19

Found a few issue threads, notably for Chrome (Chromium issue #478225), and the browser does appear to have dropped support for the secp521r1 curve (can test your browser using SSLLabs). There were other issue threads for other software packages that also claim that the curve will not be supported as of certain releases earlier this year.

I do not recall reading about any cryptographic issues or deprecation of this curve, so wondering why this change occurred. I did not see any conclusion on that issue thread pertaining to Chrome.

AJAr
  • 2,352
  • 1
  • 14
  • 22

1 Answers1

24

The main culprit is NSA Suite B -- or, rather, people who read that document as something that it is not. NSA Suite B says that NSA uses curves P-256 and P-384. Some people have chosen to interpret that as "don't use any other curve". P-521 (aka "secp521r1") is not one of these curves, hence its removal.

There is nothing wrong with P-521, except that it is, in practice, useless. Arguably, P-384 is also useless, because the more efficient P-256 curve already provides security that cannot be broken through accumulation of computing power (see this answer for a discussion on that subject). Yet people and even NSA uses P-384, which goes a long way to show that the choice of what elliptic curve to use in a given cryptographic protocol is not fully a matter of pure rational logic and security assessment. People who are in the position to decide whether a given curve is acceptable or not will make choices based on their perception of how their choices will be perceived by other people who themselves are not necessarily the most logical of thinkers (or not at least perceived to be such).

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
  • Thank you for the response. I just wondered about it after looking into the available curves in my OpenSSL installation, curious why this curve saw a revocation of prior support. Answered the question, and I agree that there is no good reason to use P-384 or P-521 vs. P-256 given what is realistic to break as an isolated curve apart from the others. – AJAr Sep 24 '15 at 07:15
  • 1
    FIPS 140-2 calls out P-256 and P-384. However, the assertion that P-384 is "useless" is no longer valid see https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf for details. It is highly recommend at this point to switch from prime256v1 to secp384r1. – EagleEye208 Nov 19 '15 at 23:28
  • Switching from 256 to 384 bit ECC doesn't cost much, so why not use it? It's still faster than non-EC cryptography used today. – Smit Johnth Jan 01 '16 at 02:04
  • 1
    @hackajar that paper only seems to recommend using elliptic curves, but I can't find any mention of which curves they would recommend? – Stefan L Aug 29 '17 at 08:23
  • 3
    Support for [x25519](https://en.wikipedia.org/wiki/Curve25519) seems to be fairly good today if you want to avoid using those from NSA Suite B. – Christopher Schultz Jan 09 '18 at 15:54
  • 1
    AFAIK P-521 is used for data that should be secret also in a few more years. Imagine some country was able to get nuke data encrypted with p256 in few more years when the computers will be stronger it may become possible, P521 decrease this possibility by many times. – igor Apr 03 '18 at 06:11
  • Firefox did the same thing: "it's not Suite B, so it should be removed". https://bugzilla.mozilla.org/show_bug.cgi?id=1128792 – schroeder Jan 23 '20 at 09:25