Re: [Cfrg] Some observations after the ECC interim meeting
Patrick Longa Pierola <plonga@microsoft.com> Wed, 07 May 2014 08:13 UTC
Return-Path: <plonga@microsoft.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 464371A0186 for <cfrg@ietfa.amsl.com>; Wed, 7 May 2014 01:13:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nx9ixTxEZDBQ for <cfrg@ietfa.amsl.com>; Wed, 7 May 2014 01:13:03 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0203.outbound.protection.outlook.com [207.46.163.203]) by ietfa.amsl.com (Postfix) with ESMTP id 028F01A0164 for <cfrg@irtf.org>; Wed, 7 May 2014 01:13:02 -0700 (PDT)
Received: from BY2PR03MB474.namprd03.prod.outlook.com (10.141.141.149) by BY2PR03MB473.namprd03.prod.outlook.com (10.141.141.143) with Microsoft SMTP Server (TLS) id 15.0.939.12; Wed, 7 May 2014 08:12:44 +0000
Received: from BY2PR03MB474.namprd03.prod.outlook.com ([10.141.141.149]) by BY2PR03MB474.namprd03.prod.outlook.com ([10.141.141.149]) with mapi id 15.00.0939.000; Wed, 7 May 2014 08:12:44 +0000
From: Patrick Longa Pierola <plonga@microsoft.com>
To: Watson Ladd <watsonbladd@gmail.com>
Thread-Topic: [Cfrg] Some observations after the ECC interim meeting
Thread-Index: Ac9otvg9Q4jf9oA/Q/+gDHHETUQlJwAAgPeAAENMtaA=
Date: Wed, 07 May 2014 08:12:43 +0000
Message-ID: <15095b3897ec4556a3fe3963b70a1010@BY2PR03MB474.namprd03.prod.outlook.com>
References: <efe621d5b6c7430887f433db7092d125@BY2PR03MB474.namprd03.prod.outlook.com> <CACsn0ckYckN-u63kroR+ygOpXNvkuA3-iqVQSsVcs+EkkiTHTg@mail.gmail.com>
In-Reply-To: <CACsn0ckYckN-u63kroR+ygOpXNvkuA3-iqVQSsVcs+EkkiTHTg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [50.47.83.223]
x-forefront-prvs: 0204F0BDE2
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(6009001)(428001)(24454002)(13464003)(51704005)(377454003)(189002)(199002)(83072002)(74662001)(80022001)(66066001)(79102001)(74502001)(64706001)(85852003)(74316001)(81342001)(31966008)(33646001)(20776003)(81542001)(86362001)(92566001)(15202345003)(19580395003)(76576001)(77982001)(101416001)(76176999)(54356999)(50986999)(99286001)(77096999)(4396001)(99396002)(46102001)(19580405001)(83322001)(1411001)(76482001)(19273905006)(86612001)(15975445006)(2656002)(561944002)(87936001)(21056001)(24736002)(563064011)(9853045004); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR03MB473; H:BY2PR03MB474.namprd03.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=plonga@microsoft.com;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/DNZn9_J7RtpF32pBm-bDyCXz1gc
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Some observations after the ECC interim meeting
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 May 2014 08:13:06 -0000
> Why can't higher security levels follow the lead of the low security levels, even if designed at different times? Consistency of the curve selection (curve form, subgroup structure, prime form, etc.) across the different security levels can have several benefits in practice (e.g., easier-to-implement, easier-to-maintain, easier-to-describe, less error-prone implementations). To give an example on why it might be a bad idea to simply follow the design of the lower security curves when choosing higher security curves in the future: some consistency might be lost if different prime forms are chosen for different security levels. So far there has been very little discussion on the selection of high-security curves and ideally we won't want to limit our options in the future when selecting those curves (are the primes for those curves going to have full-bitlength, pseudo-Mersenne form exactly matching the targeted security level or are they going to have extended or reduced bitlength, or other special forms such as Hamburg's proposal, etc.?). IMO some decisions will be better if are taken when looking at the full solution and spectrum of curves. Regards, Patrick -----Original Message----- From: Watson Ladd [mailto:watsonbladd@gmail.com] Sent: Monday, May 5, 2014 4:23 PM To: Patrick Longa Pierola Cc: cfrg@irtf.org Subject: Re: [Cfrg] Some observations after the ECC interim meeting On Mon, May 5, 2014 at 4:12 PM, Patrick Longa Pierola <plonga@microsoft.com> wrote: > Dear all, > > In our presentation at the CFRG meeting we were especially interested > in drawing some attention to some issues that are very relevant when > using Edwards and Montgomery curves. In particular, > > > > - when computing the Montgomery ladder in constant time there is a > potential failure case if the scalar matches 0 (mod r) or 0 (mod r’), > where r and r’ are the prime orders of the subgroups generated on the > Montgomery curve and its quadratic twist, respectively. We noted that > Curve25519 avoids this issue (together with dealing with subgroup > attacks) by restricting the scalar values to 2^254 + 8{0,1,…,2^251-1}. > This design feature does not match the standard practice in > cryptography that is to allow the scalar value to be in the full range > [1, r-1]. For example, when working with > Ed25519 there is a restriction of scalars to less than half of such > full range. Refer to slide 10 in [1]. > > > > - when using the Montgomery ladder for key exchange (computed with one > variable-base scalar multiplication) there are engineering issues that > need to be addressed: is key generation being computed on the > Montgomery form or the Edwards form? If it is computed using the > Montgomery form then there is a significant performance impact (option > referred to as “hybrid 1” in our presentation; see slides 23-24 in > [1]). One can certainly use the Edwards form instead (this option > corresponds to “Hybrid 2” in the same slides) but one then needs to > deal with issues such as point conversion, special point formatting > for transmission, etc. Another potential issue with this second > alternative is that good solutions might be protocol-specific, instead > of generic. Our performance results indicate that there is no need to > deal with these potential issues (issues that are relevant, e.g., to > the TLS handshake using PFS, and that might be even more difficult to > deal with in different > protocols) because all the computations can be performed purely on the > twisted Edwards form of the curve. This also brings to the table the > possibility of using only one curve form (twisted Edwards) for > signatures and key exchange (and any other possible ECC operations), > instead of defining different curve forms for different ECC > operations. This unification might bring several benefits in practice. > > > > Finally, we point out that the current effort of moving forward with > only one curve targeting *one security level* (i.e., 128-bit) might > bring the risk of having inconsistencies once future additions are > done at other security levels. We suggest instead to first have a > solid curve selection that includes all the security levels, with > strong consistency in the design. Why can't higher security levels follow the lead of the low security levels, even if designed at different times? It would seem that using the twisted Edwards form uniformly (and as a wire format) avoids all the issues you mentioned. Furthermore, fast implementations can take advantage of isogenies, restrict scalars, etc. even if the standards recommend an algorithm that doesn't. Sincerely, Watson Ladd > > > > Best regards, > > > > Patrick > > > > > > [1] Patrick Longa, “Selecting Elliptic Curves for Cryptography”, talk > given at the interim teleconference meeting, April 2014. > http://patricklonga.webs.com/Presentation_CFRG_Selecting_Elliptic_Curv > es_for_Cryptography.pdf > > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [Cfrg] Some observations after the ECC interim me… Patrick Longa Pierola
- Re: [Cfrg] Some observations after the ECC interi… Watson Ladd
- Re: [Cfrg] Some observations after the ECC interi… Patrick Longa Pierola