Add 521 bit curve for equivalent security level as symmetric 256 bit #268

Closed
Darkspirit opened this issue Aug 16, 2016 · 1 comment

Comments


Darkspirit commented Aug 16, 2016

As long as there are no alternative curves with that long-term security level, I would like to use secp521r1 both for ECDSA and ECDHE. So please do not use this for future Mozilla products, unless this security level is given. This should be worth for an extra donation to Mozilla for developer motivation.

@briansmith
Owner

Thanks for the suggestion.

> As long as there are no alternative curves with that long-term security level, I want to use secp521r1 both for ECDSA and ECDHE.

I made some design decisions in ring that make it kind of painful to support P-521. In particular, supporting P-521 would increase the memory and stack size requirements for P-256 and P-384.

Also, the optimal implementation strategy for P-521 field operations (especially modular multiplication and squaring) is very different from the strategy used in ring. Code would need to be refactored to support alternate implementation strategies, or P-521 would be quite inefficient. Not very appealing either way.

I'm not saying I'd never add P-521, but right now I think the cost:benefit ratio is too low, as far as I understand all the factors.

> So please do not use this for future Mozilla products, unless this security level is given. This should be worth for an extra donation to Mozilla for developer motivation.

This is not a Mozilla project.

Thanks again for the suggestion!
