Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices
"D. J. Bernstein" <djb@cr.yp.to> Sun, 23 November 2014 00:52 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 259B71A1A06 for <cfrg@ietfa.amsl.com>; Sat, 22 Nov 2014 16:52:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.896
X-Spam-Level: **
X-Spam-Status: No, score=2.896 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SClfIwFV81iN for <cfrg@ietfa.amsl.com>; Sat, 22 Nov 2014 16:52:40 -0800 (PST)
Received: from calvin.win.tue.nl (calvin.win.tue.nl [131.155.70.11]) by ietfa.amsl.com (Postfix) with SMTP id 4E73F1A19F2 for <cfrg@irtf.org>; Sat, 22 Nov 2014 16:52:40 -0800 (PST)
Received: (qmail 27874 invoked by uid 1017); 23 Nov 2014 00:52:58 -0000
Received: from unknown (unknown) by unknown with QMTP; 23 Nov 2014 00:52:58 -0000
Received: (qmail 6122 invoked by uid 1001); 23 Nov 2014 00:52:33 -0000
Date: Sun, 23 Nov 2014 00:52:33 -0000
Message-ID: <20141123005233.6120.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <8FBEB0194016E64D9DF7E7855CD88E0C073A6D@FRPASERV0088.emea.oberthurcs.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/j-iTwwzdlcs4nZna2YHpJRhHnIY
Subject: Re: [Cfrg] Requirements for elliptic curves with a view towards constrained devices
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Nov 2014 00:52:43 -0000
RONDEPIERRE Franck writes: > It seems that the current CFRG discussion quickly swiped the > "hardware" point of view, qualifying it as out of the topic. Many people here consider hardware important. Fortunately, within the scope that CFRG is considering (elliptic curves over big prime fields), the best curves for software are also the best curves for hardware. > For some devices, the code size is the main limitation and hence has > to be taken into account prior to speed performances. This isn't a software-vs.-hardware issue. Unnecessarily complex crypto (the NIST P-256 prime, Weierstrass failure cases, ECDSA inversion, etc.; see http://blog.cr.yp.to/20140323-ecdsa.html for many details) produces crypto software that's hard to write, even harder to get right, a royal pain to audit, and a huge source of security failures. Fortunately, we know how to make ECC much simpler. This doesn't cause trouble for the people who care about speed; it even improves speed. I realize that IETF has historically done a very bad job of managing migrations---people seem to think that the primary goal is to add new options (e.g., TLS 1.3) rather than to eliminate the code for the bad options (e.g., SSLv3); that "agility" means waving your arms rather than getting your feet out of the tar pit. But some migrations do succeed. There are many Internet protocols that haven't even started using ECC yet, and it's easy to envision a path towards future implementations that don't have to suffer through NIST's obsolete version of ECC. > We analyze hereafter the impact of switching to Edwards curves while > keeping Short-Weierstrass ones for backward compatibility. Obviously, until a migration is complete, there's a certain minimum level of code complexity required to handle the obsolete options. Adding support for the new options costs very little code---even if new point formats are used on the wire, as I recommend; the conversions are easy. > The efficient implementations of Short-Weierstrass and Twisted Edwards (or > Montgomery) formulae are quite different. Not only the group law operation is > different but also the precomputations and the internal point representations > are different. It thus doubles all the multiplication implementations: > fixed-base case, variable-base case, double-scalar case. No. It's true that people _who want top speed_ will write separate code for the fast new options (to the extent that it isn't written already), the same way that they've already written separate code for, e.g., NIST P-256 reduction. It's obviously not true that people will write separate code if "the code size is the main limitation". In that case they'll stick to a merged code base using the obsolete Weierstrass approach to scalar multiplication, because that's the only thing that the old curves support. The new curves support this option too. Obviously the reuse-old-code implementation option isn't the fast implementation option---but if we stick to cofactor 1, as you recommend, then we're _eliminating_ the fast option. What's the advantage supposed to be? This is bad for all of the people who want more speed; it also destroys the possibility of eventually migrating to a simpler code base that throws away the obsolete Weierstrass approach. > Furthermore, google.com, which is by far the most consulted website, > currently processes around 10^5 requests per second Searches are not connections; connections are not ECC operations; and, most importantly, clients are not servers---often they're rather slow smartphones. Google has already shown many times that it's willing to sacrifice server performance for the sake of reduced client latency. The bottom line, in any case, is that Google has already stated that it cares about curve speed: "We're looking for a replacement [for P-256] because we think that we can get something much faster and simpler." > However when performances matters, why not taking Short Weierstrass > curves with a=0? That's an extremely special type of curve called a "GLV curve", adding extra structure (an "endomorphism") for speed---but the main GLV speedup is subject to Certicom patents 7100538 and 7995752. There are also nice speeds from "GLV+GLS curves", including GLV+GLS Edwards curves, but all of this is subject to the same patents. (Side question to Dan Brown: Weren't you required to mention these patents when you suggested that CFRG might be interested in these speeds?) In the patent-free world, scalar multiplication for a=0 ends up being slower than Montgomery and Edwards. The curve shape is also incompatible with most primes (even if CFRG doesn't require twist-security), creating larger gaps from powers of 2 and causing further slowdowns. > Also for convenience, we think that the new curves should keep p=3 mod > 4 as it is the case for most NIST and Brainpool curves: it allows > simpler implementations and backward compatibility. A moment ago you were insisting on measuring the code size for an implementation that can handle the old options; now you're suddenly advocating a requirement that eliminates, e.g., NIST P-224. This is a strange notion of "backward compatibility". Anyway, your underlying assessment of code size is incorrect. There's a considerable cost in code size to handling NIST P-224 efficiently (see http://cr.yp.to/papers/sqroot.pdf for the fastest options), but it's very easy to handle primes that are 5 mod 8, such as Curve25519. > This side-channel attack uses the fact that a zero value may appear in an > intermediate result in the computation of the scalar multiplication, and that > zero-value cannot be randomized with classical countermeasures. False. For example, Coron's second countermeasure (more than 15 years old now!) converts the input point into a random point, so the zero disappears. There are many other important countermeasures against side-channel attacks; would you rather have your resources devoted to those countermeasures, or to unnecessarily slow curve computations? ---Dan
- [Cfrg] Requirements for elliptic curves with a vi… RONDEPIERRE Franck
- Re: [Cfrg] Requirements for elliptic curves with … Dan Brown
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Manuel Pégourié-Gonnard
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Alyssa Rowan
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Andy Lutomirski
- [Cfrg] Handling invalid points D. J. Bernstein
- Re: [Cfrg] Handling invalid points Michael Hamburg
- Re: [Cfrg] Handling invalid points Michael Hamburg
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Handling invalid points Natanael
- Re: [Cfrg] Requirements for elliptic curves with … William Whyte
- Re: [Cfrg] Handling invalid points Ilari Liusvaara
- Re: [Cfrg] Handling invalid points Stephen Farrell
- Re: [Cfrg] Requirements for elliptic curves with … D. J. Bernstein
- Re: [Cfrg] Handling invalid points D. J. Bernstein
- Re: [Cfrg] Handling invalid points Adam Langley