### Re: [Cfrg] Curve selection revisited

Robert Ransom <rransom.8774@gmail.com> Sun, 27 July 2014 18:03 UTC

Return-Path: <rransom.8774@gmail.com>

X-Original-To: cfrg@ietfa.amsl.com

Delivered-To: cfrg@ietfa.amsl.com

Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E0921A0AEC for <cfrg@ietfa.amsl.com>; Sun, 27 Jul 2014 11:03:14 -0700 (PDT)

X-Virus-Scanned: amavisd-new at amsl.com

X-Spam-Flag: NO

X-Spam-Score: -1.75

X-Spam-Level:

X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no

Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hs7VzdKajLrM for <cfrg@ietfa.amsl.com>; Sun, 27 Jul 2014 11:03:12 -0700 (PDT)

Received: from mail-qg0-x22b.google.com (mail-qg0-x22b.google.com [IPv6:2607:f8b0:400d:c04::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79EE61A0AF0 for <cfrg@irtf.org>; Sun, 27 Jul 2014 11:02:35 -0700 (PDT)

Received: by mail-qg0-f43.google.com with SMTP id a108so7403859qge.16 for <cfrg@irtf.org>; Sun, 27 Jul 2014 11:02:35 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=BJ329Nyoan63KueDgBBncoKPf7NwXTnPOKPcWrR22uM=; b=GfRJBKcwmIU99xjZfhmReawEgmFQuXvmvS0/C+PG4EFBXZvKEMOFWFu11bwV/PeG6Q VtVL4eiCYoD7HeFo8JNTImSUaTufqAThMgJcMBBgoe4ARNzbeanh8n+AnQDqAdSrrWPN RZUAsKMxGjyR6PCWGt9uR4m5Uu29zySAH075+Cls+83sczrR71aFUGUvCQnsUypiVulJ tMmwxrBMVU7qTNlIZSLYLuiwDPF7BzH1RCfcaE1WDqJR8Z9tFOK98fKTpcItYkY8D+p3 aLz/82ejW2e2uwBCR9ueBPcVRHi572zTZCTUK/3X0nX/mEuSk6xNln2PYOV00vmdo17n BADg==

MIME-Version: 1.0

X-Received: by 10.140.87.75 with SMTP id q69mr50371292qgd.94.1406484155117; Sun, 27 Jul 2014 11:02:35 -0700 (PDT)

Received: by 10.140.86.135 with HTTP; Sun, 27 Jul 2014 11:02:34 -0700 (PDT)

In-Reply-To: <CACsn0cm7_d0XBz-E7trOgH_J0RcpyLJLm-uy6AmE2rL0peQ=bQ@mail.gmail.com>

References: <CA+Vbu7xroa68=HOZtbf=oz7kK2EeUv_z1okpnjxHPR0ZtHD5cA@mail.gmail.com> <CFF7E184.28E9F%kenny.paterson@rhul.ac.uk> <53D2781B.8030605@sbcglobal.net> <CACsn0ckqFigWoH2+OOEHSd2VWPp8y6=m8H5OsFRyjXmjK7+m4w@mail.gmail.com> <CABqy+srxMNuG0AaQd0SaegHvZWgbW762EQq+iAHL_fbu6sOJJQ@mail.gmail.com> <CACsn0ck-nmwtKVmoC=qTuWwJWDZPE6SwKreeJjjdyew+mAcfYw@mail.gmail.com> <CABqy+spNJYWyBHLY5YL3kh6PcDm_tTbqyN0tpDNs-Bme7de1hg@mail.gmail.com> <CACsn0cm7_d0XBz-E7trOgH_J0RcpyLJLm-uy6AmE2rL0peQ=bQ@mail.gmail.com>

Date: Sun, 27 Jul 2014 11:02:34 -0700

Message-ID: <CABqy+sr2Ys-c=GjZwkQtKjU0_BhZrX-+=aV_a_5Ymk8RsiR7xg@mail.gmail.com>

From: Robert Ransom <rransom.8774@gmail.com>

To: Watson Ladd <watsonbladd@gmail.com>

Content-Type: text/plain; charset="UTF-8"

Content-Transfer-Encoding: quoted-printable

Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/kBtQ_rHlv-DSj4dRBZTB4Wvbo1g

Cc: "cfrg@irtf.org" <cfrg@irtf.org>

Subject: Re: [Cfrg] Curve selection revisited

X-BeenThere: cfrg@irtf.org

X-Mailman-Version: 2.1.15

Precedence: list

List-Id: Crypto Forum Research Group <cfrg.irtf.org>

List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>

List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>

List-Post: <mailto:cfrg@irtf.org>

List-Help: <mailto:cfrg-request@irtf.org?subject=help>

List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>

X-List-Received-Date: Sun, 27 Jul 2014 18:03:14 -0000

On 7/26/14, Watson Ladd <watsonbladd@gmail.com> wrote: > <choping irrelevent stuff> > >> >> “Easy” does not mean “low-cost”. Adding support for Edwards-form >> input points to a Montgomery-ladder implementation is easy, but has a >> high performance cost (1I per scalarmult). Adding support for >> Montgomery-form input points to an implementation which operates on >> Edwards form is easy, and has much smaller performance cost. > > By "easy" I meant that as the field arithmetic is already done, which > is the vast > bulk of the difficulty, the additional code is smaller. Adding the > Montgomery ladder > as a routine on top of the arithmetic is not hard: it's 10 function > calls and a loop more or less. As I said, “easy” has nothing to do with “low-cost”. >>> (there is an additional question of small parameters: a Montgomery >>> curve with small >>> parameter is birationally equivalent to a twisted Edwards curve of >>> small parameter, but >>> the converse is not (obviously) true. Most generated curves seem to be >>> in Edwards form >>> however.) >> >> Curve25519 chose (A+2)/4 to be a small integer because Edwards curves >> had not been published yet. All new curves should be chosen to have >> Edwards d be a small integer, because that makes the Edwards-form >> unified addition formulas faster at no cost to the Montgomery ladder >> on the isomorphic Montgomery curve. (I've mentioned this to CFRG >> before; I wish more people had listened to me.) > > Doesn't A become a ratio of small integers rather than a small integer? > Although > this is still pretty fast. A is irrelevant. (A+2)/4, which is actually used in the formulas, becomes the reciprocal of a small integer rather than a small integer, which does not harm the performance of the Montgomery-ladder formulas. (See e.g. <http://www.ietf.org/mail-archive/web/cfrg/current/msg04077.html>. You were part of that discussion; I'm a bit surprised that you've forgotten this.) >>>>> one caches ephemeral DH >>>>> parameters so the cost of fixed-base exponentiation is amortized >>>>> across connections. OpenSSL does this anyway, and this affects >>>>> technique >>>>> slightly. >>>> >>>> This is good for performance even if you use a table to optimize >>>> fixed-base scalar multiplications. >>> >>> Very true: the NUMS performance results are thus dead wrong in ECDHE >>> costs, >>> which are two variable-base multiplications plus a very amortized >>> fixed-base multiplication, not >>> the fixed+variable base they used. >> >> I don't see anything wrong with what MSR states as the cost of ECDHE >> -- they're consistent across the implementations, and not reusing >> ephemeral keys is the simplest implementation strategy. (If they did >> change their figures to take key reuse into account, though, the cost >> would be only one variable-base scalar multiplication, not two.) > > The numbers are right, but the conclusions are thus wrong since a > common optimization > is neglected. In particular, the absence of Montgomery form from the > proposal is based on > performance measures including a fixed based exponentiation. Remember that MSR used a ‘hybrid’ implementation for ECDHE, which performed the fixed-base multiplication in Edwards form and the variable-base multiplication in Montgomery form. They would have drawn the same conclusions if they had looked only at their variable-base multiplication performance figures, because they report that their Montgomery-ladder implementation is slower than their Edwards-form variable-base scalar multiplication implementation on every curve they considered. However, MSR's performance numbers may be wrong: they used an unnecessarily long scalar for the Montgomery ladder (and threw away twist security in the process), because they believed the (false) conventional wisdom that the Montgomery ladder must start with the most significant non-zero bit of the scalar. They need to redo their Montgomery-ladder implementation and publish corrected performance figures before we can trust their algorithm recommendations on any curve. My bigger problem with MSR is that they seem to view Curve25519, and the community of cryptography experts and users which made it the de-facto standard for fast ECDH(E) in groups of near-256-bit order, as their enemy. It's not just that they showed up with their pile of curves just in time to ask the TLS WG to not issue the protocol numbers that people who want to use Curve25519 would need in order to use it in TLS; they're also having to rediscover things that anyone who has tried to optimize Montgomery and/or Edwards curves should know by now (or worse, not rediscovering them). If their goal is to find the fastest ECC curves and algorithms, they're hurting themselves by not listening to the people who have investigated these curves for months or years already. Robert Ransom

- [Cfrg] Curve selection revisited Benjamin Black
- Re: [Cfrg] Curve selection revisited Yoav Nir
- Re: [Cfrg] Curve selection revisited Paterson, Kenny
- Re: [Cfrg] Curve selection revisited David Jacobson
- Re: [Cfrg] Curve selection revisited Watson Ladd
- Re: [Cfrg] Curve selection revisited Robert Ransom
- Re: [Cfrg] Curve selection revisited Watson Ladd
- Re: [Cfrg] Curve selection revisited Robert Ransom
- Re: [Cfrg] Curve selection revisited Robert Ransom
- Re: [Cfrg] Curve selection revisited Watson Ladd
- Re: [Cfrg] Curve selection revisited Andrey Jivsov
- Re: [Cfrg] Curve selection revisited Ilari Liusvaara
- Re: [Cfrg] Curve selection revisited Robert Ransom
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Michael Hamburg
- Re: [Cfrg] Curve selection revisited Michael Jenkins
- Re: [Cfrg] Curve selection revisited Michael Hamburg
- Re: [Cfrg] Curve selection revisited Hannes Tschofenig
- Re: [Cfrg] Curve selection revisited Hannes Tschofenig
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Stephen Farrell
- Re: [Cfrg] Curve selection revisited Michael Hamburg
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Michael Hamburg
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Paul Lambert
- Re: [Cfrg] Curve selection revisited Paul Lambert
- Re: [Cfrg] Curve selection revisited Mike Hamburg
- Re: [Cfrg] Curve selection revisited Robert Ransom
- Re: [Cfrg] Curve selection revisited Andrey Jivsov
- Re: [Cfrg] Curve selection revisited Robert Ransom
- Re: [Cfrg] Curve selection revisited Robert Ransom
- Re: [Cfrg] Curve selection revisited Phillip Hallam-Baker
- Re: [Cfrg] Curve selection revisited Robert Moskowitz
- Re: [Cfrg] Curve selection revisited Russ Housley
- Re: [Cfrg] Curve selection revisited Salz, Rich
- Re: [Cfrg] Curve selection revisited Phillip Hallam-Baker
- Re: [Cfrg] Curve selection revisited Salz, Rich