Re: [Cfrg] Curve manipulation, revisited

Adam Langley <agl@imperialviolet.org> Thu, 25 December 2014 12:14 UTC

Return-Path: <alangley@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D35C51A87B0 for <cfrg@ietfa.amsl.com>; Thu, 25 Dec 2014 04:14:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.422
X-Spam-Level: *
X-Spam-Status: No, score=1.422 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8igf2TDdxNmh for <cfrg@ietfa.amsl.com>; Thu, 25 Dec 2014 04:14:35 -0800 (PST)
Received: from mail-lb0-x230.google.com (mail-lb0-x230.google.com [IPv6:2a00:1450:4010:c04::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E75A1A87A3 for <cfrg@irtf.org>; Thu, 25 Dec 2014 04:14:35 -0800 (PST)
Received: by mail-lb0-f176.google.com with SMTP id p9so7578538lbv.7 for <cfrg@irtf.org>; Thu, 25 Dec 2014 04:14:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=cSG1YkNdmZyUQaPbZ8zWAedVA363lJNGQJqJmz8lwQM=; b=fM64yq4XQ3LaLebGYlHEdQtfx2mSoqn0IhUud2lb8UQ0MmwBl56DgCaGUR8e6GI6KP 2Fwq3TOQHfloJEwJvlMtetY/y9dL2p0OqB8vMX3pRx4/OwR+fXNHIg5vOzcnyQo0hwv3 2eHsZEuUfuUcOaPoXlWpB4CWORqE+d9fI9T/OCUTKwb9tdJZKbQCEbwStcxq2qWLuRYb 34YyWFn0VqSjt7IImGdk3iubUz5MizIW/wKRs33oYnEil173RaFQSGpv3uojDmK44a3W Z3JFSmLGFGHP4CdJ3oEgPn/hSh830gidcdAbFjotGnz0N56Dz1Nnzz4OB73y+18A4m/0 FFKw==
MIME-Version: 1.0
X-Received: by 10.152.30.6 with SMTP id o6mr39302399lah.64.1419509673487; Thu, 25 Dec 2014 04:14:33 -0800 (PST)
Sender: alangley@gmail.com
Received: by 10.112.114.225 with HTTP; Thu, 25 Dec 2014 04:14:33 -0800 (PST)
In-Reply-To: <20141224224708.27815.qmail@cr.yp.to>
References: <20141224224708.27815.qmail@cr.yp.to>
Date: Thu, 25 Dec 2014 12:14:33 +0000
X-Google-Sender-Auth: l7lXbQXqP27sHXH8HkMaMBY_Yvs
Message-ID: <CAMfhd9W684XMmXn3ueDmwrsQ_ZdiFG+VqYLxkvs7qDwiJdpk6w@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/6tK4j72GqzWk_NtUU5aNU2NIrgk
Subject: Re: [Cfrg] Curve manipulation, revisited
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Dec 2014 12:14:38 -0000

On Wed, Dec 24, 2014 at 10:47 PM, D. J. Bernstein <djb@cr.yp.to>; wrote:
> This process began in September 2013, after news of NSA sabotage of
> cryptographic standards: Patrick Pelletier wrote
>
>    Given the doubt that's recently been cast on the NIST curves, is it
>    time to revive the idea of adding curve25519 as a named curve?
>
> on the TLS mailing list. Doug Stebila followed up to say that the
> reasons to support Curve25519 were "efficiency and resistance to
> side-channel attacks" rather than concerns about backdoors. Nick
> Mathewson wrote

Nobody knowledgeable in ECC (that I know of) seriously believes that
the NIST curves are backdoored. But I've observed that the less
knowledgeable people are, the more likely they are to believe it.

Dual-EC had the subtlety of Wile E. Coyote leaving a pile of "Free
Bird Seed" on the road but, prior to 2013, I think most people
(certainly including myself) applied Hanlon's razor and disbelief that
the NSA would do something so stupid and concluded that there was
likely an innocent explanation for it. But many outside of
cryptography circles draw strong parallels between Dual-EC and NIST
curves, I think because they can't see the huge difference: there was
clearly room for a backdoor in Dual-EC, the question was "would they
really?", but a backdoor in P-256 would be alien technology.

Because of this, I suspect that Microsoft feel a need to assuage the
worries of their customers (who will generally fall into the
"less-knowledgeable" group) and provide a "NIST free" option for them.
However, because they are a US company, I imagine that they also feel
the need to demonstrate that they can't have "cooked" the alternative.
(This is all presumption—I'm obviously not familiar with Microsoft's
customer relations nor deliberations.)

But I think this (and a soupçon of ego; something that applies to
everyone) explains Microsoft's continuing strong preference for
"rigidity" in their curves. A conflict arises because Microsoft's
original drive for "rigidity" excluded everything else; including
applying any intelligence to the choice of prime or assigning any
weight to existing practice.

Yourself, myself and others want to replace P-256 not to assuage
backdoor fears, but because a replacement can be significantly faster,
safer and simpler. And we're not hand cuffing ourselves because we're
afraid of being accused of having cards up our sleeves. Finally,
although curve25519 is now pretty common in our world (SSH, OpenPGP,
QUIC etc), it has no presence in the Microsoft ecosystem at all.

You've pointed out, with bada55, that claims of rigidity are, in
general, rather limited and you're correct that Microsoft's movements
towards curve25519 and other changes are highlighting that. But that's
because we didn't accept the choices that were based on their fitness
function. I think they are trying to maintain their larger curve as
being more "rigid" (which, remember, is to convince people who don't
really understand) while accepting something more reasonable (to us)
at the 128-bit level in the hopes of getting the RFC done.

And it would be good to get something done. At present, it's unclear
whether this WG effort will manage to produce anything at all and
failure would mostly benefit P-256. Curve25519 certainly has
increasing presence, but that's in places that will do the smart thing
anyway. But there are lot of places that are less visible to
cryptographers that go with P-256 because it's "standard".
(BluetoothLE-based systems keep popping up in my view.) A failure of
this WG will probably ensure that continues.

It would be also be good to have Microsoft onboard. Microsoft software
is pretty common after all, even if people like us don't see it much.
Although I think we pass the IETF/IRTF bar of "rough consensus"
without them, I don't know if the chairs agree and it would be sad
outcome even if they did.

Curve25519 is sufficiently common now (in our side of the world, at
least) that it's not going away and each different curve supported is
quite a lot of work. (More, I think, than most people realise.) So I
want something very close (or equal) to curve25519 at ~128-bits in
order to minimise implementation, confusion and code size and achieve
the speed, simplicity and robustness that were the point of the whole
exercise.

I'm skeptical that a larger curve is actually useful. I think ~128 and
~192 bit curves have shared fate to the point where the risks from
supporting any extra curve outweigh the benefits. I don't plan on
supporting any larger curve that this WG may produce (even more so if
it's an "ugly" curve). If nothing else, P-384 isn't going away.

So I would be happy with this WG producing curve25519 and a "rigid"
curve at ~192 that Microsoft need. But, even to get there (and it's
unclear whether anyone else would be happy with that) there are still
questions at the ~128 bit level. At the moment, although Kenny has
asked MS to adopt the curve/twist cofactor criteria that results in
curve25519 being produced, Microsoft's generation procedure results in
a different base point and has an isogenous Edwards curve while the
rest of the world uses an isomorphic one. Ed25519 already has a number
of public, private and signature formats[1] however, so perhaps the
isogeny/isomorphism doesn't matter if the conversion can be done "for
free" when converting to affine anyway, but I'm not a cryptographer
and am not comfortable concluding anything here.

[1] https://blog.mozilla.org/warner/files/2011/11/key-formats.png


Cheers

AGL