Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices

"Lochter, Manfred" <manfred.lochter@bsi.bund.de> Thu, 20 November 2014 09:29 UTC

From: "Lochter, Manfred" <manfred.lochter@bsi.bund.de>
Organization: BSI Bonn
To: cfrg@irtf.org
Date: Thu, 20 Nov 2014 10:29:27 +0100
User-Agent: KMail/1.9.10 (enterprise35 20140205.23bb19c)
References: <8FBEB0194016E64D9DF7E7855CD88E0C073A6D@FRPASERV0088.emea.oberthurcs.com> <546DACCA.9040706@elzevir.fr>
In-Reply-To: <546DACCA.9040706@elzevir.fr>
Cc: Manuel Pégourié-Gonnard <mpg@elzevir.fr>

__________ original message __________

From:		"Manuel Pégourié-Gonnard" <mpg@elzevir.fr>
Date:		Thursday, 20 November 2014, 09:56:42
To:		RONDEPIERRE Franck <F.RONDEPIERRE@oberthur.com>, "cfrg@irtf.org" 
<cfrg@irtf.org>
Cc:	
Subject:	Re: [Cfrg] Requirements for elliptic curves with a view towards 
constrained devices

> On 19/11/2014 17:06, RONDEPIERRE Franck wrote:
> > For the sake of simplicity, the twist security is viewed as mandatory.
> > Indeed, this allows one to get rid of attacks without relying on the
> > implementation. Without this requirement, a point-on-curve test is needed
> > to thwart the attacks.
>
> I'd just like to emphasise that in many situations (including TLS with
> uncompressed points and implementations using "standard" short Weierstrass
> formulas, i.e. formulas that don't involve b) the point-on-curve test *is*
> needed anyway, regardless of whether the curve is twist secure or not.
>
> I'm sure you're already aware of that, but I think we should always be
> extremely clear when speaking about it, since there are already people out
> there making misinterpretations of what exactly twist security buys us and,
> more importantly, what it doesn't. I really do not want to see, in a few
> months/years, implementations skipping the point-on-curve test in a context
> where it is needed just because they think using a twist-secure curve
> protects them.
>
> (Don't get me wrong: I think twist security is nice to have, and I'd like
> any curve selected by the CFRG to have this property. I just don't want it
> to be seen (by people outside this group) as a silver bullet.)
>
I would like to add another aspect. Having a twist-secure curve E means that 
E and its twist E' provide the same degree of security against purely 
mathematical attacks. However, if one takes SCA into account the situation may 
change. One of the two curves will contain a point with x-coordinate zero. 
For this point projective randomisation will not work properly. 

Manfred

> Manuel.
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

-- 
Lochter, Manfred
--------------------------------------------
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Referat K21
Godesberger Allee 185 -189
53175 Bonn

Postfach 20 03 63
53133 Bonn

Telefon: +49 (0)228 99 9582 5643
Telefax: +49 (0)228 99 10 9582 5643
E-Mail: manfred.lochter@bsi.bund.de
Internet:
www.bsi.bund.de
www.bsi-fuer-buerger.de
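The following is an added worked example illustrating the two points raised above; it is not code from either message, nor from any CFRG draft or implementation. It uses the textbook toy curve E: y^2 = x^3 + x + 1 over F_23 (28 points) and its quadratic twist built with the non-residue d = 5 (a' = 2, b' = 10, 20 points). The toy curve is chosen for hand-checkable arithmetic and is not twist secure; only the mechanics carry over to real curves. Part (1) shows Manuel's point: the standard affine chord-and-tangent formulas never use b, so an input off E is accepted and the arithmetic silently runs on whatever curve y^2 = x^3 + a*x + b'' the input implies (here one where the point has order 4), which no property of E's twist can prevent; only the membership test does. Part (2) shows Manfred's point: since b' = b*d^3 with d a non-square, exactly one of b and b' is a square mod p, so exactly one of E and E' has an affine point with x = 0, and blinding (X, Y, Z) = (r*x, r*y, r) leaves X = 0 for every r. All function names are my own.

```python
# Added example (not from the thread): toy short-Weierstrass arithmetic over F_23.
# (1) why a point-on-curve check is needed when the group-law formulas don't use b;
# (2) exactly one of E and its quadratic twist E' has a point with x = 0, which
#     randomised projective coordinates cannot blind.
# Parameters: textbook toy curve y^2 = x^3 + x + 1 over F_23 (#E = 28),
# chosen for hand-checkable arithmetic, not for security.

P_MOD = 23
A, B = 1, 1          # E : y^2 = x^3 + x + 1 over F_23
NON_SQUARE = 5       # a quadratic non-residue mod 23, used to build the twist


def legendre(n, p):
    """Euler's criterion: 1 if n is a non-zero square mod p, p-1 if not, 0 if p | n."""
    return pow(n % p, (p - 1) // 2, p)


def is_on_curve(pt, a, b, p):
    """Full affine membership test for y^2 = x^3 + a*x + b (None = point at infinity)."""
    if pt is None:
        return True
    x, y = pt
    return 0 <= x < p and 0 <= y < p and (y * y - (x ** 3 + a * x + b)) % p == 0


def add_affine(pt1, pt2, a, p):
    """Textbook chord-and-tangent addition. b never appears: the same formulas
    are valid on every curve y^2 = x^3 + a*x + b'' that shares this a."""
    if pt1 is None:
        return pt2
    if pt2 is None:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                      # pt1 == -pt2
    if pt1 == pt2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(k, pt, a, p):
    """Left-to-right double-and-add with no on-curve check, like a naive implementation."""
    acc = None
    for bit in bin(k)[2:]:
        acc = add_affine(acc, acc, a, p)
        if bit == "1":
            acc = add_affine(acc, pt, a, p)
    return acc


def implied_b(pt, a, p):
    """The b'' for which pt lies on y^2 = x^3 + a*x + b''. Arithmetic fed an
    unchecked point actually runs on this curve instead of E."""
    x, y = pt
    return (y * y - x ** 3 - a * x) % p


def quadratic_twist(a, b, p, d):
    """E' : y^2 = x^3 + a*d^2*x + b*d^3 is the quadratic twist of E for a non-square d."""
    return (a * d * d % p, b * d ** 3 % p)


def count_points(a, b, p):
    """Brute-force #E(F_p) including the point at infinity (fine for a toy p)."""
    n = 1
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        if rhs == 0:
            n += 1
        elif legendre(rhs, p) == 1:
            n += 2
    return n


def points_with_x_zero(b, p):
    """Affine points (0, y) on y^2 = x^3 + a*x + b; they exist iff b is a square mod p."""
    return [(0, y) for y in range(p) if (y * y - b) % p == 0]


def randomise_projective(pt, r, p):
    """Projective blinding (X, Y, Z) = (r*x, r*y, r). For x = 0 the X coordinate
    stays 0 whatever r is, so the randomisation does not hide this point."""
    x, y = pt
    return (r * x % p, r * y % p, r % p)


if __name__ == "__main__":
    # (1) Off-curve input: (1, 2) is not on E, yet the formulas accept it and
    #     compute on y^2 = x^3 + x + 2, where it has order 4.
    bogus = (1, 2)
    print("on E:", is_on_curve(bogus, A, B, P_MOD))             # False
    print("implied b:", implied_b(bogus, A, P_MOD))             # 2
    print("2*bogus:", scalar_mult(2, bogus, A, P_MOD))          # (22, 0)
    print("4*bogus:", scalar_mult(4, bogus, A, P_MOD))          # None
    # (2) E and its twist: exactly one of them has a point with x = 0.
    A2, B2 = quadratic_twist(A, B, P_MOD, NON_SQUARE)           # (2, 10)
    print("#E, #E':", count_points(A, B, P_MOD), count_points(A2, B2, P_MOD))  # 28 20
    print("x=0 on E :", points_with_x_zero(B, P_MOD))           # [(0, 1), (0, 22)]
    print("x=0 on E':", points_with_x_zero(B2, P_MOD))          # []
    for r in (3, 7, 19):
        print("blinded (0,1), r=%d:" % r, randomise_projective((0, 1), r, P_MOD))
```

Running the script prints the off-curve point's small order and the empty list of x = 0 points on the twist; swapping B for a non-square value moves the x = 0 point onto the other curve, which is the only freedom a curve generator has with respect to this SCA concern.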