[Cfrg] Handling invalid points
"D. J. Bernstein" <djb@cr.yp.to> Fri, 21 November 2014 23:12 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 832B51A8F3D for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 15:12:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.896
X-Spam-Level: **
X-Spam-Status: No, score=2.896 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gYJbvrIE_A4V for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 15:12:42 -0800 (PST)
Received: from calvin.win.tue.nl (calvin.win.tue.nl [131.155.70.11]) by ietfa.amsl.com (Postfix) with SMTP id B61D81A8F4A for <cfrg@irtf.org>; Fri, 21 Nov 2014 15:12:41 -0800 (PST)
Received: (qmail 24510 invoked by uid 1017); 21 Nov 2014 23:13:00 -0000
Received: from unknown (unknown) by unknown with QMTP; 21 Nov 2014 23:13:00 -0000
Received: (qmail 18475 invoked by uid 1001); 21 Nov 2014 23:12:33 -0000
Date: Fri, 21 Nov 2014 23:12:33 -0000
Message-ID: <20141121231233.18473.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <8FBEB0194016E64D9DF7E7855CD88E0C073A6D@FRPASERV0088.emea.oberthurcs.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/3co2iEaaeKRDixtML3OKo9aV9cU
Subject: [Cfrg] Handling invalid points
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Nov 2014 23:12:46 -0000
My goal for curve selection, as I explained in Toronto, is to minimize tensions between speed, simplicity, and security. My impression is that there's consensus on at least one part of this: choosing a curve that can be expressed in Edwards form, i.e., a curve that has a point of order 4. Microsoft has made a broader spectrum of proposals, apparently to be prepared in case CFRG instead wants a curve of cofactor 1, but hasn't actually been arguing that cofactor 1 is preferable. Nigel Smart claimed at one point that cofactor 1 is "vital to avoid mistakes" but has never given details. Meanwhile many people have pointed to the undisputed benefits of Edwards curves, such as a very fast complete addition law. I think CFRG could reasonably declare that a point of order 4 is a requirement, simplifying subsequent discussion. However, http://eprint.iacr.org/2014/832.pdf claims that cofactor 1 is desirable because cofactors larger than 1 create "an additional overhead" and "a source for implementation weaknesses" if a certain "check is omitted or just forgotten". Similarly, a recent Oberthur message claims that cofactor 1 should be "mandatory" to avoid "small subgroup attacks" in careless implementations. I find these claims quite puzzling, for several reasons: * Cofactors are already allowed by all of the usual ECC standards from IEEE, ANSI, and NIST. FIPS 186-4 sets the cofactor limit at 2^14 for 255-bit primes. Certicom's pet SEC 1 standard has always allowed cofactor 4, and in 2009 started allowing even more. * Small-subgroup attacks were a big issue for pre-ECC discrete-log systems because those systems typically have huge cofactors---but for ECC everybody uses curves with vastly smaller cofactors, so the small-subgroup attacks learn almost nothing, even if nobody bothers defending against them. Invalid-curve attacks are a different story, but they have nothing to do with the minor difference between, e.g., cofactor 1 and cofactor 8 for the original curve. * The major ECC standards already eliminate _all_ of the information leakage from small-subgroup attacks. For example, ECDH in ANSI X9.63 computes a shared secret as "P=hdQ", where h is the cofactor and d is the secret key. Notice that the cofactor multiplication in ANSI X9.63 etc. isn't a "check" that can be "forgotten" by a careless implementation: such an implementation would flunk every normal test vector for shared-secret generation. For comparison, a static-ECDH (or reused-ephemeral-ECDH) implementation that doesn't check an incoming (x,y) against the curve equation will leak its _entire_ secret key to a very fast attack. This huge security problem _won't_ be caught by typical test vectors. This is vastly more important than small-subgroup attacks. Oberthur claims that checking the curve equation to stop these attacks is "insignificant" compared to cofactor multiplication, but this is exaggerating a tiny performance issue while ignoring the likelihood of an omitted test and the security damage caused by the omission. We have enough trouble getting crypto right without adding unnecessary traps! The right way to eliminate the invalid-curve problem has two steps: (1) Require compressed points in protocols. This syntactically limits the input point to two curves: the original curve and its twist. (2) Choose twist-secure curves. This also has many further benefits. Compressed points on curves with points of order 4 also allow unmatched ECDH simplicity, at an excellent performance level, via the Montgomery ladder. Serious hardware analyses such as http://mhutter.org/papers/Wenger2011HardwareProcessorSupporting.pdf consistently praise the Montgomery ladder---using compressed inputs and outputs---for its simplicity, speed, and small resource consumption in hardware. Of course, compressed points also reduce network traffic. Why would anyone talk about small-subgroup attacks as being stopped by a "check" that might be "forgotten", the same way that a curve-equation check can stop invalid-curve attacks but might be forgotten? Answer: What I've described so far is * a computational (robust) defense against small-subgroup attacks, * a verifying (not robust) defense against invalid-curve attacks, and * a computational (robust) defense against invalid-curve attacks, but there's also * a verifying (not robust) defense against small-subgroup attacks. Specifically, instead of multiplying the incoming point Q by h, one can check whether hQ = 0. This check runs a serious risk of being omitted, the same way that a curve-equation check runs a serious risk of being omitted, although the resulting damage is much less severe. Note that Certicom's dwindling patent portfolio has a not-quite-dead-yet patent 6563928 on this inferior method ("determining whether said public information ... lies within a subgroup ... having less than a predetermined number of elements and rejecting messages utilizing said public information if said public information lies within such a subgroup"), which makes it particularly strange that anyone would talk about this as the normal thing to do. Does Oberthur have a license for this patent? Anyway, if there really are reasons that CFRG should seriously consider curve proposals with cofactor 1 then I think it's important for those reasons to be made clear. ---Dan
- [Cfrg] Requirements for elliptic curves with a vi… RONDEPIERRE Franck
- Re: [Cfrg] Requirements for elliptic curves with … Dan Brown
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Manuel Pégourié-Gonnard
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Alyssa Rowan
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Andy Lutomirski
- [Cfrg] Handling invalid points D. J. Bernstein
- Re: [Cfrg] Handling invalid points Michael Hamburg
- Re: [Cfrg] Handling invalid points Michael Hamburg
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Handling invalid points Natanael
- Re: [Cfrg] Requirements for elliptic curves with … William Whyte
- Re: [Cfrg] Handling invalid points Ilari Liusvaara
- Re: [Cfrg] Handling invalid points Stephen Farrell
- Re: [Cfrg] Requirements for elliptic curves with … D. J. Bernstein
- Re: [Cfrg] Handling invalid points D. J. Bernstein
- Re: [Cfrg] Handling invalid points Adam Langley