Re: [Cfrg] Curve manipulation, revisited

[Benjamin Black <b@b3k.us>]

Sorry, Mike, that's how I read it. Let's agree to disagree.

On Mon, Dec 29, 2014 at 1:02 PM, Mike Hamburg <mike@shiftleft.org> wrote:

>
> On 12/29/2014 10:59 AM, Benjamin Black wrote:
>
>
> I can only go on the things he puts in writing and they say the opposite.
>
>  >Rather than
> >blaming the implementor, we eliminate these security failures by
> >
> >   * adding twist security, for both Montgomery and Edwards, and
> >   * switching to single-coordinate ladders.
>
>  That is not a suggestion folks be allowed to implement the ladder if
> they choose to. It is a requirement that they not be allowed to use
> anything else. If they are allowed to use anything but single-coordinate
> ladders, then, in his own words, we have not eliminated these "security
> failures" and will be back to "blaming the implementor". If he means
> something else he should say something else.
>
>
>  b
>
>
> Look, do you really want to argue one single message to death?  If so,
> maybe you should at least quote the whole message.  DJB wrote:
>
> Benjamin Black writes:
> > The concerns do not apply to the twisted Edwards curve we generated,
> > only to the isogenous Montgomery curve.
>
> False.
>
> Invalid-curve attacks completely break the simplest DH implementations
> in Montgomery coordinates _and_ in Edwards coordinates. Rather than
> blaming the implementor, we eliminate these security failures by
>
>    * adding twist security, for both Montgomery and Edwards, and
>    * switching to single-coordinate ladders.
>
> This is the primary motivation for twist security (and a closer look,
> as I've explained in detail, shows a twist-security criterion that's met
> by Curve25519 and not by PinkBikeShed). This has nothing to do with the
> superficial differences between the Montgomery x and the Edwards y, both
> of which support ladders.
>
> If you disagree, please explain why you're requiring _any_ type of twist
> security for Edwards curves. Why aren't you saying something like "The
> larger d forced by 'twist security' is a violation of rigidity" and
> objecting to the whole concept of twist security for Edwards curves?
>
> ---Dan
>
>  This is in the context of an argument against a cofactor-4 curve with a
> cofactor-8 twist (with Z8 torsion).  It is not about requiring ladders vs
> windows or combs.  The argument is that twist security is part of a
> strategy to secure single-coordinate ladders, so we should make sure that
> it actually does that.
>
> To be clear, I'm ambivalent on this particular argument.  But if you read
> it as an argument that every implementation of ECDH should be banned except
> for single-coordinate ladders, then I believe that you are intentionally
> and obstinately misreading it.
>
> And to think, I used to wonder why standards committees are so slow.
>
> -- Mike
>