Re: [CFRG] Why we use ECDH instead of traditional DH
"D. J. Bernstein" <djb@cr.yp.to> Fri, 22 March 2024 16:58 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1C9EC14F6A0 for <cfrg@ietfa.amsl.com>; Fri, 22 Mar 2024 09:58:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ITCv1Hw_WBCd for <cfrg@ietfa.amsl.com>; Fri, 22 Mar 2024 09:58:41 -0700 (PDT)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id ADEB7C14F6A5 for <cfrg@irtf.org>; Fri, 22 Mar 2024 09:58:41 -0700 (PDT)
Received: (qmail 11169 invoked by uid 1010); 22 Mar 2024 16:58:40 -0000
Received: from unknown (unknown) by unknown with QMTP; 22 Mar 2024 16:58:40 -0000
Received: (qmail 768668 invoked by uid 1000); 22 Mar 2024 16:58:30 -0000
Date: Fri, 22 Mar 2024 16:58:30 -0000
Message-ID: <20240322165830.768666.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <CANuRxefUceYt4z_2QDrWz+=RFiVgjksREsgkxfYhQXSvZgYbfw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3s7I_g8Ey0G61DypQeXC3QnuoVg>
Subject: Re: [CFRG] Why we use ECDH instead of traditional DH
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2024 16:58:46 -0000
Daniel Brown writes: > Beyond historical interest, is the main point here ("why ECDH, not FFDH") > to help work out clearer criteria for future CFRG decisions? There was a claim that "Any work that can be pushed up the pyramid should be, because it reduces duplication". I was giving a counterexample to both "should" and "reduces": namely, taking traditional DH instead of ECDH pushes work from implementors up to security reviewers, but increases the total amount of work and, more importantly, increases security risks. To be clear, I'm not saying the claim is _always_ wrong. Over the years I've pointed out many examples where shifting work from implementors to designers reduces total work and reduces failures. Obviously designers should talk to implementors and think about what designers can do to help implementors. But a rule that forces a regression from ECDH to traditional DH is going too far. [ regarding large discriminants ] > Nonetheless, I'd hope for more clarity on: > 1) the level of risk difference, > 2) specific rationale for the relative risk assessment, The rationale is that fast automorphisms play a central role in many attacks---sometimes giving just small speedups such as fast negation in ECDL, but sometimes leading to outright disasters such as fast low-characteristic multiplicative-group discrete logs---so we should take those away from the attacker when we can. Obviously this is stating only the direction of this risk, not the magnitude. Quantifying risks takes more work, as in my recent paper https://cr.yp.to/papers.html#qrcsp: you need large enough samples for statistical validity, criteria that avoid "p-hacking", etc. > On 1) risk difference, I quote [KKM, Sec. 11, p.30]: "Rather, our point is > that conventional wisdom may turn out to be wrong and that, as far as > anyone knows, either choice has risks. The decision about what kind of > curve to use in ECC is a subjective one based on the user's best guess > about future vulnerabilities." This quote comes from setting up a comparison between two options where one option gets rid of one type of fast morphism and another option gets rid of another type of fast morphism (with the algorithms available at that time). Choosing between the options (in the absence of other considerations and in the absence of an option avoiding both risks simultaneously) means deciding which risk is more important. I see no justification in KKM for the conclusion that decisions are subjective. Evaluating factors that point in multiple directions is a standard engineering problem, and the literature on risk analysis is full of examples of rationally weighing multiple risks. Furthermore, as illustrated by DES and DSA and Dual EC, sabotage of security standards is continually accompanied by hyping of some risks and downplaying of others; our best defense against this is setting up objective, transparent procedures for evaluating risks. A standard idea in computer security is to design TCBs to be simple to review; the point is that if the TCB is complicated to review then we'll miss vulnerabilities. TCB size is often used as an easy-to-measure proxy for the cost of review. In cryptography, it's more obvious that security review isn't just looking at code, but we can still evaluate the review complexity and pick the easiest-to-review options. For the KKM examples, it's easy to see that that the special curves considered in KKM incur higher review cost than typical curves. > Does there hold a general correlation between discriminant size and the > availability of a pairing needed for a MOV-type attack? If so, is that the > specific rationale for deeming greater risk of small-discriminant curves? Field discriminants are an important predictor of performance of a wide range of algorithms in algebraic number theory. CM computations in setting up pairings are one example of this. > So, how much and why is using a special-form field in ECDH less risky than > using a special-equation low-discriminant curve in ECDH? These are not orthogonal questions. If you choose a small embedding degree then you should be able to make NFS run faster by also choosing a prime represented by a small polynomial. But the overhead from a large polynomial contributes only a small factor to the final NFS norm size, while embedding degrees make an exponential contribution. A reviewer working through the failure of index calculus (and xedni calculus) for, say Curve25519 doesn't bother looking at this overhead: the attack already fails when the overhead is ignored. > Note that GLV proposed using low-discriminant special-equation curves > for their greater efficiency, by way of efficient endomorphisms. Indeed. Also, GLV curves acquired a big application after the patent expired in 2020. But if I try https://github.com/bitcoin-core/secp256k1 on a Zen 3 core running at 2.3GHz then I see 21.1 us and 38.0 us for "ec_keygen" and "ecdh" respectively, around 50000 and 87000 cycles. For comparison, X25519 on the same machine is 26000 and 73000 cycles with lib25519, or 26000 and 90000 cycles with the formally verified code from https://github.com/awslabs/s2n-bignum (which you can also include in lib25519 with the new use-s2n-bignum option). > i) As to "avoid any risk". Is this claiming that the risk of the > preferred alternative is lower? >From the risk source specified after "risk from", yes. > ii) As to "large". Does this mean "typically large" or "especially > large"? I meant typically large. Computing the field requires checking for the occasional square divisors of t^2-4p, but will basically never find a big square divisor---unless you use CM to force t^2-4p to be something small times a big square in the first place. > iii) As to "automorphism". Should this have been "efficient > endomorphism"? I was thinking about the speed of automorphisms of the group. Of course, fast curve endomorphisms are a big source of fast group automorphisms, and the curve structure is useful for understanding pairings etc. ---D. J. Bernstein
- [CFRG] Why we use ECDH instead of traditional DH Daniel Brown
- Re: [CFRG] Why we use ECDH instead of traditional… D. J. Bernstein