and ECDSA. But I have started wonder if it is the most secure. I prefer security over efficiency. So the curve doesn't have to be the most efficiency curve.

I'm not looking for a curve that is only secure today, and the next few years. The compute power increases rapidly today, and I'm looking for a curve that is secure as far as possible in the future. So if someone is able to steal my encrypted data today, they should not be able to crack it in next 20 years, hopefully longer.

BufferOverflow
  • 365
  • 5
  • 10

5 Answers5

13

There is no such thing as the most secure curve. For one you can always come up with a larger curve if you need one. For another there are many measures of security and not all curves are directly comparable.

If you wanted the curve for which the current best known attack is the slowest, then by that measure sect571k1 is actually the most secure out of the curves that are in use.

However, that is not necessarily a very useful requirement, because any curve for which the best known attack is slower than ~128-bit strength equivalent will never be broken without either advances in attacks or the arrival of practical quantum computers. Those advances need not apply equally to all curves, while quantum computers would break all curves regardless of strength.

Binary field curves like the one in question are sometimes considered more risky because better attacks are known than for prime field curves of similar size, so it is thought that new attacks are more likely. That is a judgement call.

Likewise there are other measures of security that do not apply to all curves. Perhaps the most talked about is the potential for some kind of backdoor in the parameters, which makes some distrust NIST curves in particular and any curves without a good explanation for the parameters in general. Also things like ease of secure implementation may matter in practice.

Community
  • 1
otus
  • 32,462
  • 5
  • 75
  • 167
4

Beyond weaknesses in specific curves, it is hard to give a scientific answer to this. Personally, I am quite conservative. I always prefer prime curves over binary field curves. I also think that the NIST curves P-256 and so on have been around long enough to give us strong confidence. (And they are fast enough for most applications.)

Yehuda Lindell
  • 28,270
  • 1
  • 69
  • 86
4

You might want to look at Ed448-Goldilocks, a new 448-bit Edwards curve that has been approved for use in standards like TLS by the CFRG, designed "as an alternative to both secp384r1 and secp521r1": https://eprint.iacr.org/2015/625.pdf

Deirdre Connolly
  • 340
  • 2
  • 9
3

The curve sect571k1 is not listed in the SafeCurves (http://safecurves.cr.yp.to/rho.html), but in theory it should be the most secure from the "SEC 2 ver2" curves (http://www.secg.org/sec2-v2.pdf), because its order is 02000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 131850E1 F19A63E4 B391A8DB 917F4138 B630D84B E5D63938 1E91DEB4 5CFE778F 637C1001, which is 571-bit number (the highest in the SEC 2 ver2 standard).

The Pollard rho algorithm can solve the ECDLP problem for 571-bit private key in 2^280 group operations, so the security level of the curve sect571k1 is 280 bits (learn why from this article: https://eprint.iacr.org/2009/086.pdf).

Svetlin Nakov
  • 131
  • 3
-1

There's no @secure@ cipher : everything is crackable, it's just a question of time and resources. The "longer the key"/"bigger the block"/"more bits" - the more difficult and laborious is to crack the system. Use the longer/bigger variants.

Alexey Vesnin
  • 226
  • 5
  • 8