IETF Logo Mail Archive

Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices

Watson Ladd <watsonbladd@gmail.com> Sat, 22 November 2014 06:00 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89CAF1A004D for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 22:00:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JYc4pTFn0rCl for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 22:00:23 -0800 (PST)
Received: from mail-yh0-x22d.google.com (mail-yh0-x22d.google.com [IPv6:2607:f8b0:4002:c01::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1375C1A004B for <cfrg@irtf.org>; Fri, 21 Nov 2014 22:00:23 -0800 (PST)
Received: by mail-yh0-f45.google.com with SMTP id f10so2998699yha.18 for <cfrg@irtf.org>; Fri, 21 Nov 2014 22:00:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=LUKcVwjzsLscgIErf/Ft5KC4otZUlL3OzYHfFVAOx9Q=; b=KS3C4CFajKF9R816diwXTf9/yyVgI/fAtSgWDGlAN6PzWw6kVWlT3M6J1/orFVl44N bko90WCMcqOPisHrKSpgUDWkx+r75PswXlRrnapW6jB9QaMWDe/GQJoH+gtnvaObyYU3 pc/O9c9SyW/3OFX/PeUUkwpMFdAZV2uVhLOYDbTOG+QLb81tPH8TbAmHBIx0SP2M8s27 0GxFJcQmvjoKHXEMe8u/RXubczUqx1FAuyJ8xxkyCbBxPQEKrMePxOjBWWmz7pPysfW2 9ccphEcgCjIIyAaqQvOPbO5FqzJ1eLshZwjyoxOKhgmthG2jm0it8yx6WXCHRXQSe+os gkSA==
MIME-Version: 1.0
X-Received: by 10.236.7.52 with SMTP id 40mr5995705yho.172.1416636022341; Fri, 21 Nov 2014 22:00:22 -0800 (PST)
Received: by 10.170.195.21 with HTTP; Fri, 21 Nov 2014 22:00:22 -0800 (PST)
In-Reply-To: <CALCETrWMd53RyX=2aVRxzX-4x9oe=WmiCv91beK7KCXiXMOhkA@mail.gmail.com>
References: <8FBEB0194016E64D9DF7E7855CD88E0C073A6D@FRPASERV0088.emea.oberthurcs.com> <201411200901.53517.manfred.lochter@bsi.bund.de> <CACsn0cmV6aOMx+eiLa0iP7rYiU4ZVmeDbNPhTSz_a6oU1=kWjA@mail.gmail.com> <201411211351.04473.manfred.lochter@bsi.bund.de> <CACsn0ckUoijv-uD3yksOQpRW9E-smF1wg9=+L2BVrN1+wRv0tw@mail.gmail.com> <CALCETrWMd53RyX=2aVRxzX-4x9oe=WmiCv91beK7KCXiXMOhkA@mail.gmail.com>
Date: Fri, 21 Nov 2014 22:00:22 -0800
Message-ID: <CACsn0ckBXG+pXiQm_r1DyDUd1DxnNpR124h5Yz1X7LDskmJD+g@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Andy Lutomirski <luto@amacapital.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Yf488SIst1JmmotaFNN1BzT6JPM
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Nov 2014 06:00:25 -0000

On Fri, Nov 21, 2014 at 9:26 AM, Andy Lutomirski <luto@amacapital.net> wrote:
> On Fri, Nov 21, 2014 at 8:58 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
>> On Fri, Nov 21, 2014 at 4:51 AM, Lochter, Manfred
>> <manfred.lochter@bsi.bund.de> wrote:
>>>
>>>
>>>
>>>
>>>
>>> __________ ursprüngliche Nachricht __________
>>>
>>> Von:            Watson Ladd <watsonbladd@gmail.com>
>>> Datum:  Donnerstag, 20. November 2014, 16:21:50
>>> An:             "Lochter, Manfred" <manfred.lochter@bsi.bund.de>
>>> Kopie:  "cfrg@irtf.org" <cfrg@irtf.org>
>>> Betr.:  Re: [Cfrg] Requirements for elliptic curves with a view towards
>>> constrained devices
>>>
>>>> On Thu, Nov 20, 2014 at 12:01 AM, Lochter, Manfred
>>>>
>>>> <manfred.lochter@bsi.bund.de> wrote:
>>>> >> Of course, you don't need to take my word for it: Cloudflare was very
>>>> >> clear that widespread ECDSA support was essential to making TLS free.
>>>> >> Mobile devices are having issues with verification times for NIST
>>>> >> P384. V2V proposals involves a staggering number of verifications a
>>>> >> second, but oddly enough don't use batching or efficient signatures,
>>>> >> thus forcing larger, more expensive hardware.
>>>> >
>>>> > Is there really a requirement for mobile devices to use a 384 bit curve?
>>>> > Why is 256 not sufficient? In which scenarios do you see the neccessity
>>>> > to use P-384? Which specific mobile devices are having issues with
>>>> > verification times? Are they having these problems only in connection
>>>> > with the proposed protocols you mention?
>>>>
>>>> When my mobile phone's browser connects to a website whose certificate
>>>> is signed by P384, a P384 verification better take place. Not
>>>> supporting P384 introduces an interoperability problem.
>>>
>>> I'm glad that you agree with my previously stated position that 384-bit curves
>>> are needed. Following your reasoning 256/384/512(521) bit curves have to be
>>> supported. In this case I would rather see performance problems on the
>>> 512/521 end.
>>> I would very much appreciate if you could also answer my other questions
>>> above.
>>> You seem to say that car-to-car communication will use the curves proposed by
>>> the cfrg. This supports the inital position we took in the Brainpool position
>>> paper (eprint 832/2014). I'm glad that we seem to agree on that.
>>
>> The V2V projects aren't. Despite high performance constraints they are
>> not making optimal choices. Batch signatures would seem a natural fit,
>> and yet ECDSA is still being used. P256 seems to be selected, despite
>> Koblitz curves existing. But blinding won't be used: the performance
>> hit is too much, and the security model doesn't require it. It doesn't
>> seem like they will switch to Curve25519 if the CFRG recommends it.
>
> Don't the V2V things need high *real-time* performance contraints?  To
> me, that would seem to rule out batch signatures entirely, unless
> there's a magic verifier that can retain good performance even in the
> presence of an invalid signature.

Most signatures are valid: while its true that a significant number of
bad signatures will slow batch verification, that number can be quite
large. For example, http://cr.yp.to/badbatch/badbatch-20120919.pdf
claims that 10 bad signatures out of 64 can be identified faster then
separate verification for each signature. It's clear that no matter if
verification or bandwidth is the limiting factor, malicious attackers
can carry out a denial of service.

Of course, there are several more predictable and simpler
optimizations that can be done, even if one has to stick with
NIST-approved curves. Amusingly, while Bitcoin uses a Koblitz curve,
it is only recently that bitcoin-core has been modified to take
advantage of this, due to verification becoming quite time consuming.

The gold standard for verification speed is e=3 RSA. But signing is
very, very slow.

Sincerely,
Watson Ladd
>
> --Andy



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email