Re: [Cfrg] Curve manipulation, revisited
Benjamin Black <b@b3k.us> Mon, 29 December 2014 21:07 UTC
Return-Path: <b@b3k.us>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B8FC1A8ACD for <cfrg@ietfa.amsl.com>; Mon, 29 Dec 2014 13:07:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4OVI55kAt02I for <cfrg@ietfa.amsl.com>; Mon, 29 Dec 2014 13:07:43 -0800 (PST)
Received: from mail-wi0-f175.google.com (mail-wi0-f175.google.com [209.85.212.175]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E4121A900B for <cfrg@irtf.org>; Mon, 29 Dec 2014 13:07:43 -0800 (PST)
Received: by mail-wi0-f175.google.com with SMTP id l15so23039924wiw.8 for <cfrg@irtf.org>; Mon, 29 Dec 2014 13:07:42 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=lCDtxRv/+sNeGQ5sCKiBzsbOCWeutRxF3HIEEILiHmI=; b=GcNKgqfJVEDp6bEQQHhtmUND1J6diqOnTPZMYL28iroA6aKAqbJG1gP6DL+bniFbcp DCyss1Xg6aLWWeuHGXPx1+vu0kKSNAvJ/U9TNqiVmdjQ3HNm1Hf9kbx0mDNvuc3JqZVg Sp1uN31wuQzJnzTpO9QlQSPm09Bo/t7yCfqzfOFGoubTess1mVKnBI2ypLqEPrgzQCdH WzTB8025+lrPyq9H7P5fKGRRLbolTVHrphm16R0xrU/jsglRofcSUo4azSPx7UXnkElC lG/r9p1Z6rfTs/WInoCKOsTUgr4qkjWaK3u5+A8b2pkdIQ2Eh7z2Pb45onPcecQ9OSnP /p4g==
X-Gm-Message-State: ALoCoQnrcZt5VqJ1AcxY+oaSmRU/KWj8uqzpS+iPC3uoPq+xWgbsAXjypefO7ThdDIKbIwSSiKkk
X-Received: by 10.180.90.16 with SMTP id bs16mr98084915wib.4.1419887262048; Mon, 29 Dec 2014 13:07:42 -0800 (PST)
MIME-Version: 1.0
Received: by 10.216.190.139 with HTTP; Mon, 29 Dec 2014 13:07:21 -0800 (PST)
In-Reply-To: <54A1C150.6080307@shiftleft.org>
References: <CAMfhd9W684XMmXn3ueDmwrsQ_ZdiFG+VqYLxkvs7qDwiJdpk6w@mail.gmail.com> <1725646678.805875.1419539885135.JavaMail.yahoo@jws100115.mail.ne1.yahoo.com> <CAMfhd9Ua5fFZk46Xx1AN2VgyJ=Yng6fnO8aN-_ZfzXQn0Xbxhg@mail.gmail.com> <CA+Vbu7zqFcu8d1053mZ_eEm0q=np6T3snSQ4rfY0k1-4hBVDsA@mail.gmail.com> <CAMfhd9XEqMwFzJ4sK4aHGbke6REZb26uaEEv9gbM5v_goDzwUA@mail.gmail.com> <CA+Vbu7zO3OatbC+cXiV58hvJCuqiTYvnsSuyopDXum4qBX54fw@mail.gmail.com> <EBD3350E-93CA-4D85-91C0-560D17187572@shiftleft.org> <CA+Vbu7zxGm3EE7h3K2mg5WoziUf4bmjoaCAVzFgaaGsE=kLFpQ@mail.gmail.com> <54A1C150.6080307@shiftleft.org>
From: Benjamin Black <b@b3k.us>
Date: Mon, 29 Dec 2014 13:07:21 -0800
Message-ID: <CA+Vbu7yXj-+oaZa83w187cSNw9aJxeaDEycaoBGDS1GPf3wR7Q@mail.gmail.com>
To: Mike Hamburg <mike@shiftleft.org>
Content-Type: multipart/alternative; boundary="f46d043c7e20e03756050b61433c"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/1QMtUTDAvLXkaYY7gLSjeV65plo
Cc: Adam Langley <agl@imperialviolet.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Curve manipulation, revisited
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Dec 2014 21:07:46 -0000
Sorry, Mike, that's how I read it. Let's agree to disagree. On Mon, Dec 29, 2014 at 1:02 PM, Mike Hamburg <mike@shiftleft.org> wrote: > > On 12/29/2014 10:59 AM, Benjamin Black wrote: > > > I can only go on the things he puts in writing and they say the opposite. > > >Rather than > >blaming the implementor, we eliminate these security failures by > > > > * adding twist security, for both Montgomery and Edwards, and > > * switching to single-coordinate ladders. > > That is not a suggestion folks be allowed to implement the ladder if > they choose to. It is a requirement that they not be allowed to use > anything else. If they are allowed to use anything but single-coordinate > ladders, then, in his own words, we have not eliminated these "security > failures" and will be back to "blaming the implementor". If he means > something else he should say something else. > > > b > > > Look, do you really want to argue one single message to death? If so, > maybe you should at least quote the whole message. DJB wrote: > > Benjamin Black writes: > > The concerns do not apply to the twisted Edwards curve we generated, > > only to the isogenous Montgomery curve. > > False. > > Invalid-curve attacks completely break the simplest DH implementations > in Montgomery coordinates _and_ in Edwards coordinates. Rather than > blaming the implementor, we eliminate these security failures by > > * adding twist security, for both Montgomery and Edwards, and > * switching to single-coordinate ladders. > > This is the primary motivation for twist security (and a closer look, > as I've explained in detail, shows a twist-security criterion that's met > by Curve25519 and not by PinkBikeShed). This has nothing to do with the > superficial differences between the Montgomery x and the Edwards y, both > of which support ladders. > > If you disagree, please explain why you're requiring _any_ type of twist > security for Edwards curves. Why aren't you saying something like "The > larger d forced by 'twist security' is a violation of rigidity" and > objecting to the whole concept of twist security for Edwards curves? > > ---Dan > > This is in the context of an argument against a cofactor-4 curve with a > cofactor-8 twist (with Z8 torsion). It is not about requiring ladders vs > windows or combs. The argument is that twist security is part of a > strategy to secure single-coordinate ladders, so we should make sure that > it actually does that. > > To be clear, I'm ambivalent on this particular argument. But if you read > it as an argument that every implementation of ECDH should be banned except > for single-coordinate ladders, then I believe that you are intentionally > and obstinately misreading it. > > And to think, I used to wonder why standards committees are so slow. > > -- Mike >
- [Cfrg] Curve manipulation, revisited D. J. Bernstein
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited David Gil
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited David Gil
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited David Gil
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Alyssa Rowan
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Yoav Nir
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Michael Hamburg
- Re: [Cfrg] Curve manipulation, revisited Yoav Nir
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Yoav Nir
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Mike Hamburg
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Rob Stradling
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Tony Arcieri
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Rob Stradling
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Paul Hoffman
- Re: [Cfrg] Curve manipulation, revisited Nico Williams
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Paul Hoffman
- Re: [Cfrg] Curve manipulation, revisited Alyssa Rowan
- Re: [Cfrg] Curve manipulation, revisited Peter Dettman
- Re: [Cfrg] Curve manipulation, revisited Harry Halpin
- Re: [Cfrg] Curve manipulation, revisited Michael Hamburg
- Re: [Cfrg] Curve manipulation, revisited Peter Dettman