IETF Logo Mail Archive

Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices

Watson Ladd <watsonbladd@gmail.com> Thu, 20 November 2014 15:21 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 150651A1A79 for <cfrg@ietfa.amsl.com>; Thu, 20 Nov 2014 07:21:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_21=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tZFrkXQawCwN for <cfrg@ietfa.amsl.com>; Thu, 20 Nov 2014 07:21:51 -0800 (PST)
Received: from mail-yh0-x22d.google.com (mail-yh0-x22d.google.com [IPv6:2607:f8b0:4002:c01::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29BBE1A1A67 for <cfrg@irtf.org>; Thu, 20 Nov 2014 07:21:51 -0800 (PST)
Received: by mail-yh0-f45.google.com with SMTP id f10so1409989yha.4 for <cfrg@irtf.org>; Thu, 20 Nov 2014 07:21:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=Tx0cwLuabSmS1QtQjGYNlj4l4Cx9q/oC+Oqch3EqpLI=; b=Qw2jp9ayI65bj+SBj0pujpRErUBaIKeKurTp5lZ3yZIUPPthAC2DUseBmbbL+nfxht LMwcA4Qn/ED/Z5c1onUyBl3uoJwYf3ZoVKQoELpj49czWdFhLqyj35G/DQiSs+1AF5jh +h/uGBq45Oh160DmgiKgt0A48fr6muP4W+RQdp41j3nbIEvkfjWFes37OFCl0eff0pQZ h2KMCsn1/Su21eAcwkpe0z+jU3GXU11urEAHMwrjtiEbdlpOVyTC1/GQCo4A/yQQoEuY PQ7AqSUGOpikWnMSs+6om3bTqdla1TTQ4YbaxP1xFp2PMgEn8UJwI9AWsyoj0aFJLs0U idlg==
MIME-Version: 1.0
X-Received: by 10.236.11.19 with SMTP id 19mr44093665yhw.4.1416496910349; Thu, 20 Nov 2014 07:21:50 -0800 (PST)
Received: by 10.170.195.21 with HTTP; Thu, 20 Nov 2014 07:21:50 -0800 (PST)
In-Reply-To: <201411200901.53517.manfred.lochter@bsi.bund.de>
References: <8FBEB0194016E64D9DF7E7855CD88E0C073A6D@FRPASERV0088.emea.oberthurcs.com> <CACsn0ckxtztdnBYEF3jtXFizAjkX5mbeciVz=+7dRYjjvNhf0A@mail.gmail.com> <201411200901.53517.manfred.lochter@bsi.bund.de>
Date: Thu, 20 Nov 2014 07:21:50 -0800
Message-ID: <CACsn0cmV6aOMx+eiLa0iP7rYiU4ZVmeDbNPhTSz_a6oU1=kWjA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Lochter, Manfred" <manfred.lochter@bsi.bund.de>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/IGdxWW39iqXKhTI0Dp_pU_2g61o
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Nov 2014 15:21:57 -0000

On Thu, Nov 20, 2014 at 12:01 AM, Lochter, Manfred
<manfred.lochter@bsi.bund.de> wrote:
>
>
>
>
>
>
>> Of course, you don't need to take my word for it: Cloudflare was very
>> clear that widespread ECDSA support was essential to making TLS free.
>> Mobile devices are having issues with verification times for NIST
>> P384. V2V proposals involves a staggering number of verifications a
>> second, but oddly enough don't use batching or efficient signatures,
>> thus forcing larger, more expensive hardware.
>>
>
> Is there really a requirement for mobile devices to use a 384 bit curve? Why
> is 256 not sufficient? In which scenarios do you see the neccessity to use
> P-384? Which specific mobile devices are having issues with verification
> times? Are they having these problems only in connection with the proposed
> protocols you mention?

When my mobile phone's browser connects to a website whose certificate
is signed by P384, a P384 verification better take place. Not
supporting P384 introduces an interoperability problem.

>>
>> I have never seen an adequate explanation of why p random is needed
>> for security. What I have seen is an explanation of particular
>> blinding measures that only work with p random. But there are blinding
>> measures that don't depend on random p, that are more efficient.
>> Furthermore, if hardware already deals with the NIST curves, it has to
>> deal with nonrandom p already.
>
> Which specific more efficient blinding measures are you addressing? Could you
> provide sources?
> What does efficient mean for these countermeasures? A better protection
> against SCA or higher speed? Or lower cost?
> How is the patent situation for theses countermeasures?

Most devices randomizing exponents compute xP as [aq+x]P where a is
some random number and q is the order. Random primes apparently permit
q, and thus aq+x to be smaller. But each arithmetic operation, and
thus each point addition or doubling, is twice as fast for a special
prime, and thus a can be the size of q, and we have equal performance
to an unblinded multiplication on a random prime curve. This is better
protection and it's faster. It's identical to the protection you
described, except we've increased the size of a.

This was described by DJB in an email to the list, titled "Primes vs.
hardware side channels", sent October 16th.

Of course, one can always continue to use brainpool. I don't see why
the new curves have to force a 50% slowdown on everyone for benefit of
a very restricted, largely unused class of devices.

Sincerelu.
Watson Ladd

>
> Manfred
>
>>
>> Sincerely,
>> Watson Ladd
>>
>> > [1]
>> > https://www.igvita.com/2012/07/19/latency-the-new-web-performance-bottlen
>> >eck/
>> >
>> > [2] https://eprint.iacr.org/2014/130.pdf
>> >
>> > [3] http://www.statisticbrain.com/google-searches/
>> >
>> > [4] Zero-Value Point Attacks :
>> > https://www-old.cdc.informatik.tu-darmstadt.de/reports/TR/TI-03-01.zvp.pd
>> >f
>> >
>> >
>> >
>> > Franck RONDEPIERRE
>> >
>> > Oberthur Technologies
>> >
>> > Technology & Innovation , R&D Cryptography Engineer
>> >
>> > 420 rue d'Estienne d'Orves | 92700 Colombes | France
>> >
>> > Phone: +33 (0)1 78 14 73 64   | Fax : +33 (0)1 78 14 70 20
>> >
>> > E-mail : f.rondepierre@oberthur.com | Web : www.oberthur.com
>> >
>> > P Please consider your Environmental Responsibility: Before printing this
>> > e-mail or any other document, ask yourself if you need a hard copy
>> >
>> >
>> > _______________________________________________
>> > Cfrg mailing list
>> > Cfrg@irtf.org
>> > http://www.irtf.org/mailman/listinfo/cfrg
>
> --
> Lochter, Manfred
> --------------------------------------------
> Bundesamt für Sicherheit in der Informationstechnik (BSI)
> Referat K21
> Godesberger Allee 185 -189
> 53175 Bonn
>
> Postfach 20 03 63
> 53133 Bonn
>
> Telefon: +49 (0)228 99 9582 5643
> Telefax: +49 (0)228 99 10 9582 5643
> E-Mail: manfred.lochter@bsi.bund.de
> Internet:
> www.bsi.bund.de
> www.bsi-fuer-buerger.de



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email