Re: [Cfrg] Curves as groups

[Michael Hamburg <mike@shiftleft.org>]

> On Aug 8, 2014, at 3:36 PM, Douglas Stebila <stebila@qut.edu.au> wrote:
> 
> Do members of CFRG think it important that the curve(s) we recommend be usable as arbitrary groups?  By this I mean that the implementations readily expose both a scalar point multiplication operation and a point addition operation.  

I think that’s a good idea.

> Utility as arbitrary groups would I think imply criteria R3 (Desired: re-use components between signatures and key exchange algorithms) but the reverse is not necessarily true.  

Right.  For example, you can do Schnorr signatures with Curve25519’s scalar multiplication API, so long as the signature is in (kG, s) form.

> Curve25519+Ed25519 together give key exchange and signatures, but are high-level cryptographic functions, not groups.  The Curve25519 private API has scalar point multiplication functions but not point addition; the Ed25519 private API has both.  The NUMS library has public interfaces for scalar point multiplication and kP+lQ, but arbitrary point addition is only in the private API with a disclaimer on context of use.  To what extent are these a choice by implementers to only implement the functions needed to achieve their desired cryptographic scheme versus inherent to the mathematical design?

It’s some and some.  Exposing only a kP+lQ allows you to expose an API that deals only with affine points, or even only serialized points, which avoids committing to the internal point representation format.  Furthermore, the curve might be specified one way for safety or clarity, but implemented another way for speed.

The MSR NUMS library operates on Twisted Edwards curves over a 3 mod 4 field, which have an incomplete addition formula.  This formula can be used safely only if the protocol is is designed to avoid the troublesome points, eg by clearing the cofactor.  The kP+lQ actually computes k(4P) + l(4Q) or something similar to avoid this problem.  So there’s a good reason not to expose the point addition function in the API.

Likewise, my own curve, Ed448-Goldilocks, is specified as an Edwards curve.  But internally my implementation uses an isogenous twisted Edwards curve for speed.  The isogeny clears the cofactor, so this approach is also completely safe.  The library doesn’t need to add points on the untwisted curve, so it doesn’t have that API, but it would be easy and safe to write if it were needed.  By the way, specifying untwisted and implementing twisted is a carefully thought out strategy, and I would recommend adopting it for any CFRG-approved cofactor-4 curves; see http://eprint.iacr.org/2014/027 .

> While criteria R3 will ensure we have something that we can use for key exchange and signatures immediately, I think it would be good for cryptographers to also have good, plain old groups from elliptic curves, for whatever new schemes we may invent or try to implement over the next 10 years.  Prior IETF initiatives (RFC 3526, RFC 5114) seem to have focused on groups rather than key exchange / signature functions.
> 
> Douglas

Agreed.

Cheers,
— Mike