IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - curve form and coordinate systems

Michael Hamburg <mike@shiftleft.org> Mon, 16 March 2015 04:44 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4EF21A006F for <cfrg@ietfa.amsl.com>; Sun, 15 Mar 2015 21:44:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.556
X-Spam-Level: *
X-Spam-Status: No, score=1.556 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, LOTS_OF_MONEY=0.001, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X_UtTZ8W6VW7 for <cfrg@ietfa.amsl.com>; Sun, 15 Mar 2015 21:44:34 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62C2A1A005F for <cfrg@irtf.org>; Sun, 15 Mar 2015 21:44:34 -0700 (PDT)
Received: from [192.168.1.107] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id C9917F210A; Sun, 15 Mar 2015 21:41:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1426480885; bh=tXN9WbsQSWwNkbxfSyBxYrgbukT8zTyydg/A1YbIJ3g=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=ivVzh0uKVSZZRsGbKvhqpfBRe/npovQ1IP8jUlxEFAXB268/kuVdikt4Ufqc9YsK8 lrhVBnFvwHxwGNg9pdLG86aP7EqSw8panCLj5eNthcxBUlRvbY5O+w1H3A7FRDlOwO MGst/n72afGJpfdHYhkmw4f0YuDr7cEMfpFRPfJI=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2087\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <55065772.2020007@gmail.com>
Date: Sun, 15 Mar 2015 21:44:32 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <E414DBC4-5BD2-45D1-98D1-54B675AC1C01@shiftleft.org>
References: <20150316002255.28855.qmail@cr.yp.to> <55065772.2020007@gmail.com>
To: Rene Struik <rstruik.ext@gmail.com>
X-Mailer: Apple Mail (2.2087)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/V45OoTkfNMnl7nHbnG_gT1jAVsg>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2015 04:44:36 -0000

Rene,

Dan’s technical point is that except in the most network-glutted environments (maybe a datacenter LAN), it’s essentially always cheaper in both time and energy and money to compute v on the recipient’s side instead of sending it, if you aren’t using the Montgomery ladder.  Furthermore it doesn’t add much complexity to compute on the recipient’s side.  And if you are using the Montgomery ladder — which saves complexity instead of adding it — then sending the extra coordinate is an utter waste.

Dan,

I’m not convinced that the Montgomery ladder is automatically safe from fault attacks on a twist-secure curve.  The ladder’s internal state has an invariant, that P+Q=R.  If that condition is violated, you could end up somewhere different.  The ladder does use the curve constant at every step, but I’m not sure that automatically gives immunity.  But it does make the attacker’s job harder.

— Mike

> On Mar 15, 2015, at 9:09 PM, Rene Struik <rstruik.ext@gmail.com> wrote:
> 
> Hi Dan:
> 
> It seems you confuse the sender and recipient side here: on the sender's side, the incremental cost of computing an affine point representation from an x-coordinate-only one is quite insignificant, whereas, indeed, on the recipient's side, this incremental cost is quite high. Hence, the entire discussion.
> 
> Rene
> 
> 
> [excerpt of email Dan Bernstein as of Sun March 15, 2015, 8.22pm EDT]
> 
> Meanwhile you're forcing the ECDH key generator to
> compute v in the first place---a significant increase in the complexity
> of the simplest (Montgomery ladder) keygen software.
> 
> 
> On 3/15/2015 8:22 PM, D. J. Bernstein wrote:
>> One of the OpenSSL security fixes this year was correcting a bug in
>> point validation. The bug is estimated to allow more than 2^192 bogus
>> (x,y) pairs for NIST P-256, and presumably a few of those have order
>> below 2^66. Finding these medium-order points is an open problem for the
>> moment, but anyone who _can_ find them can use an active invalid-point
>> attack to break Microsoft's two-hour ECDH keys with <2^70 computations,
>> and thus to decrypt all other connections made during that two-hour
>> period. (The computations don't have to finish within the two hours.
>> Maybe this work can even be shared across multiple ECDH keys; I'd have
>> to look at other protocol details to figure this out.)
>> 
>> How many years did it take for this bug to be found in a very widely
>> used cryptographic library? Who's reviewing all the other NIST P-256
>> implementations to see whether they even _try_ to validate points, never
>> mind whether they get it right?
>> 
>> With the Montgomery ladder, the curve is reused in every step, and a bug
>> that corrupts computations will simply move to different points on the
>> same curve or its twist. Next-generation curves such as Curve25519
>> guarantee that _none_ of those points have dangerous orders. The fault
>> attack in
>> 
>>    https://www.di.ens.fr/~fouque/pub/fdtc08.pdf
>> 
>> worked only because it targeted old-fashioned curves that weren't
>> twist-secure, such as NIST P-224. With proper choices (twist-secure
>> curve, and scalar bits set accordingly) Montgomery-ladder ECDH doesn't
>> need _any_ input validation.
>> 
>> In particular, input 0 is handled correctly without any special tests,
>> contrary to Rene's comments and earlier comments from Microsoft. See
>> https://www.ietf.org/mail-archive/web/cfrg/current/msg05004.html.
>> 
>> Here's another interesting data point regarding code simplicity. In
>> flipping through Microsoft's "constant-time" ECCLib_v1.1, I noticed
>> 
>>    temp = (scalar[0] & val1) - val2; // ki = (k mod 2^w)/2^(w-1)
>>    *digits = (int)temp;
>>    digits++;
>>    res = scalar[0] - temp;           // k = (k-ki)/2^(w-1)
>>    borrow = (temp > 0) & (scalar[0] < (unsigned int)temp);
>> 
>> inside the fixed_window_recode() function. The scalar is, apparently,
>> supplied by an attacker, and I would expect the compiler in most cases
>> to turn the comparisons into variable-time branches, leaking scalar bits
>> through timing---clearly violating the "constant-time" promise. With the
>> Montgomery ladder, the scalar bits are used in a much simpler way,
>> minimizing the number of opportunities to screw up the implementation.
>> 
>> Andrey Jivsov writes:
>>> A sample of the interest in unified format can be found here:
>> You misunderstand. There are two different types of ECDH keygen code
>> available for X25519:
>> 
>>    * _simple_ key generators that use the Montgomery ladder;
>>    * _fast_ key generators that use precomputed Edwards points and
>>      convert the output to Montgomery format.
>> 
>> Both of these approaches produce identical Montgomery x-coordinates on
>> the wire. The fact that the fast implementations use Edwards internally
>> doesn't mean that all implementations want to do this (for most people
>> simplicity is more important than this extra burst of keygen speed) and
>> certainly doesn't mean that it's a good idea to use anything other than
>> Montgomery x on the wire for ECDH.
>> 
>>   [ send an extra coordinate v along with the Montgomery x ]
>>> An implementation that uses a Montgomery ladder simply ignores v
>> Well, yes, this is what any sensible ECDH receiver will do, so why waste
>> the network traffic? Meanwhile you're forcing the ECDH key generator to
>> compute v in the first place---a significant increase in the complexity
>> of the simplest (Montgomery ladder) keygen software.
>> 
>>> implement both signatures and ECDH
>> Switching from a "unified" format to Montgomery x for ECDH usually makes
>> this type of software _simpler_. The underlying issue is that there are
>> actually three different scalar-multiplication operations of interest:
>> 
>>    * double-scalar multiplication (signature verification);
>>    * fixed-base-point single-scalar multiplication (signing/keygen); and
>>    * variable-base-point single-scalar multiplication (ECDH).
>> 
>> For example, in Microsoft's library these are ECC_DBLMUL_TE,
>> ECC_MUL_FIXED_TE, and ECC_MUL_TE. Ripping all the ECDH-specific
>> functions out of the library (ECC_MUL_TE, fixed_window_recode, etc.),
>> and replacing them with a Montgomery ladder, would _simplify_ the code.
>> 
>> Furthermore, even if you can find a signature+ECDH library where a
>> "unified" format _reduces_ complexity rather than _increasing_ it, the
>> percentage saved will obviously be quite small---whereas sticking to
>> Montgomery x for ECDH saves a _much_ larger percentage of a pure ECDH
>> implementation.
>> 
>>> a single set of test vectors, code reuse, and the benefits of sharing
>>> pre-computed values
>> Every function needs its own test vectors in any case. Pre-computed
>> values are shared in any case. As for code reuse, see above.
>> 
>>> no (measurable) performance penalty
>> The extra network traffic is a measurable performance penalty, and is
>> more important than the CPU time saved for decompression inside
>> signature verification. See below.
>> 
>> Michael Hamburg writes:
>>   [ compression ]
>>> saves time and energy on radio links
>> Yes, obviously.
>> 
>>> but costs time and energy on wired ones
>> No.
>> 
>> Time: Curve25519 decompression takes roughly 5 microseconds on a typical
>> server CPU core, but this is less than the time that the core needs to
>> receive 256 bits from the Internet---unless you've bought a single
>> quad-core server to handle more than 200Mbps of Internet traffic; this
>> doesn't make economic sense.
>> 
>> Energy: 10 USD of electricity will pay for about 10 watt-years of this
>> 125-watt quad-core CPU, i.e., a month of CPU time, i.e., 2000000000000
>> decompressions, saving 64 terabytes of Internet traffic---a month of
>> continuous traffic at 200Mbps, as above. Some ISPs do sell noticeable
>> fractions of 200Mbps for 10 USD/month, but that's because they know that
>> most users won't use the network anywhere near continuously.
>> 
>>> or when the point is cached
>> No. You pay _once_ to decompress a point the first time you use it, and
>> after that you cache the decompressed version. (I'm assuming that it's
>> cheaper for you to store the extra bytes than to recompute them; if not,
>> you should cache the compressed version.) Local caching doesn't affect
>> the performance impact of compression on the wire.
>> 
>> ---Dan
>> 
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
> 
> 
> -- 
> email: rstruik.ext@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email