IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - curve form and coordinate systems

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 16 March 2015 04:49 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A36D11A00A2 for <cfrg@ietfa.amsl.com>; Sun, 15 Mar 2015 21:49:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bK46bUfzG2Y7 for <cfrg@ietfa.amsl.com>; Sun, 15 Mar 2015 21:49:09 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D26D71A0099 for <cfrg@irtf.org>; Sun, 15 Mar 2015 21:49:08 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 6E194282FC2; Mon, 16 Mar 2015 04:49:06 +0000 (UTC)
Date: Mon, 16 Mar 2015 04:49:06 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: cfrg@irtf.org
Message-ID: <20150316044906.GA27479@mournblade.imrryr.org>
References: <5501E6A5.5040608@brainhub.org> <A6F30412-8E0A-4D8D-9F26-580307B46874@shiftleft.org> <20150316002255.28855.qmail@cr.yp.to>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150316002255.28855.qmail@cr.yp.to>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/ka3GNdTzM5pYvp-ncaYL4fIi7SA>
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: cfrg@irtf.org
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2015 04:49:10 -0000

On Mon, Mar 16, 2015 at 12:22:55AM -0000, D. J. Bernstein wrote:

> In particular, input 0 is handled correctly without any special tests,
> contrary to Rene's comments and earlier comments from Microsoft. See
> https://www.ietf.org/mail-archive/web/cfrg/current/msg05004.html.

Dan, thanks for the detailed comments.  I support the emphasis on
implementation simplicity they represent (including potentially
taking away choices, when such choices are more prone to mistakes
than "the right way").  That is, I suport removing inessential
degrees of freedom.

One quick question.  I did not think that Rene was saying that the
Montgomery ladder computes multiples of 0 incorrectly.  Rather,
the concern is I believe that when one of the parties to an ECDH
agreement sends zero as their public key, the output is then zero
regardless of the public key of the other party.

This may allow an attacker to force a given session key, depending
on how the ECDH output is used to construct session keys (whether
additional nonces are used.  Can you comment on situations (in
higher level protocols) under which participants in ECDH might want
to explicitly reject 0 as the peer's public key?  (I don't know
whether any protocols in wide use that employ ECDH are potentially
exposed to this issue, if it is an issue.)

If I recall correctly, with X25519, such a key will never arise if
both peers choose their secret keys per the specification (the
private "exponent" is never 0, and I think it is always smaller
than the order of the group).

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email