Re: [Cfrg] Curve manipulation, revisited

Watson Ladd <watsonbladd@gmail.com> Mon, 29 December 2014 20:25 UTC

In-Reply-To: <CA+Vbu7zxGm3EE7h3K2mg5WoziUf4bmjoaCAVzFgaaGsE=kLFpQ@mail.gmail.com>
References: <CAMfhd9W684XMmXn3ueDmwrsQ_ZdiFG+VqYLxkvs7qDwiJdpk6w@mail.gmail.com> <1725646678.805875.1419539885135.JavaMail.yahoo@jws100115.mail.ne1.yahoo.com> <CAMfhd9Ua5fFZk46Xx1AN2VgyJ=Yng6fnO8aN-_ZfzXQn0Xbxhg@mail.gmail.com> <CA+Vbu7zqFcu8d1053mZ_eEm0q=np6T3snSQ4rfY0k1-4hBVDsA@mail.gmail.com> <CAMfhd9XEqMwFzJ4sK4aHGbke6REZb26uaEEv9gbM5v_goDzwUA@mail.gmail.com> <CA+Vbu7zO3OatbC+cXiV58hvJCuqiTYvnsSuyopDXum4qBX54fw@mail.gmail.com> <EBD3350E-93CA-4D85-91C0-560D17187572@shiftleft.org> <CA+Vbu7zxGm3EE7h3K2mg5WoziUf4bmjoaCAVzFgaaGsE=kLFpQ@mail.gmail.com>
Date: Mon, 29 Dec 2014 15:25:18 -0500
Message-ID: <CACsn0cnmy1u+1uY=8NMkq1Sh_A-kX9LOKJA3u1QFpO=ZgvFG2Q@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Benjamin Black <b@b3k.us>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/dC_hm_U3XbXACbW9_5qle5q5J9I
Cc: Adam Langley <agl@imperialviolet.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Curve manipulation, revisited

On Mon, Dec 29, 2014 at 1:59 PM, Benjamin Black <b@b3k.us> wrote:
> On Mon, Dec 29, 2014 at 10:34 AM, Michael Hamburg <mike@shiftleft.org>
> wrote:
>>
>>
>> > On Dec 29, 2014, at 9:14 AM, Benjamin Black <b@b3k.us> wrote:
>> > Had Dan been insisting that ladders be _allowed_ then I would agree with
>> > you, as I have said the same (in the line just before the part you quoted,
>> > even). What Dan said is that single-coordinate ladders are _required_.
>>
>> […]
>>
>> > My point was that space/time trade-offs like that seem to be acceptable
>> > or unacceptable to Dan depending on what is being argued.
>>
>> That’s because Dan has been arguing the opposite of what you claim he’s
>> arguing.
>>
>> You claim he said that only one implementation strategy — ladders — is
>> acceptable.  But in fact, he’s been arguing that the curve/encoding/protocol
>> should be chosen so that multiple implementation strategies — ladders,
>> combs, whatever — will be possible.
>>
>> That way, an implementor can decide what trade-offs are acceptable for his
>> or her own implementation.  And if we make an especially good choice of
>> curve/encoding/protocol, most of those trade-offs can be good choices
>> instead of pitfalls.
>>
>> — Mike
>
>
> I can only go on the things he puts in writing and they say the opposite.
>
>>Rather than
>>blaming the implementor, we eliminate these security failures by
>>
>>   * adding twist security, for both Montgomery and Edwards, and
>>   * switching to single-coordinate ladders.
>
> That is not a suggestion folks be allowed to implement the ladder if they
> choose to. It is a requirement that they not be allowed to use anything
> else. If they are allowed to use anything but single-coordinate ladders,
> then, in his own words, we have not eliminated these "security failures" and
> will be back to "blaming the implementor". If he means something else he
> should say something else.

I don't see how this quote supports your reading exclusively. In
particular, when looking at other messages to the list from DJB, I see
the position Mike describes.

RFC 6080 and the Suite B implementors' guide don't describe many
common optimizations. Are these "not allowed"?

We can and should blame the implementor for security flaws. But when
we don't provide enough guidance in standards to avoid flaws, and make
the result overly complex in ways that invite errors, we're
responsible.

I also don't see why this matters: now that Montgomery x form and
complete coordinates for signatures are being used, there isn't a
difference between the rival proposals on this point.

Sincerely,
Watson Ladd

>
> b

-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
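The quoted passage from DJB pairs "twist security" with "single-coordinate ladders" without saying why the two go together. The following is an added example, not code from the thread or from any of the participants: an x-only Montgomery ladder for Curve25519 written to the RFC 7748 pseudocode, together with a curve-membership check. The point it makes is that an x-only ladder computes on any field element handed to it, including the u-coordinate of a point on the quadratic twist, and raises no error; the curve's twist therefore has to be as hard as the curve itself, which is what lets the ladder skip point validation. The constants, clamping rule and ladder step are RFC 7748's; the helper names `on_curve` and `first_twist_u` are this example's own, and the scanning start value 2 is an arbitrary choice.

```python
# Added example: x-only Montgomery ladder for Curve25519 (RFC 7748 pseudocode)
# plus a membership check showing what the ladder silently accepts.
# Python big-integer arithmetic is not constant time; the mask-based cswap is
# shown only as the idiom a real implementation would use.

P = 2**255 - 19          # field prime
A = 486662               # Montgomery coefficient: v^2 = u^3 + A*u^2 + u
A24 = (A - 2) // 4       # 121665, the constant used in the ladder step


def clamp(k: bytes) -> int:
    """RFC 7748 scalar decoding: clear the low 3 bits and bit 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes) -> int:
    """RFC 7748 u-coordinate decoding: mask the top bit, do not reduce."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def cswap(swap: int, a: int, b: int):
    """Conditional swap driven by a mask rather than a branch."""
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def ladder(k: int, u: int) -> int:
    """Return the u-coordinate of k*(u, v) using only u.
    Nothing here checks that u is the u-coordinate of a point on the curve."""
    x1 = u % P
    x2, z2 = 1, 0
    x3, z3 = x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P


def x25519(k: bytes, u: bytes) -> bytes:
    """X25519 as RFC 7748 defines it: clamp, decode, ladder, encode."""
    return (ladder(clamp(k), decode_u(u)) % P).to_bytes(32, "little")


def on_curve(u: int) -> bool:
    """True if u^3 + A*u^2 + u is a square mod P (Euler's criterion), i.e. some
    (u, v) lies on Curve25519. Otherwise u belongs to the quadratic twist."""
    rhs = (pow(u, 3, P) + A * u * u + u) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1


def first_twist_u(start: int = 2) -> int:
    """Smallest u >= start that is not on the curve (example helper): a twist
    point that the ladder above will multiply without complaint."""
    u = start
    while on_curve(u):
        u += 1
    return u


if __name__ == "__main__":
    basepoint = (9).to_bytes(32, "little")
    # Constructed demo key: all-ones bytes, clamped inside x25519().
    pk = x25519(bytes([0xFF] * 32), basepoint)
    print("public key from constructed scalar:", pk.hex())
    tu = first_twist_u()
    print("first twist u >= 2:", tu, "on_curve:", on_curve(tu))
    print("ladder output for that u:", ladder(clamp(bytes([0xFF] * 32)), tu))
```

The curve-point checks in `on_curve` are the thing an x-only ladder does not do; the scalar multiplication of a twist u-coordinate returns another twist u-coordinate, so an implementation that omits validation leaks nothing only if discrete logs on the twist are as hard as on the curve, which is the property DJB's quoted text adds as "twist security".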