[Cfrg] Complexity of the Microsoft curve proposal
Watson Ladd <watsonbladd@gmail.com> Tue, 14 October 2014 15:00 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA8151A88DC for <cfrg@ietfa.amsl.com>; Tue, 14 Oct 2014 08:00:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y_3LNZZzv0RX for <cfrg@ietfa.amsl.com>; Tue, 14 Oct 2014 08:00:50 -0700 (PDT)
Received: from mail-yh0-x235.google.com (mail-yh0-x235.google.com [IPv6:2607:f8b0:4002:c01::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E55F1A87AF for <cfrg@irtf.org>; Tue, 14 Oct 2014 08:00:50 -0700 (PDT)
Received: by mail-yh0-f53.google.com with SMTP id b6so5137850yha.12 for <cfrg@irtf.org>; Tue, 14 Oct 2014 08:00:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=GMtAnF8v/RnlPGgA8j4tgsURRQRT+gIssDUq7avju2I=; b=KY+77IER1FB4nuajDHgrxwYtiT0Pqad8GRlPFGq1loeb1jO93R+jalOCZYZ+XYQ2cg dCuzX4bHcryHhP06OWh1l4rDguZFAaUROH5vBYcKmH8SyAvmnTsxe3yxQfi8DIsKytZV LIO7UWJ29U5R0HYiH2w0NGYcHbUhcExdjcrfNGW8Xo9WiKbKrQkTvhyuLZopeKRrV7Of YtCoahU/5Q2mISP0ZP83c8Kn37V/avAaWJZyT97+bTSbBGSIEo7FRhcki1jmICj/bi6U 45b9e+rgopZKAl0ZvmqgpF6MZHx5Lf8LsV+mF3SoPNn5hdaeXOw5mIoZrlBpSUcNx3hT oAlg==
MIME-Version: 1.0
X-Received: by 10.236.17.197 with SMTP id j45mr7542131yhj.49.1413298847800; Tue, 14 Oct 2014 08:00:47 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Tue, 14 Oct 2014 08:00:47 -0700 (PDT)
Date: Tue, 14 Oct 2014 08:00:47 -0700
Message-ID: <CACsn0cmHcuQOkJ2Td3cqpyWLpLGdyUvkSrhJ3qgAvti4D521qw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/fvCDud9o5S9dZEYH38bv6UAyDdg
Subject: [Cfrg] Complexity of the Microsoft curve proposal
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 15:00:51 -0000
Dear all, Sadly DJBs linked slides aren't explicitly about the microsoft curves. So I'd like to explain why the NUMS curves, with the prefered coordinate system, are more complex than the curve and coordinate choices DJB and Mike Hamburg have made in their prefered curves. If we send twisted Edward points with a=-1, d nonsquare, and p congruent to 3 mod 4, the addition law is incomplete as a is not a square. This forces implementers to add checks required for security, but not interoperability, which will be neglected. Sending points in coordinates where a complete addition law exists, even if an incomplete one is used internally, removes this temptation. I have exploited this issue against Bouncycastle (now fixed) and several other TLS implementations. Sending regular Edwards points solves this issue: the addition law is complete so long as d is a nonsquare. If we send twisted Edwards points, we also have to check that x and y lie on the curve. Failure to make this check is exploitable as well. By contrast, sending compressed points or Montgomery coordinates removes this difficulty. The Montgomery ladder is also easy to make timing-attack resistant with high performance, and is very simple to implement. So long as p is not congruent to plus or minus 1 mod 8, taking square roots mod p is easy. Again, this is an argument about coordinates, not the curve. The curve is virtually irrelevant. Sincerely, Watson Ladd
- [Cfrg] Complexity of the Microsoft curve proposal Watson Ladd
- Re: [Cfrg] Complexity of the Microsoft curve prop… Craig Costello
- Re: [Cfrg] Complexity of the Microsoft curve prop… Michael Hamburg
- [Cfrg] Fwd: Complexity of the Microsoft curve pro… Watson Ladd
- Re: [Cfrg] Complexity of the Microsoft curve prop… Benjamin Black