IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - curve form and coordinate systems (ends on March 12th)

Dan Brown <dbrown@certicom.com> Thu, 12 March 2015 21:04 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8121A1A9082 for <cfrg@ietfa.amsl.com>; Thu, 12 Mar 2015 14:04:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b5MW9YV3au7q for <cfrg@ietfa.amsl.com>; Thu, 12 Mar 2015 14:04:07 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id 9EE161A90D0 for <cfrg@irtf.org>; Thu, 12 Mar 2015 14:04:00 -0700 (PDT)
Received: from xct103cnc.rim.net ([10.65.161.203]) by mhs210cnc.rim.net with ESMTP/TLS/AES128-SHA; 12 Mar 2015 17:03:52 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT103CNC.rim.net ([fe80::b8:d5e:26a5:f4d6%17]) with mapi id 14.03.0210.002; Thu, 12 Mar 2015 17:03:51 -0400
From: Dan Brown <dbrown@certicom.com>
To: "'agl@imperialviolet.org'" <agl@imperialviolet.org>, "'crypto@brainhub.org'" <crypto@brainhub.org>
Thread-Topic: [Cfrg] Elliptic Curves - curve form and coordinate systems (ends on March 12th)
Thread-Index: AQHQV5x2tv+uOz4J70SIOXPNx3fD6p0Zhp+AgAAJpICAAAMMgIAAA5QA///AgrA=
Date: Thu, 12 Mar 2015 21:03:51 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5D75FAD@XMB116CNC.rim.net>
References: <54F8E735.2010202@isode.com> <5501E6A5.5040608@brainhub.org> <CAMfhd9VNM7q7PKfxDdZPOFAMBsyKfREUOotxtYycozvsS9UvxA@mail.gmail.com> <5501F149.2070008@brainhub.org> <CAMfhd9WnQpPFhkco5F+j9yLPa_FRxk=_PtBU-CA6wCEjG1jPUQ@mail.gmail.com>
In-Reply-To: <CAMfhd9WnQpPFhkco5F+j9yLPa_FRxk=_PtBU-CA6wCEjG1jPUQ@mail.gmail.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_001B_01D05CE6.83708FD0"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/GawsHlDafnR3OIK06QouYwypX6A>
Cc: "'cfrg@irtf.org'" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems (ends on March 12th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2015 21:04:08 -0000

> -----Original Message-----
> From: Adam Langley
> 
> pitfalls. Here the pitfall would be omitting to check that (u,v) is a point on the
> curve—something that sending compressed points avoids.

 [DB] Compressed points are not really what protects against bad points (though I've also forgotten that fact a few times too).  For Curve25519, the protection is from the XZ (oops UW?) coordinates, i.e. the Montgomery ladder, plus twist security. In other words, upon receiving v for ECDH, just discard v.  (* Well, maybe there's protection from the field size too, see below.)
 
Last fall, I sent CFRG an example of an order 11 compressed bad point for P256 (perhaps some people manually/automatically ignore my messages, understandably ;-)

I have not worked out the details of a similar example for Curve25519. To be applicable, some Curve25519 user would have to decompress to XYZ (oops UVW) coordinates.  I'm not aware of anybody using XYZ coordinates for Curve25519, or any good reason to do so.  But bad compressed points could probably be found for some XYZ coordinate addition rules. (* Well, I didn't check if there's a realistic bad decompression for 5 mod 8 fields, i.e. a natural way to produce false square roots).

v2.23.0 | Report a Bug | By Email