IETF Logo Mail Archive

Re: [CFRG] Psychic Signatures

Mike Hamburg <mike@shiftleft.org> Fri, 22 April 2022 16:09 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2EAB3A17C8 for <cfrg@ietfa.amsl.com>; Fri, 22 Apr 2022 09:09:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=shiftleft.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n-haBwyrl0EI for <cfrg@ietfa.amsl.com>; Fri, 22 Apr 2022 09:09:53 -0700 (PDT)
Received: from wanderer.shiftleft.org (wanderer.shiftleft.org [IPv6:2600:3c01::f03c:92ff:fec5:c23c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32DF13A17C6 for <cfrg@irtf.org>; Fri, 22 Apr 2022 09:09:52 -0700 (PDT)
Received: from smtpclient.apple (unknown [IPv6:2601:647:5800:e580:ad96:7a1e:ac51:48d5]) (Authenticated sender: mike) by wanderer.shiftleft.org (Postfix) with ESMTPSA id C96EF41AEC; Fri, 22 Apr 2022 16:09:50 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shiftleft.org; s=sldo; t=1650643791; bh=mJzB7ZzS/ym4gCl/KBxYTaaKAfPjPKF+HRrESQDW4YA=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=egwRshhiUlrUmQAgS/IulVAMzf/7dfjex+axZat51e340oYBJXsWA5ke7d3E8UlXY GLEVgkO1ADolpa0/u/u6hoXoUQv3xb/kjKZOFruls3G3W2rx9GSGjmaWG/hkCvfEJK DQslJRpcWwvZBBGttfdMhqRRNbXSfj7K4vrchFZI=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
From: Mike Hamburg <mike@shiftleft.org>
In-Reply-To: <3690036F-3BBD-4B73-A5B1-0007DFBD5346@antarateknik.com>
Date: Fri, 22 Apr 2022 09:09:50 -0700
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, IRTF CFRG <cfrg@irtf.org>, David Jacobson <david@dmjacobson.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8AD748B7-8C0F-4254-8A15-78E36C524E12@shiftleft.org>
References: <SY4PR01MB62519FEA53D39AABAF0BD0F4EEF49@SY4PR01MB6251.ausprd01.prod.outlook.com> <2CBA5AE5-DF84-4E9C-85DA-4DC38464710A@ericlagergren.com> <SY4PR01MB6251CA4D5F7C83FA564FD204EEF49@SY4PR01MB6251.ausprd01.prod.outlook.com> <2438a7cd-e0f7-685b-ad47-e9ba5995a5a0@mail.muni.cz> <87FFD633-DAF5-44B8-A2BF-55B547616560@dmjacobson.com> <SY4PR01MB62519B1EE1177740A9FE4C22EEF79@SY4PR01MB6251.ausprd01.prod.outlook.com> <3690036F-3BBD-4B73-A5B1-0007DFBD5346@antarateknik.com>
To: Mehmet Adalier <madalier@antarateknik.com>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/cUXCCtxKv1nIo6SnqFYva68h41o>
Subject: Re: [CFRG] Psychic Signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2022 16:09:58 -0000

As someone with experience in ECC implementation, this doesn’t make sense to me, at least not in a typical deployment (prime-order curves with (x,y) both given).

A straightforward check that a point given by (x,y) is on the curve is 2-3 orders of magnitude faster than a signing or verification operation.  You only need to check that y^2 = x^3 + ax + b, or whatever the curve equation is, which takes about 3 multiplies.  Compare to eg ECDH which costs at least 11 * bit length for the Montgomery ladder (and that’s new, it used to be 14), plus the final division for a total of around 3000 multiplies.  Or compare ECDSA verification which is even slower.  The slightly faster operation, ECDSA sign, doesn’t take a public key.  So in all these cases it doesn’t make sense to skip public key validation for performance reasons.

There is a cost in less common deployments.  If you have to check the order of the public key, because the curve has a cofactor, then this costs at least a Jacobi symbol but often much more.  Likewise if you have only x, and you’re doing an x-only ladder but need to check that there exists a y such that (x,y) is on the curve, because your curve isn’t twist-secure, then this isn’t free (it’s basically a Jacobi symbol computation; you could batch it with the final inversion but that’s a relatively new technique).  Or if you need to decompress the public key from a form like (x, one bit of y) then this isn’t free either, but it also can’t be skipped without breaking things.

Regards,
— Mike

> On Apr 22, 2022, at 8:49 AM, Mehmet Adalier <madalier@antarateknik.com> wrote:
> 
> Indeed. the verification operation is usually substantially slower than the signing operation, at least with ecc.
> Some library implementers offer verification functions without 'validation' for faster performance paths, assuming that the astute integrator will check for inputs independently via other (potentially) provided validation functions. 
> 
> Patent 9804891 describes methods of validating and pre-computing public keys for performance. these are applicable for both embedded or high-performance computing platforms
> 
> mehmet
> 
> On 4/22/22, 2:10 AM, "CFRG on behalf of Peter Gutmann" <cfrg-bounces@irtf.org on behalf of pgut001@cs.auckland.ac.nz> wrote:
> 
>    David Jacobson <david=40dmjacobson.com@dmarc.ietf.org> writes:
> 
>> I suspect that the reason for the library requiring a separate validation
>> function was patent US 7215773.
> 
>    It'd be interesting to hear from people working on embedded crypto libraries,
>    but I think it'd be due to a different reason.  In terms of the patent I
>    suspect most people don't even know that it exists (I didn't until now) and
>    even if they did, having the input verification function in the library right
>    next to the public/private-key function isn't doing anything to avoid it.
> 
>    I assumed it was because the verification operations are quite expensive for a
>    process that's already slow (compared to RSA's much-faster-than-signing
>    signature verification), and building the input verification into the
>    signature verification would make it even slower.  By skipping the input
>    verification you can appear to be faster than your competitors/RSA/some
>    arbitrary line in the sand.
> 
>    Peter.
> 
>    _______________________________________________
>    CFRG mailing list
>    CFRG@irtf.org
>    https://www.irtf.org/mailman/listinfo/cfrg
> 
> 
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email