[Cfrg] What I do all day, or the myth of curve specific cryptanalysis
Watson Ladd <watsonbladd@gmail.com> Sun, 03 May 2015 17:14 UTC
Message-ID: <CACsn0cmr0eLEBB=voxQ+dwO3R22W894YvPaqAMA6im1gAXSw2w@mail.gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/gyP2tA3qbV2DE4auaj9Qwog1bnI>
Dear all,

Some people think that when Claus Diem sat down and wrote the best known attack on binary curves, he did so by taking a curve, and thinking about how to solve the discrete logarithm problem on that curve, then generalizing. Would they also think that we cryptanalyze AES by first thinking about the zero key, then the key equal to one, and so on? Of course, that's not what Claus Diem, or any algebraic geometer, actually does. They write down examples to understand general principles, but when it comes to elliptic curves we have a vast body of knowledge already. Instead they ask "what would really help me with this problem?", look, and find that structure.

Could someone explain any feature of P-256 that is potentially distinctive, vs. some random curve?

Of course, we know many shortcomings of short Weierstrass curves: much software does the calculations incorrectly in edge cases. I've found these errors in several extensively used libraries, including a few still being fixed. The solution to this nonissue being proposed is to further complicate implementations to have to check generated parameters, or complicate protocol designers' job by dealing with the consequences of one side specifying bad parameters. That's on top of performance disadvantages from having to genericise arithmetic, as well as tougher constant-time assurances. Are you willing to bet money that I can't find a mistake when you make it more complicated?

Sincerely,
Watson Ladd
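As an added illustration of the edge-case point made in the message above (example code, not from the message or from any library it mentions): affine short Weierstrass addition over a constructed toy curve (assumed parameters p = 97, a = 2, b = 3), with the chord-only formula that naive code uses beside the version that handles the point at infinity, P + (-P) and doubling.

```python
# Added example: y^2 = x^3 + a*x + b over GF(p) in affine coordinates.
# Toy curve, constructed for illustration (not a standardised curve).
P_MOD = 97
A, B = 2, 3
INF = None  # point at infinity, the group identity

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def neg(pt):
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % P_MOD)

def add_naive(p1, p2):
    # Chord formula only: the "one formula" shortcut. It ignores infinity
    # and divides by x2 - x1, so P + P and P + (-P) raise instead of working.
    x1, y1 = p1
    x2, y2 = p2
    lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def add(p1, p2):
    # Complete case split for the affine law.
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return INF  # P + (-P); also covers doubling a point with y == 0
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD  # tangent
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD  # chord
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mul(k, pt):
    # Left-to-right double-and-add; every step hits the doubling branch and
    # the first step hits the infinity branch, which add_naive cannot take.
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def naive_raises_on_doubling(pt):
    # True if the chord-only formula fails on P + P (inverting zero).
    try:
        add_naive(pt, pt)
    except ValueError:
        return True
    return False
```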