On Tue, Dec 24, 2013 at 03:00:37AM +1100, nanotek wrote:

> >We obviously don't know which is stronger against hypothetical
> >unpublished attacks, EDH at 2048-bits or the P-256 curve. Feel
> >free to roll the dice. Against publicly known attacks P-256 is
> >both more secure and more computationally efficient than 2048-bit
> >EDH.
>
> I think 384-bit ECDSA keys might be my choice then?

I don't have any interoperability information for NIST P-384 (i.e.
secp384r1). Like its P-256 cousin it is part of Suite B, and thus
generally also supported by software that supports P-256, but it is
likely not as widely used as P-256.

If there are any practical unpublished attacks on P-256, one might
guess they would be due to the curve being "cooked" to be vulnerable.
In that case, it would seem prudent to assume that P-384 is also
suspect. If you're sufficiently paranoid, there is nothing you can
trust.

I don't see any compelling reason to prefer P-384 over P-256, but
also know of no reasons to avoid it. P-384 has higher CPU cost,
but this is generally tolerable in MTAs, since unlike web servers
the SMTP connection rate is generally well below CPU performance
limits.

--
Viktor.