El movimiento social de las comunidades negras

If one’s bound for saturated security and saturated efficiency are higher than all one’s known algorithms, or even if one has no doubly-saturated, algorithms, then rather than trying to optimize only one of security and efficiency, as above in §B.6, one can instead attempt to unify the metrics into a single objective to optimize.

One reasonable unified metric is the work ratio w, which is security times efficiency

w = se. This metric can be called the work ratio because efficiency is an inverse of the user’s work, so the work ratio is the adversary’s work divided by the user’s work.

Note that for work ratio to make any sense, it is important to use absolute metrics—not metrics that are artificially relative to something like curve size.

In the security-efficiency plane, the constant work ratio contours are hyperbolas. But if we plot these contours using the logarithm of security as the x-axis, then the contours become reverse exponential functions to the base two. See Figure 4. In this plane, if the defective efficiency level is non-negligible, the nearly vertical slope of these contours makes work ratio appear quite similar to log-security. Note that this is vertical appearance is preserved under scaling of efficiency and translation of log-security. These exponential functions are of course what happens to the hyperbola contour as the security compressed into the log-security axis.

320 efficiency

log−security −64 0 64 128 192 256

Figure 4: Work Ratio: Constant Value Contour Curves Nearly Vertical in the Log-Security- Efficiency Plane

Remark B.5.Figures can be misleading, but so can numbers. It is common to refer to security in bits, or in powers of two. Hence this report’s use of log-security in the figures. Also, it is common to consider a range of security levels that cannot fit into any meaningful plot.

On the one hand, one might think the steep slopes of work ratio contours as a misleading image. The steepness is partially an artifact of the tremendous compression that happens when viewing log-security instead of security. We will see later another intermediate metric with less steep slopes. On the other hand, using log-security numbers is misleading in the sense of under-representing larger

security levels, e.g. 2256_{or 256-bit, security is substantially more than than 2}128_{or 128-bit security.} As much as a person tries to remember that one is thinking about log-security, not security, it is so easy to slip into the thought that the gain is small.

If the figures in this report used security on the horizontal axis instead of log-security, and showed a 2256 security level, the security levels 2128 and 0 would be closer together than a proton.

More specifically, the work ratio in elliptic curve cryptography usually depends mainly on the curve sizen. Suppose that curvesCandDhave nearly the same ordersnC ≈nD ≈n, but clearly different efficiencies eC > eD. A DH-based efficiency metric usually means that the group operation will be proportional to the DH operation. The Pollard rho algorithm will take a time ofC√ngroup operations (but perhaps with an extra factor depending on

n). In this case, the ratio wC will be proportional to about √

n

log(n) and depend only on n.

So, wC ≈ wD. In particular, the effect of the curve efficiency eC will be cancelled out of the the work ratio. (This may be counter-intuitive, but see the next section on progressive ratio.)

So, using work ratio for comparing curves will usually favor larger curves, maximizing the curve sizenC, always assuming prime order curve sizes. (This may change for different cofactor values.)

Curves can be arbitrarily large, as the curve size increases, its size will reach the point where either:

• efficiencyeC ≈e0 becomes almost defective, and thus barely tolerable, overriding the

benefit of work ratio; or

• securitysC ≈s1 becomes almost saturated, and thus one can safely optimize efficiency

without worrying any more about work ratio;

or perhaps both. The latter case in which security continues to grow with size hinges on the widely accepted belief that generic group algorithms represent the main way in security depends on the elliptic curve choice.

Given a choice between two or more curves (algorithm) with the equally good work ratio, they will necessarily be mutually non-dominating, because of the negative slope of the work ratio contours. If none of the curve choices have both security and efficiency saturated, and if not all have the saturated security, and if not all have saturated security, then the trading methods above can be used, but these are not ideal. The next intermediate metric might be useful in this context.

Remark B.6.The near vertical slope of the work ratio contours creates a misleading impression that climbing up the slope leads to much greater gain than descending it. This is an artifact of the compression used in drawing log-security. One should not base a curve choice on such an artificial sketch, I think.

Remark B.7.Given the previous observation that work ratio depends mainly on curve size. It seems that work ratio ties will arise mainly between of very similar sizes.

It seems to be a tradition in ECC to favor efficiency in this situations. Consider the NIST curve P256 which uses a special Solinas prime to be more efficient.

This would be perfectly justifiable if one thinks security saturated, but another tradition in ECC is to consider two or more different security levels, which indicates that at least the lower levels

among the list are not saturated. For example, the NIST recommended curves and the Suite B subset of these.

Because smaller-sized curves are considered in these lists, it seems that work ratio is not being optimized. Perhaps these multiple security levels represent different estimates on what constitutes saturated security. But that seems unlikely, since the estimates for saturated involve simple powers of two for the approximate curve sizes, rather than some kind of assumptions about computing power and so on.

Therefore, the current tradition seems not to follow the strategy of work ratio. This seems to be mistake.

Remark B.8.Another example of curves with similar work ratios are the ten NIST binary curves. They group in five pairs, a random curve and a Koblitz with nearly the same size. It suspect that the Koblitz has a smaller work ratio, because the speed-up of Pollard rho due to the Frobenius endomorphism is greater than the speed-up of scalar multiplication. If this is true, then one should prefer the random curves, unless the random curve has defective efficiency, or the corresponding Koblitz curve has saturated security.