Re: [Cfrg] Elliptic curve evaluation truths

"Parkinson, Sean" <sean.parkinson@rsa.com> Wed, 26 November 2014 01:59 UTC

From: "Parkinson, Sean" <sean.parkinson@rsa.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 25 Nov 2014 20:59:02 -0500
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/jIOv29T1crNTf31ZN2vdqe2DXv0
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic curve evaluation truths

I can't say I've seen the point addition described in the literature, but always assumed that there are, and I've been assured there are equations.

How about:
4. Signing and verification operations on Montgomery curves are less efficient than on Twisted Edwards and short Weierstrass curves.

Sean
--
Sean Parkinson | Consultant Software Engineer | RSA, The Security Division of EMC
Office +61 7 3032 5232 | Fax +61 7 3032 5299
www.rsa.com


-----Original Message-----
From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Parkinson, Sean
Sent: Wednesday, 26 November 2014 10:02 AM
To: Watson Ladd
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Elliptic curve evaluation truths

My understanding is that because you can't efficiently perform a point add operation of two random points with Montgomery curves then signature schemes are out.
Are there inefficient algorithms for performing point add on the Montgomery curve?
I intended to not include transforming points to other curve types. So maybe,
  4. Signing and verification operations on Montgomery curves are not possible.

I'm intentionally not talking about simplicity of implementations. That is making things more complicated and hiding the 'truths'.

Sorry, 'Pools of points' was my name for the technique of having a number of pre-generated points that are then added to each other to quickly generate new points for TLS PFS.


Sean


-----Original Message-----
From: Watson Ladd [mailto:watsonbladd@gmail.com]
Sent: Wednesday, 26 November 2014 2:35 AM
To: Parkinson, Sean
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Elliptic curve evaluation truths

On Mon, Nov 24, 2014 at 11:56 PM, Parkinson, Sean <sean.parkinson@rsa.com> wrote:
> In hopes of reaching consensus, I thought I might start a list of 
> known truths.
>
> Please don’t just argue against each point but instead look to refine 
> the statements where possible.
>
>
>
> 1.       Only curves over prime fields are being considered.
>
> 2.       Good, efficient implementations of Twisted Edwards curves will be
> faster than good, efficient implementations of short Weierstrass with
> the same prime.
>
> 3.       Good, efficient Montgomery curve implementations are simpler than
> good, efficient Twisted Edwards and short Weierstrass curve implementations.
>
> 4.       Montgomery curves cannot be used for signing/verification
> operations.

This is incorrect: see DJB's "Curves, Coordinates and Computation emails". One can retrieve y-coordinates from the Montgomery ladder.
In fact, 2 and 3 both need to be reworked in light of this email.

The correct statement is that curves with a complete addition law are easy to work with, and that the Montgomery ladder is also very simple.
Curves have a complete addition law if they are isomorphic to Edwards curves, which is almost the same as having a point of order 4. The Montgomery ladder works for curves with a point of order 4. (I may have gotten the conditions somewhat wrong: this is morally correct)

How the curve is presented on the wire doesn't change this: one does a few fast calculations to put the point retrieved from the wire in the preferred form for calculation, and a few fast ones at the end to put it back in the form on the wire.

This is also missing security considerations: it's easy to get multiplication correct with a complete addition law, much harder without one. Edwards curves always have a complete addition law, while Twisted Edwards may or may not, depending on the value $a$ being a quadratic residue or not.

>
> 5.       Small co-factor curves are no weaker, in terms of small subgroup
> attacks, than co-factor 1 curves.
>
> 6.       Twisted Edwards and short Weierstrass but not Montgomery curves
> support pools of points for ephemeral DH.

What do you mean by pools of points? Do you mean fast fixed-based exponentiation? In that case one can do a fast fixed-based exponentiation on the isomorphic or isogenous Edwards curve, and use a few fast computations to get the point on the Montgomery curve.

>
> 7.       NIST curves are going to be in use for some time.
>
> 8.       One curve at about WF-128 is required.
>
> 9.       At least one curve with WF greater than 128 is required.
>
> 10.   Good, efficient implementations of curves using special primes are
> significantly faster than good, efficient implementations using random 
> primes.
>
> 11.   There are steps in performance based on the number of words used.
>
> 12.   There are a few special primes that are significantly faster than the
> step they are on.
>
> 13.   The curves chosen will be used for ECDH and ECDSA.
>
> 14.   The curves will be used in TLS and certificates.
>
>
>
> If you have more truths then please add to this list.
>
>
> Sean
>
> --
>
> Sean Parkinson | Consultant Software Engineer | RSA, The Security 
> Division of EMC
>
> Office +61 7 3032 5232 | Fax +61 7 3032 5299
>
> www.rsa.com
>
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>



--
"Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
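
The reply to item 4 above says y-coordinates can be retrieved from the Montgomery ladder. As an added example (not part of the original thread, and not necessarily the method of the emails it cites), here is an x-only ladder followed by Okeya-Sakurai style y-recovery, checked against plain affine addition. The toy curve, base point and function names are constructed for illustration.

```python
# Toy Montgomery curve B*y^2 = x^3 + A*x^2 + x over F_p (constructed values,
# far too small for real use). P lies on it: 36^2 = 84 = 27 + 54 + 3 (mod 101).
p, A, B, P = 101, 6, 1, (3, 36)
A24 = (A + 2) * pow(4, -1, p) % p

def affine_add(P1, P2):
    """Reference chord-and-tangent addition; None is the point at infinity."""
    if P1 is None or P2 is None:
        return P2 if P1 is None else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) * pow(2 * B * y1, -1, p)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p)
    x3 = (B * lam * lam - A - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def xdbl(R):
    s, d = (R[0] + R[1]) ** 2 % p, (R[0] - R[1]) ** 2 % p
    c = (s - d) % p  # equals 4*X*Z
    return s * d % p, c * (d + A24 * c) % p

# Differential addition: xd is the affine x-coordinate of R1 - R0.
def xadd(R0, R1, xd):
    (X0, Z0), (X1, Z1) = R0, R1
    u, v = (X0 - Z0) * (X1 + Z1) % p, (X0 + Z0) * (X1 - Z1) % p
    return (u + v) ** 2 % p, xd * (u - v) ** 2 % p

def ladder(k, x):
    """x-only ladder: (X:Z) of k*P and (k+1)*P. Branches on k: not constant-time."""
    R0, R1 = (1, 0), (x, 1)
    for bit in bin(k)[2:]:
        if bit == "1":
            R0, R1 = xadd(R0, R1, x), xdbl(R1)
        else:
            R0, R1 = xdbl(R0), xadd(R0, R1, x)
    return R0, R1

def scalar_mul_with_y(k, base):
    """Full affine k*base from x(k*base), x((k+1)*base) and the base point."""
    x, y = base
    (X1, Z1), (X2, Z2) = ladder(k, x)
    if Z1 == 0: return None            # k*base is the point at infinity
    if Z2 == 0: return x, -y % p       # (k+1)*base is infinity, so k*base = -base
    x1, x2 = X1 * pow(Z1, -1, p) % p, X2 * pow(Z2, -1, p) % p
    num = (x * x1 + 1) * (x + x1 + 2 * A) - 2 * A - (x1 - x) ** 2 * x2
    return x1, num * pow(2 * B * y, -1, p) % p
```

The recovery step needs the base point's y to be non-zero and costs one extra field inversion on top of the ladder output.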