Re: [Cfrg] Curve selection revisited
David Jacobson <dmjacobson@sbcglobal.net> Fri, 25 July 2014 15:30 UTC
Message-ID: <53D2781B.8030605@sbcglobal.net>
Date: Fri, 25 Jul 2014 08:30:35 -0700
From: David Jacobson <dmjacobson@sbcglobal.net>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>, Benjamin Black <b@b3k.us>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <CA+Vbu7xroa68=HOZtbf=oz7kK2EeUv_z1okpnjxHPR0ZtHD5cA@mail.gmail.com> <CFF7E184.28E9F%kenny.paterson@rhul.ac.uk>
In-Reply-To: <CFF7E184.28E9F%kenny.paterson@rhul.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/nPizu6fxq8eOc9jHYuPLwRKXuYc
Subject: Re: [Cfrg] Curve selection revisited
On 7/25/14 7:48 AM, Paterson, Kenny wrote:
> Ben
>
> Thanks for this helpful message. I've responded in-line below,
> representing the chairs and based on what I've heard on the list and at
> the IETF meeting this week. People on the list should still feel free, of
> course, to argue for other points of view.
>
> On 25/07/2014 01:10, "Benjamin Black" <b@b3k.us> wrote:
>
> [snip]
>>
>> 2) Performance must be measured using "production-quality"
>> implementations. By this I mean implementations which employ the sort of
>> techniques/optimizations appropriate for large scale deployment. This is
>> specifically intended to exclude discussion of
>> how simple or fast an implementation _could_ be, in favor of what they
>> actually are in practice. However, the goal is to select curves which
>> strike the best balance between various requirements, not simply the
>> fastest.
>>
> I don't think it's very easy to be concrete about what
> "production-quality" means. I tend to agree with Yoav's comments here
> (http://www.ietf.org/mail-archive/web/cfrg/current/msg04735.html).

I believe that we need to decide what to do about side channel leakage
resistance. Performance needs to be measured with the defenses deployed.
Of course, the problem is that nobody knows what defenses should be
deployed and when we have reached "good enough". One common defense is
no branches on secret data. Almost certainly we would want the
benchmarks to be coded this way. But if the threat model includes
malicious processes that share a cache with the crypto process, then it
is good practice to code so that the stream of memory addresses accessed
does not depend on secret data. And then there are various blinding
techniques with widely varying costs.

This issue is more important if different curves/protocols have
different sensitivities to leakage or require different leakage
mitigations. I don't know whether this is the case.

--David Jacobson
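The three defenses David Jacobson lists (no branches on secret data, no secret-dependent memory addresses, and blinding) in working code, as an added example that is not part of his message or of the CFRG thread. The group is a stand-in: residues mod the small prime TOY_P = 65521 under addition, so k*G is just k*G mod TOY_P. The ladder structure, the masked conditional swap, the masked table scan and the scalar blinding are the parts that carry over to a real curve; the field arithmetic, the constant TOY_P, and all function names here are assumptions made for the illustration.

```c
/* Added example: side-channel coding rules applied to a scalar-multiplication
 * ladder over a toy group (integers mod TOY_P under addition, assumed here). */
#include <stdint.h>
#include <stdio.h>

#define TOY_P 65521u          /* small prime; the toy group has order TOY_P */

typedef uint32_t elem;        /* group element: residue mod TOY_P */
typedef uint64_t scalar;

static elem add(elem a, elem b) { return (elem)(((uint64_t)a + b) % TOY_P); }
static elem dbl(elem a) { return add(a, a); }

/* Branchy swap: executes different instructions depending on the key bit,
 * so timing and the instruction trace leak the scalar one bit at a time. */
static void cswap_branchy(elem *a, elem *b, unsigned bit) {
    if (bit) { elem t = *a; *a = *b; *b = t; }
}

/* Constant-time swap: turn the bit into an all-ones/all-zeros mask and XOR
 * it through; the same instructions and loads/stores run either way. */
static void cswap_ct(elem *a, elem *b, unsigned bit) {
    elem mask = (elem)(0u - (elem)(bit & 1u));
    elem d = (*a ^ *b) & mask;
    *a ^= d;
    *b ^= d;
}

/* Montgomery ladder: one add and one double per bit regardless of its value,
 * with invariant r1 == r0 + g. Only the swap primitive touches the secret,
 * which is why swapping cswap_branchy for cswap_ct removes the key-dependent
 * control flow without changing the result. */
static elem ladder(elem g, scalar k, unsigned nbits,
                   void (*cswap)(elem *, elem *, unsigned)) {
    elem r0 = 0, r1 = g;
    for (int i = (int)nbits - 1; i >= 0; i--) {
        unsigned bit = (unsigned)((k >> i) & 1u);
        cswap(&r0, &r1, bit);
        r1 = add(r0, r1);
        r0 = dbl(r0);
        cswap(&r0, &r1, bit);
    }
    return r0;
}

/* All-ones iff a == b, computed without a comparison or branch. */
static uint64_t ct_eq_mask(uint64_t a, uint64_t b) {
    uint64_t x = a ^ b;                   /* zero iff a == b */
    uint64_t nz = (x | (0u - x)) >> 63;   /* 1 iff x != 0 */
    return 0u - (nz ^ 1u);
}

/* Secret-indexed lookup (windowed scalar multiplication reads a precomputed
 * table this way): the cache line touched depends on idx, which a process
 * sharing the cache can observe. */
static elem table_lookup_indexed(const elem *table, uint64_t idx) {
    return table[idx];
}

/* Constant-time lookup: read every entry and keep the matching one with a
 * mask, so the address stream is independent of idx. Cost grows with n. */
static elem table_lookup_ct(const elem *table, uint64_t n, uint64_t idx) {
    elem out = 0;
    for (uint64_t i = 0; i < n; i++)
        out |= table[i] & (elem)ct_eq_mask(i, idx);
    return out;
}

/* Scalar blinding: k + r*order gives the same point but a different bit
 * pattern on every run; the ladder now has to process the extra bits. */
static scalar blind_scalar(scalar k, scalar r) { return k + r * TOY_P; }

/* Builds a 16-entry window table of multiples of g and checks that the
 * masked scan returns the same entry as the direct index. */
static int lookup_matches(elem g, uint64_t idx) {
    elem table[16];
    for (uint64_t i = 0; i < 16; i++) table[i] = (elem)((g * i) % TOY_P);
    return table_lookup_ct(table, 16, idx) == table_lookup_indexed(table, idx);
}

int main(void) {
    elem g = 3;
    scalar k = 12345;
    printf("branchy ladder : %u\n", ladder(g, k, 64, cswap_branchy));
    printf("ct ladder      : %u\n", ladder(g, k, 64, cswap_ct));
    printf("blinded ladder : %u\n", ladder(g, blind_scalar(k, 5), 64, cswap_ct));
    printf("lookup[7] ok   : %d\n", lookup_matches(g, 7));
    return 0;
}
```

All three ladder calls return the same value; what differs is the cost and what an observer sees. The masked table scan touches n entries instead of one, and the blinded scalar is longer than the unblinded one, which is the "widely varying costs" point: a benchmark that uses cswap_branchy and a direct table index measures a different program from the one that would actually be deployed. Source-level masking is also only a starting point; a compiler may turn a mask back into a branch, so the generated assembly of the constant-time paths still has to be inspected on the target.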