Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices

Manuel Pégourié-Gonnard <mpg@elzevir.fr> Thu, 20 November 2014 08:56 UTC

Message-ID: <546DACCA.9040706@elzevir.fr>
Date: Thu, 20 Nov 2014 09:56:42 +0100
From: Manuel Pégourié-Gonnard <mpg@elzevir.fr>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: RONDEPIERRE Franck <F.RONDEPIERRE@oberthur.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <8FBEB0194016E64D9DF7E7855CD88E0C073A6D@FRPASERV0088.emea.oberthurcs.com>
In-Reply-To: <8FBEB0194016E64D9DF7E7855CD88E0C073A6D@FRPASERV0088.emea.oberthurcs.com>
OpenPGP: id=98EED379; url=https://elzevir.fr/gpg/mpg.asc
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/bRptZ39JJRQEmtTX17yCbj3QJJo
Subject: Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices

On 19/11/2014 17:06, RONDEPIERRE Franck wrote:
> For the sake of simplicity, the twist security is viewed as mandatory.
> Indeed, this allows one to get rid of attacks without relying on the
> implementation. Without this requirement, a point-on-curve test is needed to
> thwart the attacks.

I'd just like to emphasise that in many situations (including TLS with
uncompressed points and implementations using "standard" short Weierstrass
formulas, i.e. formulas that don't involve b) the point-on-curve test *is* needed
anyway, regardless of whether the curve is twist secure or not.

I'm sure you're already aware of that, but I think we should always be extremely
clear when speaking about it, since there are already people out there making
misinterpretations of what exactly twist security buys us and, more importantly,
what it doesn't. I really do not want to see, in a few months/years,
implementations skipping the point-on-curve test in a context where it is needed
just because they think using a twist-secure curve protects them.

(Don't get me wrong: I think twist security is nice to have, and I'd like any
curve selected by the CFRG to have this property. I just don't want it to be
seen (by people outside this group) as a silver bullet.)

Manuel.
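The point Manuel makes above, as an added worked example (this is illustrative code written for this archive page, not code from Manuel, Franck, or any project mentioned in the thread): the usual affine short Weierstrass addition and doubling formulas use the coefficient a but never b, so an uncompressed point that was not validated is silently processed on whatever curve y^2 = x^3 + ax + b' it happens to lie on. The defence is the point-on-curve check at decoding time, which is independent of whether the named curve has a secure twist. The toy curve over F_97 and the off-curve point (3, 7) are constructed values chosen so the arithmetic is easy to follow; the P-256 parameters are the standard NIST ones.

```python
"""Point-on-curve validation for uncompressed short Weierstrass points.

Added example for the CFRG thread above; not code from the list participants.
"""


def is_on_curve(x, y, a, b, p):
    """True iff (x, y) satisfies y^2 = x^3 + a*x + b over F_p with x, y in range."""
    return 0 <= x < p and 0 <= y < p and (y * y - (x * x * x + a * x + b)) % p == 0


def decode_uncompressed(octets, a, b, p):
    """Parse a SEC1 uncompressed point 0x04 || X || Y and reject off-curve input.

    This is the check the message says must not be skipped when a peer can
    send arbitrary uncompressed coordinates (e.g. TLS ECDH key shares).
    """
    size = (p.bit_length() + 7) // 8
    if len(octets) != 1 + 2 * size or octets[0] != 0x04:
        raise ValueError("not an uncompressed point encoding")
    x = int.from_bytes(octets[1:1 + size], "big")
    y = int.from_bytes(octets[1 + size:], "big")
    if not is_on_curve(x, y, a, b, p):
        raise ValueError("point is not on the curve")
    return (x, y)


def add(P, Q, a, p):
    """Standard affine addition/doubling. Note the formulas take a but never b."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None  # P + (-P) = point at infinity
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p  # addition
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, P, a, p):
    """Right-to-left double-and-add; unprotected, for illustration only."""
    R = None
    while k:
        if k & 1:
            R = add(R, P, a, p)
        P = add(P, P, a, p)
        k >>= 1
    return R


def implied_b(P, a, p):
    """The b' for which (x, y) lies on y^2 = x^3 + a*x + b'. This is the curve
    the formulas above actually compute on when the check is skipped."""
    x, y = P
    return (y * y - x * x * x - a * x) % p


# Constructed toy curve: y^2 = x^3 + 2x + 3 over F_97.
TOY_P, TOY_A, TOY_B = 97, 2, 3
TOY_ON = (3, 6)   # 36 == 27 + 6 + 3 (mod 97), so it is on the curve
TOY_OFF = (3, 7)  # 49 != 36, so it is not; it lies on the curve with b' = 16

# Standard NIST P-256 parameters.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551


def encode_uncompressed(P, p):
    size = (p.bit_length() + 7) // 8
    return b"\x04" + P[0].to_bytes(size, "big") + P[1].to_bytes(size, "big")


def demo():
    """Show that the unchecked point is processed on the b' curve, not the named one."""
    R = mul(2, TOY_OFF, TOY_A, TOY_P)
    b_prime = implied_b(TOY_OFF, TOY_A, TOY_P)
    return {
        "b_prime": b_prime,
        "2P": R,
        "on_named_curve": is_on_curve(*R, TOY_A, TOY_B, TOY_P),
        "on_b_prime_curve": is_on_curve(*R, TOY_A, b_prime, TOY_P),
    }


if __name__ == "__main__":
    print(demo())
    G = decode_uncompressed(encode_uncompressed((P256_GX, P256_GY), P256_P),
                            P256_A, P256_B, P256_P)
    print("P-256 G validated:", G == (P256_GX, P256_GY))
    print("n*G is infinity:", mul(P256_N, G, P256_A, P256_P) is None)
```

Running demo() shows 2*(3, 7) = (75, 24), which satisfies y^2 = x^3 + 2x + 16 and not the named curve's equation with b = 3: the arithmetic never looked at b, so only the decoder's check ties the computation to the intended curve. Whether the twist of the named curve is secure says nothing about the curve with b' = 16, which is why the check is needed in this setting regardless of twist security.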