Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices
"Lochter, Manfred" <manfred.lochter@bsi.bund.de> Thu, 20 November 2014 09:29 UTC
__________ original message __________

From: "Manuel Pégourié-Gonnard" <mpg@elzevir.fr>
Date: Thursday, 20 November 2014, 09:56:42
To: RONDEPIERRE Franck <F.RONDEPIERRE@oberthur.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Cc:
Subject: Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices

> On 19/11/2014 17:06, RONDEPIERRE Franck wrote:
> > For the sake of simplicity, the twist security is viewed as mandatory.
> > Indeed, this allows to get rid of attacks without relying on the
> > implementation. Without this requirement, a point on curve test is needed
> > to thwart the attacks.
>
> I'd just like to emphasise that in many situations (including TLS with
> uncompressed points and implementations using "standard" short Weierstrass
> formulas, ie formulas that don't involve b) the point-on-curve test *is*
> needed anyway, regardless of whether the curve is twist secure or not.
>
> I'm sure you're already aware of that, but I think we should always be
> extremely clear when speaking about it, since there are already people out
> there making misinterpretations of what exactly twist security buys us and
> more importantly what it doesn't. I really do not want to see, in a few
> months/years, implementations skipping the point-on-curve test in a context
> where it is needed just because they think using a twist secure curve
> protects them.
>
> (Don't get me wrong: I think twist security is nice to have, and I'd like
> any curve selected by the CFRG to have this property. I just don't want it
> to be seen (by people outside this group) as a silver bullet.)
>

I would like to add another aspect. Having a twist secure curve E means that E and its twist E' provide the same degree of security against purely mathematical attacks. However, if one takes SCA into account the situation may change. One of the two curves will contain a point with x-coordinate zero. For this point projective randomisation will not work properly.

Manfred

> Manuel.
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

--
Lochter, Manfred
--------------------------------------------
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Referat K21
Godesberger Allee 185 -189
53175 Bonn
Postfach 20 03 63
53133 Bonn
Phone: +49 (0)228 99 9582 5643
Fax: +49 (0)228 99 10 9582 5643
E-Mail: manfred.lochter@bsi.bund.de
Internet: www.bsi.bund.de
www.bsi-fuer-buerger.de
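
An added illustration of the two points made in this message (not code from the thread's participants): on a constructed toy curve, the standard affine doubling formula never uses b, so only an explicit point-on-curve test rejects an invalid point, and projective randomisation leaves X = 0 for the point with x-coordinate zero. The curve parameters, sample points and function names are assumptions chosen for the example.

```python
# Constructed toy curve E: y^2 = x^3 + A*x + B over F_P.
# Illustration only; the parameters are far too small for real use.
P, A, B = 103, 2, 4


def on_curve(x, y):
    """Point-on-curve test for a received affine (uncompressed) point."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def double(x, y):
    """Standard affine doubling for short Weierstrass curves: uses A, never B."""
    lam = (3 * x * x + A) * pow(2 * y, -1, P) % P
    x3 = (lam * lam - 2 * x) % P
    return x3, (lam * (x - x3) - y) % P


def implied_b(x, y):
    """Constant term b' of the curve y^2 = x^3 + A*x + b' that (x, y) lies on."""
    return (y * y - x * x * x - A * x) % P


def randomised_x_values(x):
    """All X reachable by projective randomisation (x, y) -> (l*x, l*y, l), l != 0."""
    return {l * x % P for l in range(1, P)}


if __name__ == "__main__":
    bad = (1, 1)  # constructed point that does not satisfy E's equation
    print("passes point-on-curve test:", on_curve(*bad))
    # The b-free formula raises no error; it just works on the curve with b'.
    print("b' before doubling:", implied_b(*bad), "expected B:", B)
    print("b' after doubling: ", implied_b(*double(*bad)))
    # (0, 2) is on E because B = 4 is a square mod P; (5, 6) is an ordinary point.
    print("distinct X for (0, 2):", len(randomised_x_values(0)))
    print("distinct X for (5, 6):", len(randomised_x_values(5)))
```

The doubling result for the invalid point still has b' = 101 rather than B = 4, which is why the explicit test has to run before any arithmetic, twist-secure curve or not.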