IETF Logo Mail Archive

Re: [Cfrg] Criteria for the selection of new ECC mechanisms

David McGrew <mcgrew@cisco.com> Tue, 29 April 2014 18:21 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 210E21A095D for <cfrg@ietfa.amsl.com>; Tue, 29 Apr 2014 11:21:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.552
X-Spam-Level:
X-Spam-Status: No, score=-14.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_21=0.6, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j1EFtVZkKj5f for <cfrg@ietfa.amsl.com>; Tue, 29 Apr 2014 11:21:25 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id 002CB1A0916 for <cfrg@irtf.org>; Tue, 29 Apr 2014 11:21:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7370; q=dns/txt; s=iport; t=1398795684; x=1400005284; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=+vn3Ir8sRpn3/A5+b+wHvxwjAUNmiEVREgT6qGdHVEM=; b=W00hiMen4hJeKFWhcCketVejGk+PnTU1EC8bcOQAwaJ4eTfBaOqPLGLP 3xXdlGgDAV6TQNe8t15n1m1X6gp0QDGQKv0MAeMRiU+f0NNxZJ+cwqgz+ Brvva0kWWmvPbXNcG0zVwiaVg55PYQq7DFRq9N41ifL45Df35VbNvpKWG Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiAFAOvsX1OtJV2c/2dsb2JhbABZgwZPvh6HOYElFnSCJQEBAQMBAQEBNTYKAQULCw4KCQ8HDwkDAgECARUwBg0BBQICBRKIHggNySQXjCkrgRkRAVAHGIQhAQOVHoNygTyFI4wDg00hgTU
X-IronPort-AV: E=Sophos;i="4.97,952,1389744000"; d="scan'208";a="321324339"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-4.cisco.com with ESMTP; 29 Apr 2014 18:21:23 +0000
Received: from [10.0.2.15] (rtp-mcgrew-8913.cisco.com [10.117.10.228]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id s3TILMOd027278; Tue, 29 Apr 2014 18:21:23 GMT
Message-ID: <535FEDA2.4090502@cisco.com>
Date: Tue, 29 Apr 2014 14:21:22 -0400
From: David McGrew <mcgrew@cisco.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131103 Icedove/17.0.10
MIME-Version: 1.0
To: Rene Struik <rstruik.ext@gmail.com>
References: <535FB927.8080909@cisco.com> <535FDD0A.7070206@gmail.com>
In-Reply-To: <535FDD0A.7070206@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/hMjpmsa4jgJrsfZU1bDcaIJm2Dk
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Criteria for the selection of new ECC mechanisms
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2014 18:21:27 -0000

Hi Rene,

On 04/29/2014 01:10 PM, Rene Struik wrote:
> Hi David:
>
> Some preliminary comments below. 

great, thanks.

> Summary: some of the "requirements" you state below seem to 
> effectively pre-sort on solution directions, rather than stipulating 
> real requirements, which in my mind is undesirable. We can discuss 
> more during the virtual call this afternoon.

OK.   Note that I took the approach of describing the criteria for new 
ECC mechanisms, instead of the criteria for ECC mechanisms overall.  So 
I am presupposing that we are interested in something different than 
short Weierstrass form ECC as in IEEE P1363.    Not saying that existing 
ECC is bad, just that we are investigating alternatives.

>
> Rene
>
> On 4/29/2014 10:37 AM, David McGrew wrote:
>> Hi CFRG,
>>
>> in order to frame the discussion in today's meeting, I wrote up 
>> criteria for new ECC mechanisms.  I will go over this briefly in 
>> today's meeting.   Hopefully, this will foster good understanding 
>> about what the important goals are, and a good discussion about how 
>> to meet our common goals.  Comments are welcome, especially when they 
>> come with suggested text and a reference, where appropriate.
>>
>> David
>>
>> ----
>>
>> Criteria for the selection of new ECC mechanisms
>> David McGrew
>> April 28, 2014
>>
>> This short note summaries the criteria that have been put forward for
>> new ECC mechanisms, using the requirements language typical of
>> standards processes.  Each criterion is identified as either required
>> (strictly necessary) or desired (not strictly necessary, but strongly
>> appealing).  Some criteria apply only to key exchange methods (and not
>> to signatures) or Password Authenticated Key Exchange (PAKE), and are
>> labeled as such.  The Safecurves web page is an outstanding resource
>> for security criteria, though it does not distinguish between
>> properties that are essential for key exchange and those for
>> signatures.  Sources are described in footnotes; this note aims to be
>> objective, but the author's opinion is reflected in some choices.
>>
>> The following criteria have been identified:
>>
>> Simplicity
>>
>>    R1.  Desired: easy to understand and implement [1]
>>
>> Efficiency
>>
>>    R2.  Required: amenable to compact implementations and fast
>>    implementations, across both small and large processors [1]
>>
>>    R3.  Desired: re-use components between signatures and key exchange
>>    algorithms [3]
>>
>> Intellectual Property
>>
>>    R4.  Required: available worldwide under reasonable and well
>>    understood licensing terms [1]
>>
>>    R5.  Desired: available worldwide under royalty-free licensing
>>    terms [1]
>>
>> Interoperability
>>
>>    R6.  Desired: can be used with current software implementations
>>    (using different curve parameters) of TLS, PKIX, SSH, and IKE [4]
>>
>>    R7.  Desired: can be used within current ECC standards of TLS,
>>    PKIX, SSH, and IKE [4]
>>
>> Security
>>
>>    R8.  Required: amenable to constant-time implementations, to avoid
>>    side channel attacks [2]
> RS>>
> The more general requirement is that constructs should allow secure 
> implementations, which stretches much further than constant-time 
> operations.
> <<RS

Just for clarity: you are not disagreeing with R8, just saying that it 
doesn't go far enough in expressing the requirements of avoiding side 
channels, right?

>>
>>    R9.  Required: resist twist attacks [2]
> RS>>
> This is just and example of a particular implementation attack in a 
> very wide spectrum. It would be a shame if this were supposed to rule 
> out any non "twist-secure" curves, just because of this stipulation. 
> There are many ways to skin a cat or here and providing secure 
> implementations.
> <<RS

So, would you be comfortable moving R9 to "desired"?   Are there other 
attacks that we should enumerate?

>>
>>    R10.  Required: curve parameters should have good provenance;
>>    random curves should be provably pseudorandom [5]
> RS>>
> Indeed, curve parameters should have good provenance. The second 
> statement is up to debate. If one wishes to go this way, shouldn't one 
> also stipulate that the prime fields underlying a prime curve should 
> be generated randomly?
> <<RS

I think R10 is a reasonable requirement from the point of view that, if 
someone were generating new curves up to our criteria, we would want 
that requirement to be met.   Or maybe I am missing some demerit of 
randomly generated curves?    I realize that there are nuances here that 
I am not capturing, and I look forward to hearing from others how they 
think R10 should be rewritten.

>>
>>    R11.  Desired for key exchange: resist invalid curve attacks [2];
>>    note that complete addition laws help and are thus desirable [2].
>>    (Note that the use of ephemeral keys also resist such attacks.)
> RS>>
> Again, the more general requirement should be that this should resist 
> implementation attacks over a very wide spectrum, not just invalid 
> curve points (for which there is an extremely easy and low-cost check). 

Fair enough; could you help to enumerate those attacks?

> BTW - Use of ephemeral keys does not necessarily resist invalid curve 
> attacks, e.g., in context of ECIES (where one does not check the 
> ephemeral point to be valid). 

I think you are right about ECIES, because the receiver is using a 
static (not ephemeral) key.   At least that's the sense I meant for 
"ephemeral".

> Perhaps I am missing something here, but not sure how complete 
> addition laws help in thwarting invalid curve attacks. (Do you mean 
> that one can keep computing if, e.g., hQ=O, where h is the co-factor 
> and Q a received point? For small h=1,2,4, why would this be a major 
> design criterium?)

I meant for R11 to cover implementation attacks in general, not just 
invalid curve attacks.  Sorry for the confusion.

> <<RS
>
>> R12.  Required for PAKE: indistinguishability of curve points from
>>    random strings [2]
> RS>>
> While intuitively perhaps a nice feature, not sure why this would be a 
> requirement. Besides, this again seems to presort on solution 
> directions, since this would prohibit use of, e.g., affine curve 
> points (as, e.g., Dragonfly uses). The world is bigger than 
> x-coordinate only arithmetic.
> <<RS

Maybe I should say here "required for some PAKE protocols"?

thanks and regards,

David

>
>
>
> Footnotes:    [1] Original criteria set out for the Advanced 
> Encryption Standard,        which is equally applicable to ECC. 
> National Institute of        Standards and Technology (NIST) of the 
> United States, 1998.    [2] Daniel J. Bernstein and Tanja Lange. 
> SafeCurves: choosing safe
>> curves for elliptic-curve cryptography.
>>        http://safecurves.cr.yp.to, accessed April 2014.
>>
>>    [3] Criteria identified by David McGrew, 2014.
>>
>>    [4] Criteria identified by Russ Housley, TLS WG meeting at IETF89.
>>
>>    [5] Criteria widely acknowledged on CFRG email list during 2014.
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>
>

v2.23.0 | Report a Bug | By Email