IETF Logo Mail Archive

Re: [Cfrg] Complete additon for cofactor 1 short Weierstrass curve?

Michael Hamburg <mike@shiftleft.org> Thu, 05 November 2015 02:03 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B71C11B3636 for <cfrg@ietfa.amsl.com>; Wed, 4 Nov 2015 18:03:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.555
X-Spam-Level: *
X-Spam-Status: No, score=1.555 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hovDz5IJhqwM for <cfrg@ietfa.amsl.com>; Wed, 4 Nov 2015 18:03:26 -0800 (PST)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0495C1B3632 for <cfrg@irtf.org>; Wed, 4 Nov 2015 18:03:26 -0800 (PST)
Received: from [10.184.148.249] (unknown [209.36.6.242]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 06E26F210A; Wed, 4 Nov 2015 18:02:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1446688925; bh=S5JLO+lxqWOrP+X+hRMndgbL9YaP35GJ2ShVegzCIyQ=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=SxfSYQanik6E6M2REDNoxrL1N8It360bzjXA92CcGzpFUKYg8C4w3cFoAaY975CRY 7yPJ/nQVPTiTBCau6Gv/rqe4W6N+KTMSQCsxXFIBVCdIBihworlzwRTJmJkWJluSKO HvoVF6DprVjJ5PrQFxqnOmAXRNXUBLCbzQhn7bAg=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <CACsn0cn5mDArJP9ZgMx8pknJirP=cXj3D6bjmu6is+Q3+M81aw@mail.gmail.com>
Date: Wed, 04 Nov 2015 18:03:25 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <03927688-1642-4B99-932F-536C07CC5FB5@shiftleft.org>
References: <810C31990B57ED40B2062BA10D43FBF5D21FA2@XMB116CNC.rim.net> <5483749E.1000504@dei.uc.pt> <810C31990B57ED40B2062BA10D43FBF5D23FBB@XMB116CNC.rim.net> <548613FE.8060107@dei.uc.pt> <810C31990B57ED40B2062BA10D43FBF5E76B45@XMB116CNC.rim.net> <CACsn0c=Q=idWRNLMJhntpdYx60h-0BSCvc=7z2v3tGAyt0L4Qw@mail.gmail.com> <810C31990B57ED40B2062BA10D43FBF5E77852@XMB116CNC.rim.net> <CACsn0cn5mDArJP9ZgMx8pknJirP=cXj3D6bjmu6is+Q3+M81aw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/K18Qcdk8qpRPS8mCQUQp-AthjVM>
Cc: Dan Brown <dbrown@certicom.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Complete additon for cofactor 1 short Weierstrass curve?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2015 02:03:27 -0000

> On Nov 4, 2015, at 11:08 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> On Wed, Nov 4, 2015 at 12:41 PM, Dan Brown <dbrown@certicom.com> wrote:
>> 
>>> -----Original Message-----
>>> From: Watson Ladd
>>> Sent: Monday, November 02, 2015 11:21 AM
>>> 
>>> It's completely irrelevant in practice.
>> [DB] Seems a tad overstated. How about: too little, too late.
>> 
>>> Multiplying points by 4 or 8 before
>>> hashing and after subtracting for equality checks produces a prime order
>> group
>>> without the efficiency loss inherent to these formulas.
>> 
>> Cofactor-1 curves obviate the need for cofactor-multiplication (e.g.
>> multiplying by 4 or 8). In that regard, they improve implementation-fault
>> tolerance: one less thing for an implementer to get wrong - similar in
>> principle to using twist-security or pseudo-randomized signatures.  The
>> efficiency loss you mention is now quite a tolerable loss, due to this new
>> paper.  Given the relatively tolerable efficiency, the deciding question
>> should be about security.
> 
> An implementor who removes a multiplication by 4 where it matters will
> get the wrong result and the keys they derive will fail to agree with
> the other end. An implementor who uses incomplete formulas is not
> guaranteed to notice.

[MH]: I agree with [DB] that this paper is useful, but unlikely to be widely deployed because of its speed penalty vs the unsafe method.  But for general-purpose libraries and niche protocols that really can’t guarantee safety with non-unified formulas, this is an important step forward.  It may not quite level the playing with Edwards, but at least it avoids a potentially show-stopping problem with prime-order curves.

Cheers,
— Mike

v2.23.0 | Report a Bug | By Email