On Tue, Dec 24, 2013 at 03:00:37AM +1100, nanotek wrote:
> >We obviously don't know which is stronger against hypothetical
> >unpublished attacks, EDH at 2048-bits or the P-256 curve. Feel
> >free to roll the dice. Against publically known attacks P-256 is
> >both more secure and more computationally efficient than 2048-bit
> >EDH.
>
> I think 384-bit ECDSA keys might be my choice then?
I don't have any interoperability information for NIST P-384 (i.e.
secp384r1). Like its P-256 cousin it is part of Suite B, and thus
generally also supported by software that supports P-256, but it
likely not as widely used as P-256. If there are any practical
unpublished attacks on P-256, one might guess they would be due to
the curve being "cooked" to be vulnerable. In that case, it would
seem prudent to assume that P-384 is also suspect. If you're
sufficiently paranoid, there is nothing you can trust.
I don't see any compelling reason to prefer P-384 over P-256, but
also know of no reasons to avoid it. P-384 has higher CPU cost,
but this is generally tolerable in MTAs, since unlike web servers
the SMTP connection rate is generally well below CPU performance
limits.
--
Viktor.
