Re: [Cfrg] Curve selection revisited
Watson Ladd <watsonbladd@gmail.com> Sat, 26 July 2014 01:04 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABB5C1A8BB0 for <cfrg@ietfa.amsl.com>; Fri, 25 Jul 2014 18:04:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HanFWtWzaBC6 for <cfrg@ietfa.amsl.com>; Fri, 25 Jul 2014 18:04:06 -0700 (PDT)
Received: from mail-yk0-x236.google.com (mail-yk0-x236.google.com [IPv6:2607:f8b0:4002:c07::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A27581A03AC for <cfrg@irtf.org>; Fri, 25 Jul 2014 18:04:06 -0700 (PDT)
Received: by mail-yk0-f182.google.com with SMTP id q9so3313049ykb.13 for <cfrg@irtf.org>; Fri, 25 Jul 2014 18:04:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=q455mjeBOb6lReTxU46WUHgOC/eX3tDLa1X1W8XmNT4=; b=r/CUDuBgFVeAirF2l71iDPGmiopiLUMaXBwPWmuN2omt1U18UilrMAoG9y3IMgMyPv DDv1rZwXi2n6rbLlojcU6deie/T/t4mCWnpexT7/e8+HZ2O0VBpLj2FHRTMeCVeVJW6F nG3XYaAileSaTvBsD/FxmT6BzwOVTyxgVbfQMq+j0r5ESYRPjgVYv9hYVxOE957a+7Y5 VALTvGOAgoUKoXM36Oefjjghm2sDbzrttxZljLMHnZQB5LhwCRMo0ml8EdFN7fXs0Zxw MgNx7myVHfNVG/dJFHWEXMr8XD6W8beqfALQQrVQY2e4LfY5VRLWBIH8Q3ePZH/y98C6 g6xw==
MIME-Version: 1.0
X-Received: by 10.236.170.38 with SMTP id o26mr3142614yhl.182.1406336645910; Fri, 25 Jul 2014 18:04:05 -0700 (PDT)
Received: by 10.170.202.8 with HTTP; Fri, 25 Jul 2014 18:04:05 -0700 (PDT)
In-Reply-To: <53D2781B.8030605@sbcglobal.net>
References: <CA+Vbu7xroa68=HOZtbf=oz7kK2EeUv_z1okpnjxHPR0ZtHD5cA@mail.gmail.com> <CFF7E184.28E9F%kenny.paterson@rhul.ac.uk> <53D2781B.8030605@sbcglobal.net>
Date: Fri, 25 Jul 2014 18:04:05 -0700
Message-ID: <CACsn0ckqFigWoH2+OOEHSd2VWPp8y6=m8H5OsFRyjXmjK7+m4w@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: David Jacobson <dmjacobson@sbcglobal.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/eTuSOE_1QUUqeIvWJ4-ZW80Y9Bw
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Curve selection revisited
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Jul 2014 01:04:10 -0000
On Fri, Jul 25, 2014 at 8:30 AM, David Jacobson <dmjacobson@sbcglobal.net> wrote: > On 7/25/14 7:48 AM, Paterson, Kenny wrote: >> >> Ben >> >> Thanks for this helpful message. I've responded in-line below, >> representing the chairs and based on what I've heard on the list and at >> the IETF meeting this week. People on the list should still feel free, of >> course, to argue for other points of view. >> >> On 25/07/2014 01:10, "Benjamin Black" <b@b3k.us> wrote: >> >> [snip] >> >>> >>> 2) Performance must be measured using "production-quality" >>> implementations. By this I mean implementations which employ the sort of >>> techniques/optimizations appropriate for large scale deployment. This is >>> specifically intended to exclude discussion of >>> how simple or fast an implementation _could_ be, in favor of what they >>> actually are in practice. However, the goal is to select curves which >>> strike the best balance between various requirements, not simply the >>> fastest. >>> >> I don't think it's very easy to be concrete about what >> "production-quality" means. I tend to agree with Yoav's comments here >> (http://www.ietf.org/mail-archive/web/cfrg/current/msg04735.html). > > > I believe that we need to decide what to do about side channel leakage > resistance. Performance needs to be measured with the defenses deployed. > Of course, the problem is that nobody knows what defenses should be deployed > and when we have reached "good enough". One common defense is no branches on > secret data. Almost certainly we would want the benchmarks to be coded this > way. But if the threat model includes malicious processes that share a > cache with the crypto process, then it is good practice to code so that the > stream of memory addresses accessed does not depend on secret data. And > then there are various blinding techniques with widely varying costs. > > This issue is more important if different curves/protocols have different > sensitivities to leakage or require different leakage mitigations. I don't > know whether this is the case. So I'd like to explain a bit about how implementations work, and why performance will not help us decide between Curve25519 in twisted Edwards form and the NUMS curve of similar size in twisted Edwards form. The first question is how to do the field arithmetic. All the primes being considered are of the form 2^s-c, so either one of saturated arithmetic or unsaturated will work. Unsaturated is more portable: C cannot access the carry flag. It offers more freedom in radix, and lets carry chains be vectorized. Karatsuba can be used or not, which depends on the saturated/unsaturated choice. But the exact values of s and c don't matter as much. The second question and third question what coordinates and what addition formulas to use when, and what algorithm to use. All twisted Edwards curves expose the same possibilities here: large precomputed tables with mixed coordinate addition vs. smaller tables for variable base, or a conversion to some other isogenous curve for variable base exponentiation. If we are willing to use Montgomery form (which the TLS WG initially had strong support for in Curve25519) one caches ephemeral DH parameters so the cost of fixed-base exponentiation is amortized across connections. OpenSSL does this anyway, and this affects technique slightly. But to be clear, a fast implementation for one prime and curve of a certain size and shape will likely be adaptable to a different curve over a similar prime with the same shape. Performance data will not distinguish between s=255 and s=256. It will inform the decision of whether Ed448 is too big for an intermediate curve, or if the speed disadvantage over whatever curve has size 384 is so minor as to make the extra strength effectively free, and likewise the question of s=512 vs. s=521. But this is also a messier question: how many options do we need and what do people want them to be? Sincerely, Watson Ladd > > --David Jacobson > > > > > > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [Cfrg] Curve selection revisited Benjamin Black
- Re: [Cfrg] Curve selection revisited Yoav Nir
- Re: [Cfrg] Curve selection revisited Paterson, Kenny
- Re: [Cfrg] Curve selection revisited David Jacobson
- Re: [Cfrg] Curve selection revisited Watson Ladd
- Re: [Cfrg] Curve selection revisited Robert Ransom
- Re: [Cfrg] Curve selection revisited Watson Ladd
- Re: [Cfrg] Curve selection revisited Robert Ransom
- Re: [Cfrg] Curve selection revisited Robert Ransom
- Re: [Cfrg] Curve selection revisited Watson Ladd
- Re: [Cfrg] Curve selection revisited Andrey Jivsov
- Re: [Cfrg] Curve selection revisited Ilari Liusvaara
- Re: [Cfrg] Curve selection revisited Robert Ransom
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Michael Hamburg
- Re: [Cfrg] Curve selection revisited Michael Jenkins
- Re: [Cfrg] Curve selection revisited Michael Hamburg
- Re: [Cfrg] Curve selection revisited Hannes Tschofenig
- Re: [Cfrg] Curve selection revisited Hannes Tschofenig
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Stephen Farrell
- Re: [Cfrg] Curve selection revisited Michael Hamburg
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Michael Hamburg
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Paul Lambert
- Re: [Cfrg] Curve selection revisited Paul Lambert
- Re: [Cfrg] Curve selection revisited Mike Hamburg
- Re: [Cfrg] Curve selection revisited Robert Ransom
- Re: [Cfrg] Curve selection revisited Andrey Jivsov
- Re: [Cfrg] Curve selection revisited Robert Ransom
- Re: [Cfrg] Curve selection revisited Robert Ransom
- Re: [Cfrg] Curve selection revisited Phillip Hallam-Baker
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Russ Housley
- Re: [Cfrg] Curve selection revisited Salz, Rich
- Re: [Cfrg] Curve selection revisited Phillip Hallam-Baker
- Re: [Cfrg] Curve selection revisited Salz, Rich