Re: [Cfrg] Elliptic Curves - curve form and coordinate systems
Rene Struik <rstruik.ext@gmail.com> Mon, 16 March 2015 04:09 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C661F1A0013 for <cfrg@ietfa.amsl.com>; Sun, 15 Mar 2015 21:09:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, LOTS_OF_MONEY=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1m1Tmo4kjW0C for <cfrg@ietfa.amsl.com>; Sun, 15 Mar 2015 21:09:33 -0700 (PDT)
Received: from mail-ig0-x230.google.com (mail-ig0-x230.google.com [IPv6:2607:f8b0:4001:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72DC91A0006 for <cfrg@irtf.org>; Sun, 15 Mar 2015 21:09:33 -0700 (PDT)
Received: by igbue6 with SMTP id ue6so31234647igb.1 for <cfrg@irtf.org>; Sun, 15 Mar 2015 21:09:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=xD9Px9AJrag8/a5I7fN2eSBYdpHfVpM5FiAWcyP/AwE=; b=pL3ZewL+scLdLeyzsmOVatchmtyERpDB2J+9zKGT9P8IpeNEeWjobO1NcKZFrWUEcE 4VqQFWsBneOjlAbWlK3QqhsOiOyZjHJnIRyDk2Mj1kw7q4rrsudNFfHj6anZuKaP1ghx IIJoWIBWor09bxTZL5zVn99S3C0bxDFGYKFxq8UXSZP5CDKlRfRXryiesHEuwfi3E05p TdAMd+pIPCd3wwFU88artw5/ll3sOmk+9rjFFomb2tD+pWNTDN38aag1mfYRgoQ5j65N MckNOfK/g6HSltbElarNT08YtWjrZE6Zo/UjwTfbPGo2/+06sy/qmZJB3ihhFQrLx2k8 y6tQ==
X-Received: by 10.43.13.200 with SMTP id pn8mr76577293icb.0.1426478972840; Sun, 15 Mar 2015 21:09:32 -0700 (PDT)
Received: from [192.168.0.10] (CPE7cb21b2cb904-CM7cb21b2cb901.cpe.net.cable.rogers.com. [99.231.49.38]) by mx.google.com with ESMTPSA id ao5sm6194955igc.3.2015.03.15.21.09.32 for <cfrg@irtf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 15 Mar 2015 21:09:32 -0700 (PDT)
Message-ID: <55065772.2020007@gmail.com>
Date: Mon, 16 Mar 2015 00:09:22 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: cfrg@irtf.org
References: <20150316002255.28855.qmail@cr.yp.to>
In-Reply-To: <20150316002255.28855.qmail@cr.yp.to>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/MXUFqCxzYTqvwpvdPPy8bQOpBAI>
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2015 04:09:35 -0000
Hi Dan: It seems you confuse the sender and recipient side here: on the sender's side, the incremental cost of computing an affine point representation from an x-coordinate-only one is quite insignificant, whereas, indeed, on the recipient's side, this incremental cost is quite high. Hence, the entire discussion. Rene [excerpt of email Dan Bernstein as of Sun March 15, 2015, 8.22pm EDT] Meanwhile you're forcing the ECDH key generator to compute v in the first place---a significant increase in the complexity of the simplest (Montgomery ladder) keygen software. On 3/15/2015 8:22 PM, D. J. Bernstein wrote: > One of the OpenSSL security fixes this year was correcting a bug in > point validation. The bug is estimated to allow more than 2^192 bogus > (x,y) pairs for NIST P-256, and presumably a few of those have order > below 2^66. Finding these medium-order points is an open problem for the > moment, but anyone who _can_ find them can use an active invalid-point > attack to break Microsoft's two-hour ECDH keys with <2^70 computations, > and thus to decrypt all other connections made during that two-hour > period. (The computations don't have to finish within the two hours. > Maybe this work can even be shared across multiple ECDH keys; I'd have > to look at other protocol details to figure this out.) > > How many years did it take for this bug to be found in a very widely > used cryptographic library? Who's reviewing all the other NIST P-256 > implementations to see whether they even _try_ to validate points, never > mind whether they get it right? > > With the Montgomery ladder, the curve is reused in every step, and a bug > that corrupts computations will simply move to different points on the > same curve or its twist. Next-generation curves such as Curve25519 > guarantee that _none_ of those points have dangerous orders. The fault > attack in > > https://www.di.ens.fr/~fouque/pub/fdtc08.pdf > > worked only because it targeted old-fashioned curves that weren't > twist-secure, such as NIST P-224. With proper choices (twist-secure > curve, and scalar bits set accordingly) Montgomery-ladder ECDH doesn't > need _any_ input validation. > > In particular, input 0 is handled correctly without any special tests, > contrary to Rene's comments and earlier comments from Microsoft. See > https://www.ietf.org/mail-archive/web/cfrg/current/msg05004.html. > > Here's another interesting data point regarding code simplicity. In > flipping through Microsoft's "constant-time" ECCLib_v1.1, I noticed > > temp = (scalar[0] & val1) - val2; // ki = (k mod 2^w)/2^(w-1) > *digits = (int)temp; > digits++; > res = scalar[0] - temp; // k = (k-ki)/2^(w-1) > borrow = (temp > 0) & (scalar[0] < (unsigned int)temp); > > inside the fixed_window_recode() function. The scalar is, apparently, > supplied by an attacker, and I would expect the compiler in most cases > to turn the comparisons into variable-time branches, leaking scalar bits > through timing---clearly violating the "constant-time" promise. With the > Montgomery ladder, the scalar bits are used in a much simpler way, > minimizing the number of opportunities to screw up the implementation. > > Andrey Jivsov writes: >> A sample of the interest in unified format can be found here: > You misunderstand. There are two different types of ECDH keygen code > available for X25519: > > * _simple_ key generators that use the Montgomery ladder; > * _fast_ key generators that use precomputed Edwards points and > convert the output to Montgomery format. > > Both of these approaches produce identical Montgomery x-coordinates on > the wire. The fact that the fast implementations use Edwards internally > doesn't mean that all implementations want to do this (for most people > simplicity is more important than this extra burst of keygen speed) and > certainly doesn't mean that it's a good idea to use anything other than > Montgomery x on the wire for ECDH. > > [ send an extra coordinate v along with the Montgomery x ] >> An implementation that uses a Montgomery ladder simply ignores v > Well, yes, this is what any sensible ECDH receiver will do, so why waste > the network traffic? Meanwhile you're forcing the ECDH key generator to > compute v in the first place---a significant increase in the complexity > of the simplest (Montgomery ladder) keygen software. > >> implement both signatures and ECDH > Switching from a "unified" format to Montgomery x for ECDH usually makes > this type of software _simpler_. The underlying issue is that there are > actually three different scalar-multiplication operations of interest: > > * double-scalar multiplication (signature verification); > * fixed-base-point single-scalar multiplication (signing/keygen); and > * variable-base-point single-scalar multiplication (ECDH). > > For example, in Microsoft's library these are ECC_DBLMUL_TE, > ECC_MUL_FIXED_TE, and ECC_MUL_TE. Ripping all the ECDH-specific > functions out of the library (ECC_MUL_TE, fixed_window_recode, etc.), > and replacing them with a Montgomery ladder, would _simplify_ the code. > > Furthermore, even if you can find a signature+ECDH library where a > "unified" format _reduces_ complexity rather than _increasing_ it, the > percentage saved will obviously be quite small---whereas sticking to > Montgomery x for ECDH saves a _much_ larger percentage of a pure ECDH > implementation. > >> a single set of test vectors, code reuse, and the benefits of sharing >> pre-computed values > Every function needs its own test vectors in any case. Pre-computed > values are shared in any case. As for code reuse, see above. > >> no (measurable) performance penalty > The extra network traffic is a measurable performance penalty, and is > more important than the CPU time saved for decompression inside > signature verification. See below. > > Michael Hamburg writes: > [ compression ] >> saves time and energy on radio links > Yes, obviously. > >> but costs time and energy on wired ones > No. > > Time: Curve25519 decompression takes roughly 5 microseconds on a typical > server CPU core, but this is less than the time that the core needs to > receive 256 bits from the Internet---unless you've bought a single > quad-core server to handle more than 200Mbps of Internet traffic; this > doesn't make economic sense. > > Energy: 10 USD of electricity will pay for about 10 watt-years of this > 125-watt quad-core CPU, i.e., a month of CPU time, i.e., 2000000000000 > decompressions, saving 64 terabytes of Internet traffic---a month of > continuous traffic at 200Mbps, as above. Some ISPs do sell noticeable > fractions of 200Mbps for 10 USD/month, but that's because they know that > most users won't use the network anywhere near continuously. > >> or when the point is cached > No. You pay _once_ to decompress a point the first time you use it, and > after that you cache the decompressed version. (I'm assuming that it's > cheaper for you to store the extra bytes than to recompute them; if not, > you should cache the compressed version.) Local caching doesn't affect > the performance impact of compression on the wire. > > ---Dan > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg -- email: rstruik.ext@gmail.com | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
- Re: [Cfrg] Elliptic Curves - curve form and coord… Viktor Dukhovni
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- [Cfrg] (flaws with Curve25519 DH function, if one… Rene Struik
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Viktor Dukhovni
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- [Cfrg] (flaws with Curve25519 DH function, if one… Rene Struik
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nico Williams
- Re: [Cfrg] (flaws with Curve25519 DH function, if… David Leon Gil
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Viktor Dukhovni
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Nico Williams
- Re: [Cfrg] (flaws with Curve25519 DH function, if… CodesInChaos
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Salz, Rich
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Watson Ladd
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Ilari Liusvaara
- Re: [Cfrg] (flaws with Curve25519 DH function, if… CodesInChaos
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alexey Melnikov
- [Cfrg] Elliptic Curves - curve form and coordinat… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Dan Brown
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - curve form and coord… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - curve form and coord… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Mike Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nadim Kobeissi
- Re: [Cfrg] Elliptic Curves - curve form and coord… Adam Langley
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Adam Langley
- Re: [Cfrg] Elliptic Curves - curve form and coord… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - curve form and coord… Paul Lambert
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Salz, Rich
- Re: [Cfrg] Elliptic Curves - curve form and coord… Adam Langley
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nico Williams
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Dan Brown
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Paterson, Kenny
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Jakob Breier
- Re: [Cfrg] Elliptic Curves - curve form and coord… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nico Williams
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Jakob Breier
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Salz, Rich
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg