Re: [Cfrg] Curve manipulation, revisited

Benjamin Black <b@b3k.us> Mon, 29 December 2014 21:07 UTC

Return-Path: <b@b3k.us>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B8FC1A8ACD for <cfrg@ietfa.amsl.com>; Mon, 29 Dec 2014 13:07:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4OVI55kAt02I for <cfrg@ietfa.amsl.com>; Mon, 29 Dec 2014 13:07:43 -0800 (PST)
Received: from mail-wi0-f175.google.com (mail-wi0-f175.google.com [209.85.212.175]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E4121A900B for <cfrg@irtf.org>; Mon, 29 Dec 2014 13:07:43 -0800 (PST)
Received: by mail-wi0-f175.google.com with SMTP id l15so23039924wiw.8 for <cfrg@irtf.org>; Mon, 29 Dec 2014 13:07:42 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=lCDtxRv/+sNeGQ5sCKiBzsbOCWeutRxF3HIEEILiHmI=; b=GcNKgqfJVEDp6bEQQHhtmUND1J6diqOnTPZMYL28iroA6aKAqbJG1gP6DL+bniFbcp DCyss1Xg6aLWWeuHGXPx1+vu0kKSNAvJ/U9TNqiVmdjQ3HNm1Hf9kbx0mDNvuc3JqZVg Sp1uN31wuQzJnzTpO9QlQSPm09Bo/t7yCfqzfOFGoubTess1mVKnBI2ypLqEPrgzQCdH WzTB8025+lrPyq9H7P5fKGRRLbolTVHrphm16R0xrU/jsglRofcSUo4azSPx7UXnkElC lG/r9p1Z6rfTs/WInoCKOsTUgr4qkjWaK3u5+A8b2pkdIQ2Eh7z2Pb45onPcecQ9OSnP /p4g==
X-Gm-Message-State: ALoCoQnrcZt5VqJ1AcxY+oaSmRU/KWj8uqzpS+iPC3uoPq+xWgbsAXjypefO7ThdDIKbIwSSiKkk
X-Received: by 10.180.90.16 with SMTP id bs16mr98084915wib.4.1419887262048; Mon, 29 Dec 2014 13:07:42 -0800 (PST)
MIME-Version: 1.0
Received: by 10.216.190.139 with HTTP; Mon, 29 Dec 2014 13:07:21 -0800 (PST)
In-Reply-To: <54A1C150.6080307@shiftleft.org>
References: <CAMfhd9W684XMmXn3ueDmwrsQ_ZdiFG+VqYLxkvs7qDwiJdpk6w@mail.gmail.com> <1725646678.805875.1419539885135.JavaMail.yahoo@jws100115.mail.ne1.yahoo.com> <CAMfhd9Ua5fFZk46Xx1AN2VgyJ=Yng6fnO8aN-_ZfzXQn0Xbxhg@mail.gmail.com> <CA+Vbu7zqFcu8d1053mZ_eEm0q=np6T3snSQ4rfY0k1-4hBVDsA@mail.gmail.com> <CAMfhd9XEqMwFzJ4sK4aHGbke6REZb26uaEEv9gbM5v_goDzwUA@mail.gmail.com> <CA+Vbu7zO3OatbC+cXiV58hvJCuqiTYvnsSuyopDXum4qBX54fw@mail.gmail.com> <EBD3350E-93CA-4D85-91C0-560D17187572@shiftleft.org> <CA+Vbu7zxGm3EE7h3K2mg5WoziUf4bmjoaCAVzFgaaGsE=kLFpQ@mail.gmail.com> <54A1C150.6080307@shiftleft.org>
From: Benjamin Black <b@b3k.us>
Date: Mon, 29 Dec 2014 13:07:21 -0800
Message-ID: <CA+Vbu7yXj-+oaZa83w187cSNw9aJxeaDEycaoBGDS1GPf3wR7Q@mail.gmail.com>
To: Mike Hamburg <mike@shiftleft.org>
Content-Type: multipart/alternative; boundary=f46d043c7e20e03756050b61433c
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/1QMtUTDAvLXkaYY7gLSjeV65plo
Cc: Adam Langley <agl@imperialviolet.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Curve manipulation, revisited
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Dec 2014 21:07:46 -0000

Sorry, Mike, that's how I read it. Let's agree to disagree.

On Mon, Dec 29, 2014 at 1:02 PM, Mike Hamburg <mike@shiftleft.org>; wrote:

>
> On 12/29/2014 10:59 AM, Benjamin Black wrote:
>
>
> I can only go on the things he puts in writing and they say the opposite.
>
>  >Rather than
> >blaming the implementor, we eliminate these security failures by
> >
> >   * adding twist security, for both Montgomery and Edwards, and
> >   * switching to single-coordinate ladders.
>
>  That is not a suggestion folks be allowed to implement the ladder if
> they choose to. It is a requirement that they not be allowed to use
> anything else. If they are allowed to use anything but single-coordinate
> ladders, then, in his own words, we have not eliminated these "security
> failures" and will be back to "blaming the implementor". If he means
> something else he should say something else.
>
>
>  b
>
>
> Look, do you really want to argue one single message to death?  If so,
> maybe you should at least quote the whole message.  DJB wrote:
>
> Benjamin Black writes:
> > The concerns do not apply to the twisted Edwards curve we generated,
> > only to the isogenous Montgomery curve.
>
> False.
>
> Invalid-curve attacks completely break the simplest DH implementations
> in Montgomery coordinates _and_ in Edwards coordinates. Rather than
> blaming the implementor, we eliminate these security failures by
>
>    * adding twist security, for both Montgomery and Edwards, and
>    * switching to single-coordinate ladders.
>
> This is the primary motivation for twist security (and a closer look,
> as I've explained in detail, shows a twist-security criterion that's met
> by Curve25519 and not by PinkBikeShed). This has nothing to do with the
> superficial differences between the Montgomery x and the Edwards y, both
> of which support ladders.
>
> If you disagree, please explain why you're requiring _any_ type of twist
> security for Edwards curves. Why aren't you saying something like "The
> larger d forced by 'twist security' is a violation of rigidity" and
> objecting to the whole concept of twist security for Edwards curves?
>
> ---Dan
>
>  This is in the context of an argument against a cofactor-4 curve with a
> cofactor-8 twist (with Z8 torsion).  It is not about requiring ladders vs
> windows or combs.  The argument is that twist security is part of a
> strategy to secure single-coordinate ladders, so we should make sure that
> it actually does that.
>
> To be clear, I'm ambivalent on this particular argument.  But if you read
> it as an argument that every implementation of ECDH should be banned except
> for single-coordinate ladders, then I believe that you are intentionally
> and obstinately misreading it.
>
> And to think, I used to wonder why standards committees are so slow.
>
> -- Mike
>