Re: [Cfrg] Curve selection revisited

Watson Ladd <watsonbladd@gmail.com> Sat, 26 July 2014 01:04 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABB5C1A8BB0 for <cfrg@ietfa.amsl.com>; Fri, 25 Jul 2014 18:04:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HanFWtWzaBC6 for <cfrg@ietfa.amsl.com>; Fri, 25 Jul 2014 18:04:06 -0700 (PDT)
Received: from mail-yk0-x236.google.com (mail-yk0-x236.google.com [IPv6:2607:f8b0:4002:c07::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A27581A03AC for <cfrg@irtf.org>; Fri, 25 Jul 2014 18:04:06 -0700 (PDT)
Received: by mail-yk0-f182.google.com with SMTP id q9so3313049ykb.13 for <cfrg@irtf.org>; Fri, 25 Jul 2014 18:04:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=q455mjeBOb6lReTxU46WUHgOC/eX3tDLa1X1W8XmNT4=; b=r/CUDuBgFVeAirF2l71iDPGmiopiLUMaXBwPWmuN2omt1U18UilrMAoG9y3IMgMyPv DDv1rZwXi2n6rbLlojcU6deie/T/t4mCWnpexT7/e8+HZ2O0VBpLj2FHRTMeCVeVJW6F nG3XYaAileSaTvBsD/FxmT6BzwOVTyxgVbfQMq+j0r5ESYRPjgVYv9hYVxOE957a+7Y5 VALTvGOAgoUKoXM36Oefjjghm2sDbzrttxZljLMHnZQB5LhwCRMo0ml8EdFN7fXs0Zxw MgNx7myVHfNVG/dJFHWEXMr8XD6W8beqfALQQrVQY2e4LfY5VRLWBIH8Q3ePZH/y98C6 g6xw==
MIME-Version: 1.0
X-Received: by 10.236.170.38 with SMTP id o26mr3142614yhl.182.1406336645910; Fri, 25 Jul 2014 18:04:05 -0700 (PDT)
Received: by 10.170.202.8 with HTTP; Fri, 25 Jul 2014 18:04:05 -0700 (PDT)
In-Reply-To: <53D2781B.8030605@sbcglobal.net>
References: <CA+Vbu7xroa68=HOZtbf=oz7kK2EeUv_z1okpnjxHPR0ZtHD5cA@mail.gmail.com> <CFF7E184.28E9F%kenny.paterson@rhul.ac.uk> <53D2781B.8030605@sbcglobal.net>
Date: Fri, 25 Jul 2014 18:04:05 -0700
Message-ID: <CACsn0ckqFigWoH2+OOEHSd2VWPp8y6=m8H5OsFRyjXmjK7+m4w@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: David Jacobson <dmjacobson@sbcglobal.net>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/eTuSOE_1QUUqeIvWJ4-ZW80Y9Bw
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Curve selection revisited
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Jul 2014 01:04:10 -0000

On Fri, Jul 25, 2014 at 8:30 AM, David Jacobson
<dmjacobson@sbcglobal.net> wrote:
> On 7/25/14 7:48 AM, Paterson, Kenny wrote:
>>
>> Ben
>>
>> Thanks for this helpful message. I've responded in-line below,
>> representing the chairs and based on what I've heard on the list and at
>> the IETF meeting this week. People on the list should still feel free, of
>> course, to argue for other points of view.
>>
>> On 25/07/2014 01:10, "Benjamin Black" <b@b3k.us> wrote:
>>
>> [snip]
>>
>>>
>>> 2) Performance must be measured using "production-quality"
>>> implementations. By this I mean implementations which employ the sort of
>>> techniques/optimizations appropriate for large scale deployment. This is
>>> specifically intended to exclude discussion of
>>> how simple or fast an implementation _could_ be, in favor of what they
>>> actually are in practice. However, the goal is to select curves which
>>> strike the best balance between various requirements, not simply the
>>> fastest.
>>>
>> I don't think it's very easy to be concrete about what
>> "production-quality" means. I tend to agree with Yoav's comments here
>> (http://www.ietf.org/mail-archive/web/cfrg/current/msg04735.html).
>
>
> I believe that we need to decide what to do about side channel leakage
> resistance.  Performance needs to be measured with the defenses deployed.
> Of course, the problem is that nobody knows what defenses should be deployed
> and when we have reached "good enough". One common defense is no branches on
> secret data.  Almost certainly we would want the benchmarks to be coded this
> way.  But if the threat model includes malicious processes that share a
> cache with the crypto process, then it is  good practice to code so that the
> stream of memory addresses accessed does not depend on secret data.    And
> then there are various blinding techniques with widely varying costs.
>
> This issue is more important if different curves/protocols have different
> sensitivities to leakage or require different leakage mitigations.  I don't
> know whether this is the case.

So I'd like to explain a bit about how implementations work, and why
performance will not help us decide between Curve25519 in twisted
Edwards form and the NUMS curve of similar size in twisted Edwards
form.

The first question is how to do the field arithmetic. All the primes
being considered are of the form 2^s-c, so either one of saturated
arithmetic
or unsaturated will work. Unsaturated is more portable: C cannot
access the carry flag. It offers more freedom in radix, and lets carry
chains be vectorized. Karatsuba can be used or not, which depends on
the saturated/unsaturated choice. But the exact values of s and c
don't matter as much.

The second question and third question what coordinates and what
addition formulas to use when, and what algorithm to use. All twisted
Edwards curves expose the same possibilities here: large precomputed
tables with mixed coordinate addition vs. smaller tables for variable
base, or a conversion to some other isogenous curve for variable base
exponentiation.

If we are willing to use Montgomery form (which the TLS WG initially
had strong support for in Curve25519) one caches ephemeral DH
parameters so the cost of fixed-base exponentiation is amortized
across connections. OpenSSL does this anyway, and this affects
technique
slightly. But to be clear, a fast implementation for one prime and
curve of a certain size and shape will likely be adaptable to a
different curve
over a similar prime with the same shape.

Performance data will not distinguish between s=255 and s=256. It will
inform the decision of whether Ed448 is too big for an intermediate
curve, or if the speed disadvantage over whatever curve has size 384
is so minor as to make the extra strength effectively free, and
likewise the question of s=512 vs. s=521. But this is also a messier
question: how many options do we need and what do people want them to
be?

Sincerely,
Watson Ladd

>
>    --David Jacobson
>
>
>
>
>
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin