IETF Logo Mail Archive

Re: [Cfrg] Criteria for the selection of new ECC mechanisms

Michael Hamburg <mike@shiftleft.org> Tue, 29 April 2014 17:38 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1D081A0931 for <cfrg@ietfa.amsl.com>; Tue, 29 Apr 2014 10:38:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.557
X-Spam-Level: *
X-Spam-Status: No, score=1.557 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.982, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A9_emI8poC6c for <cfrg@ietfa.amsl.com>; Tue, 29 Apr 2014 10:38:53 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) by ietfa.amsl.com (Postfix) with ESMTP id 15E6F1A092A for <cfrg@irtf.org>; Tue, 29 Apr 2014 10:38:52 -0700 (PDT)
Received: from [10.184.148.249] (w035.z205158021.lax-ca.dsl.cnc.net [205.158.21.35]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id A56123AA3F; Tue, 29 Apr 2014 10:37:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1398793026; bh=36uRfBMfB8NwLJ+8LeqYk/w3cYQZElwenOg30XeSO3Y=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=CXgVUUOETb4NoCgbjbm8BN04Q2We00eewrf7KimbTR+icXYBgZ+Nq5+/vcYNa7/Wr vL1wcljfHIX+TkXUTyhQk9mLctyIHWmy1ImzcXmmeZu89kxR29UvAYULaMEtt3pyBN DnGMG5yFD/zxpp7IPDZ9Z683oRcqnJg0zk/H5V/M=
Content-Type: multipart/alternative; boundary="Apple-Mail=_9C2FD47D-028F-42EC-91AD-FCC519EA68AC"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <535FDD0A.7070206@gmail.com>
Date: Tue, 29 Apr 2014 10:38:48 -0700
Message-Id: <67C14570-0DFD-4031-97D0-00C946736EE3@shiftleft.org>
References: <535FB927.8080909@cisco.com> <535FDD0A.7070206@gmail.com>
To: Rene Struik <rstruik.ext@gmail.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/LnCXV7tT8ONtjDqgj6Ft4N4M_Ek
Cc: David McGrew <mcgrew@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Criteria for the selection of new ECC mechanisms
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2014 17:38:54 -0000

Hello,

I agree that some of these requirements look like a presort.  More comments inline.  I will probably not be in the meeting this afternoon, because my employer is hesitant to agree to IP disclosure rules :-(

On Apr 29, 2014, at 10:10 AM, Rene Struik <rstruik.ext@gmail.com> wrote:

> Hi David:
> 
> Some preliminary comments below. Summary: some of the "requirements" you state below seem to effectively pre-sort on solution directions, rather than stipulating real requirements, which in my mind is undesirable. We can discuss more during the virtual call this afternoon.
> 
> Rene
> 
> On 4/29/2014 10:37 AM, David McGrew wrote:
>> 
>>   R8.  Required: amenable to constant-time implementations, to avoid
>>   side channel attacks [2]
> RS>>
> The more general requirement is that constructs should allow secure implementations, which stretches much further than constant-time operations.
> <<RS

What’s more, it’s important that the constructs should allow relatively simple and efficient secure implementations.  A curve that has straightforward constant-time complete addition formulas is preferable to one where the complete addition formulas are much slower or more complicated.

Likewise, if a curve is designed for GLS/GLV, it should be possible to exploit this in constant time without losing the GLS/GLV advantages.

>>   R9.  Required: resist twist attacks [2]
> RS>>
> This is just and example of a particular implementation attack in a very wide spectrum. It would be a shame if this were supposed to rule out any non "twist-secure" curves, just because of this stipulation. There are many ways to skin a cat or here and providing secure implementations.
> <<RS

I agree that we shouldn’t state twist-security as a hard requirement, as there are other defenses.  That said, twist-security isn’t terribly hard to come by even at high security levels, costing perhaps $20 of EC2 compute time for both a curve and a certificate that it’s the first one.  So I don’t see a particularly good reason to use curves without this property unless everyone is generating their own for some reason.

>>   R10.  Required: curve parameters should have good provenance;
>>   random curves should be provably pseudorandom [5]
> RS>>
> Indeed, curve parameters should have good provenance. The second statement is up to debate. If one wishes to go this way, shouldn't one also stipulate that the prime fields underlying a prime curve should be generated randomly?
> <<RS

This is only a requirement for curves with claimed random parameters.  If the underlying prime is claimed to be random, there should be strong evidence that it was indeed generated at random.  Likewise, if it is non-random, there must be strong evidence of rigidity (it’s the curve with the lowest-in-absolute-value d, mod the first prime in this family of implementation-friendly primes, which satisfies the safety properties).

>> R12.  Required for PAKE: indistinguishability of curve points from
>>   random strings [2]
> RS>>
> While intuitively perhaps a nice feature, not sure why this would be a requirement. Besides, this again seems to presort on solution directions, since this would prohibit use of, e.g., affine curve points (as, e.g., Dragonfly uses). The world is bigger than x-coordinate only arithmetic.
> <<RS

PAKE support shouldn’t be a requirement, and this feature is not even required for PAKE.  SPEKE, SPAKE2EE and Dragonfly don’t even use indistinguishability, just an inverse-samplable map to a large subset of the curve (eg, SWU/BCIMRT or Elligator).  SPAKE2 and JPAKE don’t even use that.  It’s only EKE and anti-censorship applications that use this, and you can use Tibouchi’s “Elligator Squared” (which is actually the same as BCIMRT) on any curve with a small overhead in ciphertext size.

Cheers,
— Mike

> Footnotes:    [1] Original criteria set out for the Advanced Encryption Standard,        which is equally applicable to ECC.  National Institute of        Standards and Technology (NIST) of the United States, 1998.    [2] Daniel J. Bernstein and Tanja Lange. SafeCurves: choosing safe
>> curves for elliptic-curve cryptography.
>>       http://safecurves.cr.yp.to, accessed April 2014.
>> 
>>   [3] Criteria identified by David McGrew, 2014.
>> 
>>   [4] Criteria identified by Russ Housley, TLS WG meeting at IETF89.
>> 
>>   [5] Criteria widely acknowledged on CFRG email list during 2014.
>> 
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
> 
> 
> -- 
> email: rstruik.ext@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email