Re: [Cfrg] Curve selection revisited

Watson Ladd <watsonbladd@gmail.com> Sat, 26 July 2014 17:59 UTC

MIME-Version: 1.0
In-Reply-To: <CABqy+spNJYWyBHLY5YL3kh6PcDm_tTbqyN0tpDNs-Bme7de1hg@mail.gmail.com>
References: <CA+Vbu7xroa68=HOZtbf=oz7kK2EeUv_z1okpnjxHPR0ZtHD5cA@mail.gmail.com> <CFF7E184.28E9F%kenny.paterson@rhul.ac.uk> <53D2781B.8030605@sbcglobal.net> <CACsn0ckqFigWoH2+OOEHSd2VWPp8y6=m8H5OsFRyjXmjK7+m4w@mail.gmail.com> <CABqy+srxMNuG0AaQd0SaegHvZWgbW762EQq+iAHL_fbu6sOJJQ@mail.gmail.com> <CACsn0ck-nmwtKVmoC=qTuWwJWDZPE6SwKreeJjjdyew+mAcfYw@mail.gmail.com> <CABqy+spNJYWyBHLY5YL3kh6PcDm_tTbqyN0tpDNs-Bme7de1hg@mail.gmail.com>
Date: Sat, 26 Jul 2014 10:59:29 -0700
Message-ID: <CACsn0cm7_d0XBz-E7trOgH_J0RcpyLJLm-uy6AmE2rL0peQ=bQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Robert Ransom <rransom.8774@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/EvNVlCSDjucpfIGzcUxI3Oa2qRY
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Curve selection revisited
Precedence: list

<choping irrelevent stuff>

>
> “Easy” does not mean “low-cost”.  Adding support for Edwards-form
> input points to a Montgomery-ladder implementation is easy, but has a
> high performance cost (1I per scalarmult).  Adding support for
> Montgomery-form input points to an implementation which operates on
> Edwards form is easy, and has much smaller performance cost.

By "easy" I meant that as the field arithmetic is already done, which
is the vast
bulk of the difficulty, the additional code is smaller. Adding the
Montgomery ladder
as a routine on top of the arithmetic is not hard: it's 10 function
calls and a loop more or less.
>
>
>> (there is an additional question of small parameters: a Montgomery
>> curve with small
>> parameter is birationally equivalent to a twisted Edwards curve of
>> small parameter, but
>> the converse is not (obviously) true. Most generated curves seem to be
>> in Edwards form
>> however.)
>
> Curve25519 chose (A+2)/4 to be a small integer because Edwards curves
> had not been published yet.  All new curves should be chosen to have
> Edwards d be a small integer, because that makes the Edwards-form
> unified addition formulas faster at no cost to the Montgomery ladder
> on the isomorphic Montgomery curve.  (I've mentioned this to CFRG
> before; I wish more people had listened to me.)

Doesn't A become a ratio of small integers rather than a small integer? Although
this is still pretty fast.

>
>>>> one caches ephemeral DH
>>>> parameters so the cost of fixed-base exponentiation is amortized
>>>> across connections. OpenSSL does this anyway, and this affects
>>>> technique
>>>> slightly.
>>>
>>> This is good for performance even if you use a table to optimize
>>> fixed-base scalar multiplications.
>>
>> Very true: the NUMS performance results are thus dead wrong in ECDHE costs,
>> which are two variable-base multiplications plus a very amortized
>> fixed-base multiplication, not
>> the fixed+variable base they used.
>
> I don't see anything wrong with what MSR states as the cost of ECDHE
> -- they're consistent across the implementations, and not reusing
> ephemeral keys is the simplest implementation strategy.  (If they did
> change their figures to take key reuse into account, though, the cost
> would be only one variable-base scalar multiplication, not two.)

The numbers are right, but the conclusions are thus wrong since a
common optimization
is neglected. In particular, the absence of Montgomery form from the
proposal is based on
performance measures including a fixed based exponentiation.

Sincerely,
Watson Ladd

>
>
> Robert Ransom



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

[Cfrg] Curve selection revisited Benjamin Black
Re: [Cfrg] Curve selection revisited Yoav Nir
Re: [Cfrg] Curve selection revisited Paterson, Kenny
Re: [Cfrg] Curve selection revisited David Jacobson
Re: [Cfrg] Curve selection revisited Watson Ladd
Re: [Cfrg] Curve selection revisited Robert Ransom
Re: [Cfrg] Curve selection revisited Watson Ladd
Re: [Cfrg] Curve selection revisited Robert Ransom
Re: [Cfrg] Curve selection revisited Robert Ransom
Re: [Cfrg] Curve selection revisited Watson Ladd
Re: [Cfrg] Curve selection revisited Andrey Jivsov
Re: [Cfrg] Curve selection revisited Ilari Liusvaara
Re: [Cfrg] Curve selection revisited Robert Ransom
Re: [Cfrg] Curve selection revisited Robert Moskowitz
Re: [Cfrg] Curve selection revisited Michael Hamburg
Re: [Cfrg] Curve selection revisited Michael Jenkins
Re: [Cfrg] Curve selection revisited Michael Hamburg
Re: [Cfrg] Curve selection revisited Hannes Tschofenig
Re: [Cfrg] Curve selection revisited Hannes Tschofenig
Re: [Cfrg] Curve selection revisited Robert Moskowitz
Re: [Cfrg] Curve selection revisited Stephen Farrell
Re: [Cfrg] Curve selection revisited Michael Hamburg
Re: [Cfrg] Curve selection revisited Robert Moskowitz
Re: [Cfrg] Curve selection revisited Robert Moskowitz
Re: [Cfrg] Curve selection revisited Robert Moskowitz
Re: [Cfrg] Curve selection revisited Robert Moskowitz
Re: [Cfrg] Curve selection revisited Michael Hamburg
Re: [Cfrg] Curve selection revisited Robert Moskowitz
Re: [Cfrg] Curve selection revisited Paul Lambert
Re: [Cfrg] Curve selection revisited Paul Lambert
Re: [Cfrg] Curve selection revisited Mike Hamburg
Re: [Cfrg] Curve selection revisited Robert Ransom
Re: [Cfrg] Curve selection revisited Andrey Jivsov
Re: [Cfrg] Curve selection revisited Robert Ransom
Re: [Cfrg] Curve selection revisited Robert Ransom
Re: [Cfrg] Curve selection revisited Phillip Hallam-Baker
Re: [Cfrg] Curve selection revisited Robert Moskowitz
Re: [Cfrg] Curve selection revisited Russ Housley
Re: [Cfrg] Curve selection revisited Salz, Rich
Re: [Cfrg] Curve selection revisited Phillip Hallam-Baker
Re: [Cfrg] Curve selection revisited Salz, Rich