Re: [Cfrg] Curve manipulation, revisited
Benjamin Black <b@b3k.us> Mon, 29 December 2014 07:57 UTC
Return-Path: <b@b3k.us>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CC571A0007 for <cfrg@ietfa.amsl.com>; Sun, 28 Dec 2014 23:57:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.723
X-Spam-Level:
X-Spam-Status: No, score=0.723 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QFAiFq16VBvG for <cfrg@ietfa.amsl.com>; Sun, 28 Dec 2014 23:57:43 -0800 (PST)
Received: from mail-wi0-f182.google.com (mail-wi0-f182.google.com [209.85.212.182]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD8BF1A0004 for <cfrg@irtf.org>; Sun, 28 Dec 2014 23:57:42 -0800 (PST)
Received: by mail-wi0-f182.google.com with SMTP id h11so21267318wiw.15 for <cfrg@irtf.org>; Sun, 28 Dec 2014 23:57:41 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type; bh=1+I/KKiCFEuVFEJ0tg84YrX6KDZzv+d4BOG4aqZ8VEE=; b=mpG52j8DP22vaiAZWlStWtwNQ0VSoQisZO342BGqFZuerj2a4MNKV/4zMFDer/PM+v sMHTU+vGs1uuCXw7DewVl6w6ypl0FZ7Rx3NhH7fPuXdfkFn3qh3b7YJwX7Y2vaEnUhHK BWY+OYdvrocMrEpQANAIo6/zLbZlG+T0dxSjHn2Y0TEI1sdr8M6sBtNE3DQxBFaRg8UY /6QrEGRt0EiIN8xDPEC7vr5G+b9ffkoWUDBKtjkVRBHBLfbTR+51GpSBUoSRdVF7iybf y0ldnOJ18fLN0Q1tPQLcNcZ0CgnuBB9/edTMYU+TsH1idaAMUbWj96aKC2UifesvVEGs YohQ==
X-Gm-Message-State: ALoCoQmuS+Us+T8z47UIQ74IaOa3Ri+3E89Z5Mo8zLG/BBepdpJgw4HuQslQu/JAQAh0IfRocT7L
X-Received: by 10.194.237.101 with SMTP id vb5mr107658929wjc.30.1419839861537; Sun, 28 Dec 2014 23:57:41 -0800 (PST)
MIME-Version: 1.0
Received: by 10.216.190.139 with HTTP; Sun, 28 Dec 2014 23:57:21 -0800 (PST)
In-Reply-To: <CAMfhd9Ua5fFZk46Xx1AN2VgyJ=Yng6fnO8aN-_ZfzXQn0Xbxhg@mail.gmail.com>
References: <CAMfhd9W684XMmXn3ueDmwrsQ_ZdiFG+VqYLxkvs7qDwiJdpk6w@mail.gmail.com> <1725646678.805875.1419539885135.JavaMail.yahoo@jws100115.mail.ne1.yahoo.com> <CAMfhd9Ua5fFZk46Xx1AN2VgyJ=Yng6fnO8aN-_ZfzXQn0Xbxhg@mail.gmail.com>
From: Benjamin Black <b@b3k.us>
Date: Sun, 28 Dec 2014 23:57:21 -0800
Message-ID: <CA+Vbu7zqFcu8d1053mZ_eEm0q=np6T3snSQ4rfY0k1-4hBVDsA@mail.gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="089e013d202895d621050b563ae3"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/U8kQFjFK035G89SlxC9Qzxn9haY
Subject: Re: [Cfrg] Curve manipulation, revisited
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Dec 2014 07:57:47 -0000
Adam has accurately described our position, and thanks to him for taking up the slack while many of us were on holiday. The request might've come from the TLS-WG, but it is almost inconceivable that something CFRG recommended to TLS-WG would not be quickly adopted by many other WGs. It is disingenuous to argue that since the request came from TLS-WG nothing outside TLS-WG should be a consideration while also arguing that things like cofactors for 1 (mod 4) curves must be exactly (8,4) without giving an example of how it matters to TLS-WG. The latter is an implicit acknowledgement that the scope extends beyond TLS-WG. Similarly, suggesting that TLS-WG could be given only X25519 without Ed25519 being pulled in is either naive or an attempt to sneak them both in the back door. My use of the term "compromise" when presenting the current draft seems to have opened the door to some misunderstanding. I used the term in the sense of finding common ground rather than in the sense of introducing flaws. I would not expect anyone in this process to find it acceptable to introduce what they believe to be a security flaw, conspiracy theorists aside. As Adam said, it would be a failure if the consensus that emerged from CFRG did not include Microsoft, as it would be if it didn't include Google or Akamai or anyone else with direct responsibility for protecting a billion people online. We have chosen to move some on what is acceptable to us because it is more important that there is a result that includes enough of the things we believe are essential for delivering that protection than that we get to be "right". I've included more specific responses below. Thanks, b -- The view voiced by several people that the 128-bit security level curve in the draft is Curve25519 is a bit off base. First, the draft describes generation of (twisted) Edwards curves and the 128-bit curve has minimal d (given the addition of the newly manufactured cofactor constraint), while Ed25519 does not. This is an advantage for both performance and rigidity with a tiny reduction in simplicity of implementation, achieving a better balance between security, performance, and simplicity. Second, the specified base point is not the same and can't be the same without forcing the (arbitrary) choice. The result is that it is straightforward to modify existing Curve25519 implementations to use the new curve, but modification is likely required. On Wed, Dec 24, 2014 at 2:47 PM, D. J. Bernstein <djb@cr.yp.to> wrote: > Once upon a time, Microsoft said that it was a "requirement" to have > "rigid parameter generation for primes and curve constants" given the > "security level". Once upon a time, Dan said that is was a "requirement" to use single coordinate ladders to eliminate invalid curve attacks against DH implementations: On Tue, Dec 2, 2014 at 1:28 AM, D. J. Bernstein <djb@cr.yp.to> wrote: > > Invalid-curve attacks completely break the simplest DH implementations > in Montgomery coordinates _and_ in Edwards coordinates. Rather than > blaming the implementor, we eliminate these security failures by > > * adding twist security, for both Montgomery and Edwards, and > * switching to single-coordinate ladders. > Yet for Curve41417, ladders suddenly become optional, just as we've said all along they should be: "We use a windowing method with fixed window width for constant-time single-scalar multiplication on Curve41417 in Edwards form. Our analysis also allows good estimates of, e.g., the cost of signature verification using Curve41417. Another option for single-scalar multiplication is the Montgomery ladder for the Montgomery form of Curve41417; this is not quite as fast as the Edwards form but has the advantage of fitting the computation into less SRAM." It seems performance is the real priority here and you will happily discard things you insist are necessary for security when they conflict with performance. At the 128-bit security level the ladder can be faster. At the 200-bit+ security levels the ladder is slower. Should we blame the implementor who elects not to use a single-coordinate ladder? Should we wonder why you would choose not to eliminate these security failures? This section of your paper raises another interesting point. It seems a slight performance drop in exchange for consuming less SRAM can be a desirable property to you. In Adam's Faster Curve25519 post ( https://www.imperialviolet.org/2013/05/10/fastercurve25519.html) he achieves significant performance improvements at a cost of 24KB of cache for tables. Our NUMS 256 curve performs slightly slower than this, but only requires 9KB for tables. The 15KB difference represents almost 25% of the 64KB L1 cache in a typical Xeon and almost 50% of the 32KB L1 data cache in a typical ARM. It's not quite as fast but has the advantage of fitting the computation into less SRAM. On Mon, Dec 22, 2014 at 5:54 PM, Tanja Lange <tanja@hyperelliptic.org> wrote: > > I think a competition has more to offer than a 'collaboration' where > parties get more influence by having more people send emails to the list. > I'm not sure what point you are trying to make here. The people who haven't submitted curves should remain silent? That is antithetical to the IETF process. If you are suggesting it shouldn't be a process whereby a minority attempts to "stuff the ballot box" by getting a few people to yell loud and often to drown out differing opinions, then I agree. However, I don't think we would agree on who might be doing that. > What should count are the merits of papers, implementations, and internet > drafts so that proposals get more influence by being objectively better. > "Objectively better" is unrealistic as it depends on which implementation, which architectures, which benchmarks and which priorities people have for various properties of the curves. The example above for different L1 cache footprint shows how slippery "objectively better" can be. Another example would be the large d in Ed25519 compared to the minimal d in the rpgecc draft. The smaller d is "objectively better" both in terms of performance and rigidity, but isn't quite as simple to move between twisted Edwards and Montgomery. On Thu, Dec 25, 2014 at 12:55 PM, Salz, Rich <rsalz@akamai.com> wrote: >> desirable. But, to make progress, people need to try and understand >> Microsoft's position.) > >Then perhaps, as you stated earlier in the note, it would be good if we didn't have to guess. > >It's kinda funny that NUMS curve has us now wanting a NUMS rationale. But perhaps funny isn't the right word, maybe sad or >pathetic is. You've been in this from the start, so I find it odd you don't recall any of the numerous times this has been covered, Rich. We don't see the small potential performance gains as worth the additional flexibility introduced by manipulating prime selection like this. You are of course free to disagree, but there is no "objectively better" answer as it is a trade-off. You might also consider not calling things you don't understand or with which you disagree "sad" or "pathetic". On Mon, Nov 3, 2014 at 8:37 AM, Watson Ladd <watsonbladd@gmail.com> wrote: > On Mon, Nov 3, 2014 at 8:18 AM, Paterson, Kenny > <Kenny.Paterson@rhul.ac.uk> wrote: > > Alyssa, > > > <snip> > > > > However, if there's a reasonably simple way to ensure the highest > possible > > levels of trustworthiness in our recommendations with unduly compromising > > efficiency and security, then I am prepared to sacrifice some extra time > > to achieve it. > > That assumes that picking a generation method would "ensure the > highest possible levels of trustworthiness". It's not clear to me that > it would. Opponents of the performance approach can demonstrate the > flexibility they insist exists by putting BADA55 in the hexadecimal > form of the coefficients obtained by taking the minimal equation > satisfying reasonable constraints on a performance-oriented prime. There are at least two, possibly three, fallacies present in this challenge. The first is that the enormous flexibility required to insert such a string in the coefficients is at all a relevant metric. The second is that the BADA55 work used what anyone who wasn't pushing a very particular agenda would call "reasonable constraints". The third is that the "performance approach" represents much additional performance, that the performance gains are certain regardless of architecture or protocol, or that any additional performance is free. It's worth noting that we have at least two rather different interpretations of BADA55 present in these discussions. Your interpretation seems to be that if you can't insert BADA55 in the coefficients then the process is rigid. Adam's interpretation (which might match Dan's) is that any claim of rigidity in generation is necessarily limited.
- [Cfrg] Curve manipulation, revisited D. J. Bernstein
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited David Gil
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited David Gil
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited David Gil
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Alyssa Rowan
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Yoav Nir
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Michael Hamburg
- Re: [Cfrg] Curve manipulation, revisited Yoav Nir
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Yoav Nir
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Mike Hamburg
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Rob Stradling
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Benjamin Black
- Re: [Cfrg] Curve manipulation, revisited Tony Arcieri
- Re: [Cfrg] Curve manipulation, revisited Adam Langley
- Re: [Cfrg] Curve manipulation, revisited Rob Stradling
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Paul Hoffman
- Re: [Cfrg] Curve manipulation, revisited Nico Williams
- Re: [Cfrg] Curve manipulation, revisited Watson Ladd
- Re: [Cfrg] Curve manipulation, revisited Salz, Rich
- Re: [Cfrg] Curve manipulation, revisited Paul Hoffman
- Re: [Cfrg] Curve manipulation, revisited Alyssa Rowan
- Re: [Cfrg] Curve manipulation, revisited Peter Dettman
- Re: [Cfrg] Curve manipulation, revisited Harry Halpin
- Re: [Cfrg] Curve manipulation, revisited Michael Hamburg
- Re: [Cfrg] Curve manipulation, revisited Peter Dettman