Re: [Cfrg] CFRG feedback on signing with secp256k1 curve
Richard Barnes <rlb@ipv.sx> Mon, 16 July 2018 21:39 UTC
On Wed, Jun 13, 2018 at 9:25 AM Dan Brown <danibrown@blackberry.com> wrote:

> Hi Mike,
>
> Well, secp256k1 has cofactor 1, same as NIST P256. So it does not map to Montgomery or Edwards form, and may be more prone to side channel attacks. Offhand I don't have references, but I think they can be found.
>
> It has also special structure: j-invariant 0 and efficient endomorphism. There is no known attack on ECDLP for this feature, but the consensus is that it may be riskier than a less special curve. Again, I could probably find refs. It is implicit in that NIST did not recommend it.
>
> Gallant-Lambert-Vanstone found a way to speed up Pollard rho attacks on ECDLP given an efficient endomorphism, but the speedup for secp256k1 would be very little, maybe *2, i.e. 1 bit of security, but don't quote me.
>
> Menezes-Okamoto-Vanstone attacked various special curves, including supersingular curves with j=0, but secp256k1 is not affected. Nonetheless, the shared feature of j=0 with an MOV-attacked curve is an informal red flag, aka early warning sign, aka crack in the concrete.
>
> Indeed, in 1985, Miller suggested using special curves, but also cautioned they could be risky.
>
> Despite the consensus about the risk of special curves, they have been proposed for their other benefits. Pairing curves are special too, but secp256k1 does not have a pairing. Yet others have proposed special curves for their speed. Koblitz, Koblitz and Menezes suggested special curves might better survive a collapse in regular curves.
>
> That all said, I'm not aware of a specific study of secp256k1. If none exist, then it's a bit odd.

Here's a study that looks at secp256k1 in ECDSA in OpenSSL, which claims to recover private keys in 200 signatures using side channels.

https://eprint.iacr.org/2014/161.pdf

(To be fair: I haven't looked deep enough to tell whether it's an implementation issue or an inherent issue with the curve.)

--Richard

> Well, I hope that helps. I can try to figure the exact references later.
>
> Best regards,
>
> Dan
>
> From: Mike Jones
> Sent: Monday, June 11, 2018 8:03 PM
> To: cfrg@irtf.org
> Subject: [Cfrg] CFRG feedback on signing with secp256k1 curve
>
> Dear CFRG,
>
> You’ll recall that the “secp256k1” elliptic curve is described by Dan Brown and Certicom in “SEC 2: Recommended Elliptic Curve Domain Parameters” http://www.secg.org/sec2-v2.pdf (the same document that described the secp256r1 curve – a.k.a., P-256).
>
> I recently wrote https://tools.ietf.org/html/draft-jones-webauthn-secp256k1-00 with a very specific and narrow purpose: to register JOSE and COSE curve identifiers for the SECG secp256k1 elliptic curve and associated algorithm identifiers for signing. This curve is already being used by FIDO UAF, the W3C Verifiable Claims interest group, and several blockchain projects. I want to get standard identifiers registered so these projects can use standards-based, rather than ad-hoc, cryptographic representations. A path forward for this document is being discussed at secdispatch@ietf.org.
>
> As part of the SECDISPATCH evaluation, Ekr had suggested that I ask the CFRG for references to security analyses of secp256k1. No matter what you or I may think of Blockchain, because Blockchain is using secp256k1 and is under tremendous scrutiny, it’s my assumption that if major security flaws were known, people would be widely talking about them. But I’d like to replace my assumption with an actual security analysis or two and thoughts from the CFRG, if possible.
>
> Thanks,
>
> -- Mike
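The structural properties Dan lists above (a = 0 hence j-invariant 0, the efficient GLV endomorphism, cofactor 1, and immunity to the MOV reduction) can each be checked directly from the published domain parameters. The script below is an added example, not code from the thread or from any of the projects named in it; the curve constants are the SEC 2 values and the beta/lambda endomorphism constants are the ones used by libsecp256k1, with n assumed prime (a Fermat test stands in for a full primality proof).

```python
# Structure checks for secp256k1: a = 0 gives j-invariant 0, the GLV
# endomorphism (beta, lambda), cofactor 1 via the Hasse bound, and the
# MOV embedding degree. The functions verify the constants, not trust them.
from math import isqrt

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
BETA = 0x7AE96A2B657C07106E64479EAC3434E99CF0497512F58995C1396C28719501EE    # cube root of 1 mod p
LAMBDA = 0x5363AD4CC05C30E0A5261C028812645A122E22EA20816678DF02967C1B23BD72  # cube root of 1 mod n

def add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        m = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add (not constant-time: for parameter checks only, never for signing)."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def j_invariant():
    a3 = 4 * pow(A, 3, P)
    return 1728 * a3 * pow((a3 + 27 * B * B) % P, -1, P) % P

def endomorphism_ok():
    gx, gy = G
    roots = pow(BETA, 3, P) == 1 and pow(LAMBDA, 3, N) == 1 and 1 not in (BETA, LAMBDA)
    # The map (x, y) -> (beta*x, y) must equal scalar multiplication by lambda.
    return roots and mul(LAMBDA, G) == (BETA * gx % P, gy)

def cofactor_is_one():
    # n*G = O gives n | #E; n prime (Fermat check) and 2n beyond the Hasse bound force #E = n.
    hasse_hi = P + 1 + 2 * isqrt(P) + 1
    return pow(2, N - 1, N) == 1 and mul(N, G) is None and N <= hasse_hi and 2 * N > hasse_hi

def mov_embedding_degree(limit=100):
    """Smallest k with p^k = 1 (mod n), or None if above limit (the SEC 'MOV condition')."""
    return next((k for k in range(1, limit + 1) if pow(P, k, N) == 1), None)
```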