Re: [Cfrg] Formal request from TLS WG to CFRG for new elliptic curves

Michael Hamburg <mike@shiftleft.org> Sun, 20 July 2014 19:51 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 332131A0092 for <cfrg@ietfa.amsl.com>; Sun, 20 Jul 2014 12:51:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.556
X-Spam-Level: *
X-Spam-Status: No, score=1.556 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NErIvQxBD_-9 for <cfrg@ietfa.amsl.com>; Sun, 20 Jul 2014 12:51:31 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E4891A0049 for <cfrg@irtf.org>; Sun, 20 Jul 2014 12:51:31 -0700 (PDT)
Received: from [192.168.1.124] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 705F33AA3F; Sun, 20 Jul 2014 12:49:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1405885787; bh=d72YO6n1AQ4kSs8zkVLVGQpWKEphizQg5Ho7kgkI8H4=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=cnqWn39eTzmJQtU5yyGP701gB43HbRdTDVU69dn3sHdzuN3W5NScs5ghS9cX4xcdr jwYd7KZLGId1HeOVV7Z09Eo7uWkOV0+C1S3G/z8m3hNvL6josvRLbkl2sgVwsLtTrr 1+5g6REJsLgRLCBpbxf4tgeO0/cHRPubmy3J+Bf8=
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <53CC0304.4010802@cs.bris.ac.uk>
Date: Sun, 20 Jul 2014 12:51:28 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <29A93B93-0C86-4831-A51B-EDDE0221E8FA@shiftleft.org>
References: <53CBDFF8.5050204@cs.bris.ac.uk> <0F4DF570-7886-4D0A-8817-DEEF64FBA8A8@shiftleft.org> <53CC0304.4010802@cs.bris.ac.uk>
To: Nigel Smart <nigel@cs.bris.ac.uk>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/lAuSCTnmD2oIpbfRTaf3QtMQXHk
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Formal request from TLS WG to CFRG for new elliptic curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Jul 2014 19:51:33 -0000

On Jul 20, 2014, at 10:57 AM, Nigel Smart <nigel@cs.bris.ac.uk>; wrote:

> Hi
> 
> Various issues here....
> 
> i) Is there any justification for new curves at this current point in time?
>     - My opinion is no. There is no reasonable argument which can suggest that
>       NIST cooked their curves. There may be better ways to generate the curves
>       now with extra functionality (see below), but the basic security criteria are
>        still valid.

I also do not believe that the NIST curves have backdoors.  They have reasonable security criteria as well.  It’s just that the state of the art has progressed in terms of architecture, implementation, security, performance, protocols, etc.  So it makes sense to standardize new curves for future protocols.

Just because the NIST security criteria were good choices doesn’t mean that they are the best choices.  Making ‘b’ the hash of a random seed was a reasonable choice.  I do not see why it is clearly a better choice than the DJB / Microsoft NUMS approach.  Prime-order curves have good properties.  Edwards curves have different good properties.  Just because prime order is desirable doesn’t mean that it’s the only desirable thing.  We should weigh its properties against the properties of curves with cofactors.

Perhaps the new curves should not go into TLS for complexity reasons.  I defer on that question to those who manage large-scale TLS delpoyments.

> ii) Should we add new SECURITY criteria on the CURVES?
>     - My opinion is that this is marginal. I see no benefit at all in twist security.
>       Dont get me wrong, I think twist security is a cool idea worthy of an academic
>       paper. Its just not practically relevant here (unless we are changing protocols,
>       which is not the request).

You might well think that various new security features — twist security, strongly unified formulas, no point with x=0 for power analysis, etc — are not worth a new standard.  But you asserted explicitly, and with no justification, that the ONLY responsible course is to recommend curves which ignore these constraints.  I don’t understand why extra security constraints would be irresponsible, so long as they’re clearly not part of a "BADA55” manipulation of the parameters.

> iii) Should we add in curves with better performance which may deviate from the
>      NIST choices?
>          - Only if they can represent points in Weierstrass form for transmission.
>          - Only if they have prime order.
>                - Note, here I am being stronger than the ANSI/NIST criteria (but actually
>                  NIST curves have this property in any case).
>                - I really think prime order curves are vital to avoid mistakes. I have
>                  been recommending their use in nearly 18 years of advising companies
>                  on ECC stuff.

There is a class of mistakes that people make with prime order curves, and a different class of mistakes that they make with cofactors.  You may feel that mistakes involving incomplete formulas are less serious or easier to avoid than those involving cofactors.  Go ahead and push for that.  But it’s not helpful to just assert that cofactors aren’t acceptable.

>          - In other words the curve addition is OK, as long as it can interoperate with
>            existing software, and will not cause security/patent violation issues when
>            used with all possible protocols
>                 - Last point is key, as we cannot force a new curve to only be used
>                   with protocol X, as some idiot will use it with Y. This is why I think
>                   Curve25519 should be treated as a complete protocol, as opposed
>                   to a curve. The naming by Danja is a unfortunate in this respect.

It is safe to carry out other protocols over Curve25519, or over isomorphic Weierstrass or Edwards curves if they specify those formats.  Most EC protocols account for a cofactor, including the TLS-revelant ECDHE and ECDSA.  It is of course possible to screw up implementing such protocols.  But is Curve25519 any more dangerous for this than any other curve with a cofactor?

> iv) Should we add in new FUNCTIONALITY criteria on the CURVES?
>          - Actually yes I do think this. If we were to re-do NIST like curves I would also
>            publish seeds for TWO base points. The reason for this is that many protocols
>            require two base points, and not having them defined in the "standard" curves
>            is a problem and we need the DLP to be unknown so we need the seeds to be
>            able to guarantee this.
> 
> <humour mode>
> 
> My problem with the discussion is that it seems to be being conducted in exactly
> the way which resulted in the mess which is the current TLS. It would appear that
> to people (like me) who have spend years researching ECC, key agreement protocols,
> trying to make cryptographic sense of the current TLS protocol, etc etc, are being
> trolled by people on the list   :-)
> 
> </humour mode>

I don’t want to see a mess, and I respect your input.  It’s just that most of these criteria have been discussed for a while now.  It’s frustrating to have a discussion like this, and then you come in and say “actually, it’s obvious that the criteria should be that the curve looks like a NIST curve.  Also it’s important that the new desiderata that you all have been discussing should be ignored.”  That position requires justification.  You’ve provided justification for some of your points, which is helpful.

> Cheers
> 
> Nigel

Cheers,
— Mike

> 
> On 20/07/2014 18:25, Michael Hamburg wrote:
>> You sound a little bit like you’re trolling us, Nigel.  It’s one thing to say that the marginal security and performance gains of the new curves isn’t worth the complexity of supporting them in TLS.  It’s another to say that every crypto curve should have all the properties that NIST chose for theirs (except 512 bits instead of 521), and that it shouldn’t have any other properties, even twist security.  Do you have any justification for those criteria?
>> 
>> — Mike
>> 
>> On Jul 20, 2014, at 8:27 AM, Nigel Smart <nigel@cs.bris.ac.uk>; wrote:
>> 
>>> Hi
>>> 
>>> It seems there is a lot of noise about new types of curves, curvexxxyy this,
>>> and NUMS that.
>>> 
>>> Note the request is for new ELLIPTIC CURVES not elliptic curve PROTOCOLS
>>> 
>>> Thus any curve should be IMHO usable with any STANDARD protocol, in any
>>> STANDARD way of implementing the protocol. Without this constraint one is
>>> bound to get implementation errors.
>>> 
>>>  - Curve25519 is a combined curve/protocol; so is out of scope IMHO. As
>>>     someone is bound to use the underlying curve with some other protocol
>>>     and make mistakes.
>>> 
>>> Benjamin Black is correct; having new types of this that and the other for
>>> a marginal security gain, and/or a marginal performance gain is IMHO
>>> inviting problems.
>>> 
>>> Thus the ONLY response in my view as responsible cryptographers is
>>> to recommend curves which
>>> 
>>>   i) Whose data format for point transfer/curve definition is in Weierstrass
>>>      form
>>>          - I dont care if some implementation wants to use some super-duper
>>>            form to do some calculation; the data transfer must enable
>>>            interoperability.
>>> ii) Whose group order is prime
>>>          - Not having prime group order is inviting problems. Thus Edwards
>>>            curves are out as I am sure they require non-prime group order
>>> iii) The "b" coordinate should be generated by a hash value on some
>>>      random string.
>>> iv) Usual security constraints; base field has 256 and 512 bits of security
>>>       to match AES 128 and AES 256; MOV criteria; SmartASS criteria;
>>> v) Ignore "esorteric" constrains like twist security etc.
>>> 
>>> So basically I cannot see what is wrong with the NIST curves. And if people
>>> want something new then they should really come up with a credible
>>> reason for wanting something new. No argument I have seen warrants
>>> the massive change in software and infrastructure that is being proposed.
>>> If people really are that worried about this NIST curves then
>>>   i) They should probably stop using the internet full stop, as that means
>>>      the NSA probably has massive more capability than even Snowden has
>>>      revealed.
>>>  ii) Generate curves as above; and not trust some new fingle-fangled ideas
>>>      which are not supported by all the major cryptographers who have
>>>      worked on ECC.
>>> 
>>> BTW I still stand by my statement that we should recommend EC-Schnorr
>>> as an extra hash function.
>>>  - Minor change in code needed to support it (compared to some of the other
>>>    proposals)
>>>  - Provides some "hedge" against future collisions in SHA-256 and SHA-3.
>>>  - Has IMHO (and this is purely subjective) better provable security than
>>>    EC-DSA
>>> But that is not what we have been asked to comment on; as this is a new
>>> "protocol" (i.e. signature scheme).
>>> 
>>> Yours
>>> 
>>> Nigel
>>> 
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> http://www.irtf.org/mailman/listinfo/cfrg
>>