Re: [Cfrg] Curve manipulation, revisited

[Mike Hamburg <mike@shiftleft.org>]

On 12/29/2014 10:59 AM, Benjamin Black wrote:
>
> I can only go on the things he puts in writing and they say the opposite.
>
> >Rather than
> >blaming the implementor, we eliminate these security failures by
> >
> >   * adding twist security, for both Montgomery and Edwards, and
> >   * switching to single-coordinate ladders.
>
> That is not a suggestion folks be allowed to implement the ladder if 
> they choose to. It is a requirement that they not be allowed to use 
> anything else. If they are allowed to use anything but 
> single-coordinate ladders, then, in his own words, we have not 
> eliminated these "security failures" and will be back to "blaming the 
> implementor". If he means something else he should say something else.
>
>
> b

Look, do you really want to argue one single message to death?  If so, 
maybe you should at least quote the whole message.  DJB wrote:
> Benjamin Black writes:
> > The concerns do not apply to the twisted Edwards curve we generated,
> > only to the isogenous Montgomery curve.
>
> False.
>
> Invalid-curve attacks completely break the simplest DH implementations
> in Montgomery coordinates _and_ in Edwards coordinates. Rather than
> blaming the implementor, we eliminate these security failures by
>
>     * adding twist security, for both Montgomery and Edwards, and
>     * switching to single-coordinate ladders.
>
> This is the primary motivation for twist security (and a closer look,
> as I've explained in detail, shows a twist-security criterion that's met
> by Curve25519 and not by PinkBikeShed). This has nothing to do with the
> superficial differences between the Montgomery x and the Edwards y, both
> of which support ladders.
>
> If you disagree, please explain why you're requiring _any_ type of twist
> security for Edwards curves. Why aren't you saying something like "The
> larger d forced by 'twist security' is a violation of rigidity" and
> objecting to the whole concept of twist security for Edwards curves?
>
> ---Dan
This is in the context of an argument against a cofactor-4 curve with a 
cofactor-8 twist (with Z8 torsion).  It is not about requiring ladders 
vs windows or combs.  The argument is that twist security is part of a 
strategy to secure single-coordinate ladders, so we should make sure 
that it actually does that.

To be clear, I'm ambivalent on this particular argument.  But if you 
read it as an argument that every implementation of ECDH should be 
banned except for single-coordinate ladders, then I believe that you are 
intentionally and obstinately misreading it.

And to think, I used to wonder why standards committees are so slow.

-- Mike