[CFRG] Why we use ECDH instead of traditional DH
"D. J. Bernstein" <djb@cr.yp.to> Thu, 22 February 2024 19:24 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0202C18DB9D for <cfrg@ietfa.amsl.com>; Thu, 22 Feb 2024 11:24:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RISK_FREE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NF9-WmHzToaM for <cfrg@ietfa.amsl.com>; Thu, 22 Feb 2024 11:24:18 -0800 (PST)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id A8E2AC17C88A for <cfrg@irtf.org>; Thu, 22 Feb 2024 11:24:18 -0800 (PST)
Received: (qmail 32109 invoked by uid 1010); 22 Feb 2024 19:24:17 -0000
Received: from unknown (unknown) by unknown with QMTP; 22 Feb 2024 19:24:17 -0000
Received: (qmail 941053 invoked by uid 1000); 22 Feb 2024 19:24:10 -0000
Date: Thu, 22 Feb 2024 19:24:10 -0000
Message-ID: <20240222192410.941051.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <25cecba9-7c35-41c7-962a-c204a76e538c@app.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/bGiT7BHITzP6Ir0coceGaeyIROE>
Subject: [CFRG] Why we use ECDH instead of traditional DH
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Feb 2024 19:24:23 -0000
Filippo Valsorda writes: > Any work that can be pushed up the pyramid should be, because it > reduces duplication. Often that saves work, but not always: sometimes the work becomes bigger when it's pushed up. Furthermore, the goal is not to minimize total work; the goal is security, and there are cases where reviewer time is more important for this than implementor time. Here's a pre-quantum example illustrating these effects. Traditional DH uses a group of size q-1 for a prime power q, namely the multiplicative group of the finite field F_q, or sometimes a subgroup of whichever order dividing q-1. Traditional DH is easier for implementors than ECDH. (I'm assuming in both cases that there's a single group that everyone uses---otherwise traditional DH becomes considerably more complicated and ECDH becomes much more complicated.) How about we further simplify implementations by moving to _additive_ DH? Use a group of size q, the additive group of F_q. Sure, it's completely broken, but look at how much easier the code is! Okay, okay, obviously we don't use something that we know is broken. The _reason_ we know additive DH is broken is that people thinking about its security say "Hey, Euclid's algorithm breaks that". For traditional DH, trying to figure out how to choose q for any particular security level is a nightmare for security reviewers. For example, the case of q being a power of 2 is in many ways the nicest case for implementors, but 1984 Coppersmith found a much faster attack against this case, and then there were more advanced "FFS" algorithms, and finally, three decades after Coppersmith, there was a flurry of papers breaking this case in quasi-polynomial time. Large primes q seem quantitatively safer, but the "NFS" analysis is super-complicated (see https://blog.cr.yp.to/20151120-batchattacks.html for some highlights), and much faster attacks would be unsurprising. ECDH, despite its implementation disadvantages, is _much_ easier for security reviewers. Taking prime fields eliminates any attacks that exploit extra subfields, including any risk from FFS. Taking large field discriminants avoids any risk from further automorphisms. The occasional curves for which NFS applies are easily recognized and avoided. What we're left with are curves where the state-of-the-art attacks are _much_ simpler and _much_ easier to analyze than state-of-the-art attacks against traditional DH. The last big excitement in these attacks was a 1.4x speedup decades ago. Would taking traditional DH instead of ECDH push work up the pyramid? Yes, obviously. Would it reduce total work? No. Most importantly, would it reduce security risks? No: it would _increase_ them. I've identified and addressed various risks in ECDH implementations. I wouldn't say that what we have now is risk-free. If the only concern were implementations then I would advocate traditional DH (again, with a single shared group). But the ECDH implementation situation is getting to be _almost_ non-scary, for example with recent full formal proofs from John Harrison that some fast ECDH software works correctly for all inputs, assuming the CPU correctly handles various machine instructions. Meanwhile the cryptanalysis of _traditional_ DH isn't on a path to any expert being willing to say "Okay, that's the end of the speedups". This is the real reason that we use ECDH. It is, fortunately, correlated with something much easier to explain, namely ECDH being smaller than traditional DH (since the _known_ security losses in traditional DH force big q) and faster than traditional DH (since the big q outweighs the extra operations in ECDH)---but efficiency is really just another subsidiary goal in service of the real goal, namely security. Sophie Schmieg writes: > avoiding FF-DH wherever I can means I don't have to care whether we > should use safe primes or use larger private keys or both, one less > thing I need to tell people about. These are not advantages of ECDH over traditional DH. They are advantages of taking standard, shared, reviewed, big enough groups. Committees in the dark ages had tendencies towards traditional DH, towards sizes being too small, and towards allowing each implementation to pick its own adventure; but these mistakes aren't tied to each other. openssl-3.2.1 ecparam -list_curves still shows secp112r1, for example. I would rip that code out of the code base---along with the underlying general-purpose curve support---so that reviewers can easily see that attackers can't trigger it. ---D. J. Bernstein
- [CFRG] (no subject) D. J. Bernstein
- Re: [CFRG] (no subject) Andy Lutomirski
- Re: [CFRG] [EXTERNAL] Re: (no subject) Mike Ounsworth
- [CFRG] What I want from the "KEM hybrids" Watson Ladd
- Re: [CFRG] What I want from the "KEM hybrids" Filippo Valsorda
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Sophie Schmieg
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Mike Ounsworth
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Hubert Kario
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Neil Madden
- Re: [CFRG] [EXTERNAL] Re: [EXT] What I want from … Mike Ounsworth
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Watson Ladd
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Sophie Schmieg
- Re: [CFRG] [EXTERNAL] Re: (no subject) Mike Ounsworth
- Re: [CFRG] What I want from the "KEM hybrids" D. J. Bernstein
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Watson Ladd
- Re: [CFRG] What I want from the "KEM hybrids" Filippo Valsorda
- Re: [CFRG] What I want from the "KEM hybrids" Salz, Rich
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Salz, Rich
- Re: [CFRG] What I want from the "KEM hybrids" Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: (no subject) Watson Ladd
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Peter Gutmann
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Watson Ladd
- Re: [CFRG] (no subject) Filippo Valsorda
- Re: [CFRG] [EXTERNAL] Re: (no subject) Natanael
- Re: [CFRG] (no subject) Watson Ladd
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- Re: [CFRG] [EXTERNAL] Re: (no subject) Watson Ladd
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… D. J. Bernstein
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- Re: [CFRG] [EXTERNAL] Re: (no subject) Sophie Schmieg
- Re: [CFRG] [EXTERNAL] Re: (no subject) Watson Ladd
- Re: [CFRG] [EXT] Re: [EXTERNAL] Re: (no subject) Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Carl Wallace
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Sophie Schmieg
- Re: [CFRG] [EXTERNAL] Re: (no subject) Mike Ounsworth
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Santosh Chokhani
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Santosh Chokhani
- Re: [CFRG] Millions of dollars of hashing Ilari Liusvaara
- [CFRG] Combiners: is the tail capable of wagging … D. J. Bernstein
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Mike Ounsworth
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Blumenthal, Uri - 0553 - MITLL
- [CFRG] Millions of dollars of hashing D. J. Bernstein
- Re: [CFRG] [EXTERNAL] Re: (no subject) Mike Ounsworth
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Mike Ounsworth
- Re: [CFRG] Millions of dollars of hashing Bas Westerbaan
- Re: [CFRG] Millions of dollars of hashing Sophie Schmieg
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- [CFRG] Why we use ECDH instead of traditional DH D. J. Bernstein
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Mike Ounsworth
- Re: [CFRG] Tens of millions of dollars of CPU cyc… D. J. Bernstein
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Millions of dollars of hashing D. J. Bernstein
- Re: [CFRG] Millions of dollars of hashing Adam Langley
- Re: [CFRG] Millions of dollars of hashing D. J. Bernstein
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Ilari Liusvaara
- Re: [CFRG] Proposed CFRG hybrid KEM scope Simon Josefsson
- Re: [CFRG] stick to kems maybe (Re: [EXTERNAL] Re… Mike Ounsworth
- Re: [CFRG] Proposed CFRG hybrid KEM scope Loganaden Velvindron
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Ilari Liusvaara
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Bas Westerbaan
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Ilari Liusvaara
- Re: [CFRG] Millions of dollars of hashing D. J. Bernstein
- Re: [CFRG] Millions of dollars of hashing Peter Gutmann
- Re: [CFRG] Millions of dollars of hashing Adam Langley
- Re: [CFRG] [EXTERNAL] Re: (no subject) Mike Ounsworth
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- Re: [CFRG] Millions of dollars of hashing John Mattsson
- Re: [CFRG] What I want from the "KEM hybrids" Jeffrey Burdges
- Re: [CFRG] Millions of dollars of hashing Sophie Schmieg
- Re: [CFRG] Why we use ECDH instead of traditional… D. J. Bernstein
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- Re: [CFRG] Millions of dollars of hashing Neil Madden
- Re: [CFRG] Millions of dollars of hashing Sophie Schmieg
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Millions of dollars of hashing Eric Rescorla
- Re: [CFRG] Millions of dollars of hashing D. J. Bernstein
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Mike Ounsworth
- Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "… Bas Westerbaan
- Re: [CFRG] Millions of dollars of hashing Peter Gutmann
- [CFRG] Tens of millions of dollars of CPU cycles D. J. Bernstein
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- Re: [CFRG] Millions of dollars of hashing D. J. Bernstein
- [CFRG] stick to kems maybe (Re: [EXTERNAL] Re: (n… Stephen Farrell
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Neil Madden
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Neil Madden
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Hubert Kario
- Re: [CFRG] [EXT] Re: [EXTERNAL] What I want from … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Salz, Rich
- Re: [CFRG] [EXTERNAL] What I want from the "KEM h… Mike Ounsworth
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Sophie Schmieg
- Re: [CFRG] Tens of millions of dollars of CPU cyc… Peter Gutmann
- Re: [CFRG] Tens of millions of dollars of CPU cyc… Peter Gutmann
- Re: [CFRG] Tens of millions of dollars of CPU cyc… D. J. Bernstein
- Re: [CFRG] [EXTERNAL] Re: (no subject) Mike Ounsworth
- Re: [CFRG] [EXT] What I want from the "KEM hybrid… Santosh Chokhani
- Re: [CFRG] Tens of millions of dollars of CPU cyc… Peter Gutmann
- Re: [CFRG] Tens of millions of dollars of CPU cyc… Salz, Rich
- Re: [CFRG] Tens of millions of dollars of CPU cyc… Chris Barber
- Re: [CFRG] Tens of millions of dollars of CPU cyc… D. J. Bernstein
- Re: [CFRG] [EXTERNAL] Re: (no subject) Sophie Schmieg
- Re: [CFRG] Why we use ECDH instead of traditional… Ilari Liusvaara