Re: [Cfrg] Curve manipulation, revisited
Adam Langley <agl@imperialviolet.org> Thu, 25 December 2014 12:14 UTC
Return-Path: <alangley@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D35C51A87B0 for <cfrg@ietfa.amsl.com>; Thu, 25 Dec 2014 04:14:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.422
X-Spam-Level: *
X-Spam-Status: No, score=1.422 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8igf2TDdxNmh for <cfrg@ietfa.amsl.com>; Thu, 25 Dec 2014 04:14:35 -0800 (PST)
Received: from mail-lb0-x230.google.com (mail-lb0-x230.google.com [IPv6:2a00:1450:4010:c04::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E75A1A87A3 for <cfrg@irtf.org>; Thu, 25 Dec 2014 04:14:35 -0800 (PST)
Received: by mail-lb0-f176.google.com with SMTP id p9so7578538lbv.7 for <cfrg@irtf.org>; Thu, 25 Dec 2014 04:14:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=cSG1YkNdmZyUQaPbZ8zWAedVA363lJNGQJqJmz8lwQM=; b=fM64yq4XQ3LaLebGYlHEdQtfx2mSoqn0IhUud2lb8UQ0MmwBl56DgCaGUR8e6GI6KP 2Fwq3TOQHfloJEwJvlMtetY/y9dL2p0OqB8vMX3pRx4/OwR+fXNHIg5vOzcnyQo0hwv3 2eHsZEuUfuUcOaPoXlWpB4CWORqE+d9fI9T/OCUTKwb9tdJZKbQCEbwStcxq2qWLuRYb 34YyWFn0VqSjt7IImGdk3iubUz5MizIW/wKRs33oYnEil173RaFQSGpv3uojDmK44a3W Z3JFSmLGFGHP4CdJ3oEgPn/hSh830gidcdAbFjotGnz0N56Dz1Nnzz4OB73y+18A4m/0 FFKw==
MIME-Version: 1.0
X-Received: by 10.152.30.6 with SMTP id o6mr39302399lah.64.1419509673487; Thu, 25 Dec 2014 04:14:33 -0800 (PST)
Sender: alangley@gmail.com
Received: by 10.112.114.225 with HTTP; Thu, 25 Dec 2014 04:14:33 -0800 (PST)
In-Reply-To: <20141224224708.27815.qmail@cr.yp.to>
References: <20141224224708.27815.qmail@cr.yp.to>
Date: Thu, 25 Dec 2014 12:14:33 +0000
X-Google-Sender-Auth: l7lXbQXqP27sHXH8HkMaMBY_Yvs
Message-ID: <CAMfhd9W684XMmXn3ueDmwrsQ_ZdiFG+VqYLxkvs7qDwiJdpk6w@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/6tK4j72GqzWk_NtUU5aNU2NIrgk
Subject: Re: [Cfrg] Curve manipulation, revisited
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Dec 2014 12:14:38 -0000
On Wed, Dec 24, 2014 at 10:47 PM, D. J. Bernstein <djb@cr.yp.to> wrote: > This process began in September 2013, after news of NSA sabotage of > cryptographic standards: Patrick Pelletier wrote > > Given the doubt that's recently been cast on the NIST curves, is it > time to revive the idea of adding curve25519 as a named curve? > > on the TLS mailing list. Doug Stebila followed up to say that the > reasons to support Curve25519 were "efficiency and resistance to > side-channel attacks" rather than concerns about backdoors. Nick > Mathewson wrote Nobody knowledgeable in ECC (that I know of) seriously believes that the NIST curves are backdoored. But I've observed that the less knowledgeable people are, the more likely they are to believe it. Dual-EC had the subtlety of Wile E. Coyote leaving a pile of "Free Bird Seed" on the road but, prior to 2013, I think most people (certainly including myself) applied Hanlon's razor and disbelief that the NSA would do something so stupid and concluded that there was likely an innocent explanation for it. But many outside of cryptography circles draw strong parallels between Dual-EC and NIST curves, I think because they can't see the huge difference: there was clearly room for a backdoor in Dual-EC, the question was "would they really?", but a backdoor in P-256 would be alien technology. Because of this, I suspect that Microsoft feel a need to assuage the worries of their customers (who will generally fall into the "less-knowledgeable" group) and provide a "NIST free" option for them. However, because they are a US company, I imagine that they also feel the need to demonstrate that they can't have "cooked" the alternative. (This is all presumption—I'm obviously not familiar with Microsoft's customer relations nor deliberations.) But I think this (and a soupçon of ego; something that applies to everyone) explains Microsoft's continuing strong preference for "rigidity" in their curves. A conflict arises because Microsoft's original drive for "rigidity" excluded everything else; including applying any intelligence to the choice of prime or assigning any weight to existing practice. Yourself, myself and others want to replace P-256 not to assuage backdoor fears, but because a replacement can be significantly faster, safer and simpler. And we're not hand cuffing ourselves because we're afraid of being accused of having cards up our sleeves. Finally, although curve25519 is now pretty common in our world (SSH, OpenPGP, QUIC etc), it has no presence in the Microsoft ecosystem at all. You've pointed out, with bada55, that claims of rigidity are, in general, rather limited and you're correct that Microsoft's movements towards curve25519 and other changes are highlighting that. But that's because we didn't accept the choices that were based on their fitness function. I think they are trying to maintain their larger curve as being more "rigid" (which, remember, is to convince people who don't really understand) while accepting something more reasonable (to us) at the 128-bit level in the hopes of getting the RFC done. And it would be good to get something done. At present, it's unclear whether this WG effort will manage to produce anything at all and failure would mostly benefit P-256. Curve25519 certainly has increasing presence, but that's in places that will do the smart thing anyway. But there are lot of places that are less visible to cryptographers that go with P-256 because it's "standard". (BluetoothLE-based systems keep popping up in my view.) A failure of this WG will probably ensure that continues. It would be also be good to have Microsoft onboard. Microsoft software is pretty common after all, even if people like us don't see it much. Although I think we pass the IETF/IRTF bar of "rough consensus" without them, I don't know if the chairs agree and it would be sad outcome even if they did. Curve25519 is sufficiently common now (in our side of the world, at least) that it's not going away and each different curve supported is quite a lot of work. (More, I think, than most people realise.) So I want something very close (or equal) to curve25519 at ~128-bits in order to minimise implementation, confusion and code size and achieve the speed, simplicity and robustness that were the point of the whole exercise. I'm skeptical that a larger curve is actually useful. I think ~128 and ~192 bit curves have shared fate to the point where the risks from supporting any extra curve outweigh the benefits. I don't plan on supporting any larger curve that this WG may produce (even more so if it's an "ugly" curve). If nothing else, P-384 isn't going away. So I would be happy with this WG producing curve25519 and a "rigid" curve at ~192 that Microsoft need. But, even to get there (and it's unclear whether anyone else would be happy with that) there are still questions at the ~128 bit level. At the moment, although Kenny has asked MS to adopt the curve/twist cofactor criteria that results in curve25519 being produced, Microsoft's generation procedure results in a different base point and has an isogenous Edwards curve while the rest of the world uses an isomorphic one. Ed25519 already has a number of public, private and signature formats[1] however, so perhaps the isogeny/isomorphism doesn't matter if the conversion can be done "for free" when converting to affine anyway, but I'm not a cryptographer and am not comfortable concluding anything here. [1] https://blog.mozilla.org/warner/files/2011/11/key-formats.png Cheers AGL
- [Cfrg] Curve manipulation, revisited D. J. Bernstein
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited David Gil
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited David Gil
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited David Gil
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Alyssa Rowan
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Yoav Nir
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Michael Hamburg
- Re: [Cfrg] Curve manipulation, revisited Yoav Nir
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Yoav Nir
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Mike Hamburg
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Rob Stradling
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Tony Arcieri
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Rob Stradling
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Paul Hoffman
- Re: [Cfrg] Curve manipulation, revisited Nico Williams
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Paul Hoffman
- Re: [Cfrg] Curve manipulation, revisited Alyssa Rowan
- Re: [Cfrg] Curve manipulation, revisited Peter Dettman
- Re: [Cfrg] Curve manipulation, revisited Harry Halpin
- Re: [Cfrg] Curve manipulation, revisited Michael Hamburg
- Re: [Cfrg] Curve manipulation, revisited Peter Dettman