Re: [Cfrg] Elliptic curve evaluation truths

Watson Ladd <watsonbladd@gmail.com> Tue, 25 November 2014 16:34 UTC

From: Watson Ladd <watsonbladd@gmail.com>
To: "Parkinson, Sean" <sean.parkinson@rsa.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/0miM0FgKeN8-tztsWi5R0_flXDk
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic curve evaluation truths

On Mon, Nov 24, 2014 at 11:56 PM, Parkinson, Sean
<sean.parkinson@rsa.com> wrote:
> In hopes of reaching consensus, I thought I might start a list of known
> truths.
>
> Please don’t just argue against each point but instead look to refine the
> statements where possible.
>
>
>
> 1.       Only curves over prime fields are being considered.
>
> 2.       Good, efficient implementations of Twisted Edwards curves will be
> faster than good, efficient implementations of short Weierstrass with the
> same prime.
>
> 3.       Good, efficient Montgomery curve implementations are simpler than
> good, efficient Twisted Edwards and short Weierstrass curve implementations.
>
> 4.       Montgomery curves cannot be used for signing/verification
> operations.

This is incorrect: see DJB's "Curves, Coordinates and Computation
emails". One can retrieve y-coordinates from the Montgomery ladder.
In fact, 2 and 3 both need to be reworked in light of this email.

The correct statement is that curves with a complete addition law are
easy to work with, and that the Montgomery ladder is also very simple.
Curves have a complete addition law if they are isomorphic to Edwards
curves, which is almost the same as having a point of order 4. The
Montgomery ladder works for curves with a point of order 4. (I may
have gotten the conditions somewhat wrong: this is morally correct)

How the curve is presented on the wire doesn't change this: one does a
few fast calculations to put the point retrieved from the wire in the
preferred form for calculation, and a few fast ones at the end to put
it back in the form on the wire.

This is also missing security considerations: it's easy to get
multiplication correct with a complete addition law, much harder
without one. Edwards curves always have a complete addition law, while
Twisted Edwards may or may not, depending on the value $a$ being a
quadratic residue or not.

>
> 5.       Small co-factor curves are no weaker, in terms of small subgroup
> attacks, than co-factor 1 curves.
>
> 6.       Twisted Edwards and short Weierstrass but not Montgomery curves
> support pools of points for ephemeral DH.

What do you mean by pools of points? Do you mean fast fixed-base
exponentiation? In that case one can do a fast fixed-base
exponentiation on the isomorphic or isogenous Edwards curve, and use a
few fast computations to get the point on the Montgomery curve.

>
> 7.       NIST curves are going to be in use for some time.
>
> 8.       One curve at about WF-128 is required.
>
> 9.       At least one curve with WF greater than 128 is required.
>
> 10.   Good, efficient implementations of curves using special primes are
> significantly faster than good, efficient implementations using random
> primes.
>
> 11.   There are steps in performance based on the number of words used.
>
> 12.   There are a few special primes that are significantly faster than the
> step they are on.
>
> 13.   The curves chosen will be used for ECDH and ECDSA.
>
> 14.   The curves will be used in TLS and certificates.
>
>
>
> If you have more truths then please add to this list.
>
>
> Sean



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin