[Cfrg] Curve25519 v Cheon ...
Dan Brown <danibrown@blackberry.com> Fri, 03 August 2018 18:49 UTC
Return-Path: <danibrown@blackberry.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A30813109A for <cfrg@ietfa.amsl.com>; Fri, 3 Aug 2018 11:49:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N0vMrKtIQxWh for <cfrg@ietfa.amsl.com>; Fri, 3 Aug 2018 11:49:26 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE951130DD4 for <cfrg@irtf.org>; Fri, 3 Aug 2018 11:49:25 -0700 (PDT)
X-Spoof:
Received: from xct102cnc.rim.net ([10.65.161.202]) by mhs214cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 03 Aug 2018 14:49:24 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT102CNC.rim.net ([fe80::2066:5d4f:8c45:af55%17]) with mapi id 14.03.0408.000; Fri, 3 Aug 2018 14:49:24 -0400
From: Dan Brown <danibrown@blackberry.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
CC: "Hugo Krawczyk (hugo@ee.technion.ac.il)" <hugo@ee.technion.ac.il>
Thread-Topic: Curve25519 v Cheon ...
Thread-Index: AdQrTlYGZ8aNSZnjQEu9MQgqAbXgzw==
Date: Fri, 03 Aug 2018 18:49:23 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF501CB6494@XMB116CNC.rim.net>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.249]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0061_01D42B39.2A25FD50"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/JqeGAse5ZzWCvf1v6vRntM9Lv9Q>
Subject: [Cfrg] Curve25519 v Cheon ...
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Aug 2018 18:49:29 -0000
Hi, I was asked off-list if I know the necessary parameter factorizations involved in the Cheon-type attack against Curve25519. This may be somewhat relevant for the Ford-Kaliski OPRF construct used in OPAQUE, recently proposed to CFRG. I did not know the relevant factorizations, but was curious, so I used SageMath to find the factorizations. TL;DR: Non-twist Curve25519 nearly fully resists Cheon attack; if twist points are allowed, then resistance is approximately typical for a curve of its size. (Reminder: Cheon's attack is expensive, requires many queries, and does not affect hashed ECDH or ElGamal-style signatures, such as ECDSA or EdDSA/Schnorr.) More details: Main curve, prime base point order n: n = 2^252+27742317777372353535851937790883648493 n-1 = 2^2 * 3 * 11 * 198211423230930754013084525763697 * 276602624281642239937218680557139826668747 n+1 = 2 * 5 * 7 * 103 * 684245902131068969 * 1466936914520620440380580414586728830413895967152734051 Twist curve, prime base point order m: m = 2^253 - 55484635554744707071703875581767296995 m-1 = 2^2 * 79 * 117223 * 6418733 * 2220636239 * 27413359092552162435694767700453926735143482401279781 m+1 = 2 * 3 * 25759 * 65239 * 84185933008598999 * 17051470131630101375531586771020539887753991037867 Caveat: I may have mis-pasted these numbers (they might be missing a digit here or there). Of course, if I mis-pasted n or m, then subsequent factorization would be wrong and irrelevant. (I factored m and n, and got primes, a check against the chance I miscopied m or n.) Aside: All these factorization were quite quick, just seconds on a PC, except n-1, which took minutes (since it is RSA-like number with two big factors). Recall that Cheon's attack has a narrow impact. If a protocol provides an oracle for a static scalar multiplier, which is usually only needed for protocols that have a blinding or oblivious step, and does not include ECDH or ElGamal signature, then Cheon's attack might reduce security slightly below the usual 128-bit level, at the cost of very many queries to the oracle. The effectiveness of this attack depends on the factorization of the base point order +/- 1. The smaller factor indicate the query complexity of the attack, while the square of the remaining factors indicates the off-line computation. (I actually the forget the details to any greater precision than that.) For Curve25519, numbers n+/-1 have either very small factors, or very large factors. The factorizations means that (non-twist) Cheon's attack has nearly negligible reduction in security, or else requires an impractical (2^60) number of queries. By contrast, considering the twist case, the m+/-1 numbers have more typical factorizations, with some medium size factors, so very roughly the attack applies in a typical way (with a large number of queries, and a huge computational cost, usually). Many Curve25519 implementations do not check for points on the twist, in which Cheon's attack on the twist might be applicable. I've heard that some proposal suggest reject points on the twist, though I am not sure which situation this applies to. I presume it is a pure fluke that non-twist-only Curve25519 nearly fully resists Cheon's attack. I don't recall if CFRG made this feature part of its desirable list, when it was asked by TLS to recommend to new curves. Brief side notes on other curves ... NIST curves: R. Gallant and I long ago wrote a paper in which we discussed this issue for NIST case in the n-1 case of the attack. IIRC, the factorizations were mostly typical (a mix of small, medium and large prime factors). We didn't do the n+1 case, pre-dating Cheon (who discovered the n+1 case). 2y^2=x^3+x/GF(8^91+5): the new curve I proposed in an I-D (and presented to CFRG), has a typical vulnerability to Cheon. I think the I-D recommends to only use this curve in ephemeral ECDH (or signatures?). Best regards, Dan
- [Cfrg] Curve25519 v Cheon ... Dan Brown
- Re: [Cfrg] Curve25519 v Cheon ... Ilari Liusvaara
- Re: [Cfrg] Curve25519 v Cheon ... Dan Brown