Re: [Cfrg] draft-irtf-cfrg-curves-07

Adam Langley <agl@imperialviolet.org> Tue, 01 September 2015 01:10 UTC

In-Reply-To: <CY1PR0301MB119540063747E1C326904D59956B0@CY1PR0301MB1195.namprd03.prod.outlook.com>
References: <CY1PR0301MB119540063747E1C326904D59956B0@CY1PR0301MB1195.namprd03.prod.outlook.com>
Date: Mon, 31 Aug 2015 18:10:34 -0700
Message-ID: <CAMfhd9UW8w4dv79xRxxYLRnugjin6g2B0CD2KQJv2bVMxdNAdg@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
To: Ronald Harvey <ron.harvey@freescale.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/rLugLCYm-tAVLPpYFS_hDeL5j5U>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] draft-irtf-cfrg-curves-07

On Mon, Aug 31, 2015 at 4:39 PM, Ronald Harvey <ron.harvey@freescale.com> wrote:
> In Section 5.1, the second input u-coordinate for each of "X25519" and
> "X448" is, to my computations, not on the curve. These are the values
> beginning e5210f1278 and 0fbcc2f993cd56d, respectively.  I believe
> that this makes 'any valid implementation' unable to compute the
> answer, as only implementations which use an x-only algorithm could
> possibly find the expected new u.  If it was intentional, then it
> should probably be noted that these are limited in scope.

X25519 and X448, as defined, are functions from (byte[32], byte[32])
to byte[32] (or byte[56] for X448). As such, they are defined for all
inputs.

Although it is the case that one only expects points on a curve to be
generated and transmitted, etc., partial implementations present at
least a fingerprinting issue. Since all the field functions can be
shared, and the Montgomery ladder is small, I think the assumption is
that implementations will use it. You can certainly still reuse
generator tables in Edwards form for calculating multiples of the base
point without any issues.

> When using other than x-only ladder for doing ECDH on these curves, is
> there a recommended procedure for running the (twisted) Edwards point
> multiply when starting from an 'invalid' u?  Most square root
> procedures will fail to return an answer when y^2 is not square.

(Completely shooting from the hip: the twist of curve25519 will also
be bi-rationally equivalent to a twisted Edwards curve. Some of the
Edwards formulas don't depend on d and so you might be able to compute
on that curve with the same formulae. Still, that seems more complex
and worse than using the ladder.)

> Regarding the Monte Carlo tests, it seems likely that a k which gets
> turned into a u will not always be on the curve, thus making it
> impossible also to use the tests with an Edwards (or other x-y)
> implementation.  Perhaps both k and u should be the result of the
> function after each iteration, ensuring a valid u as input; or k could
> be computed from the new u, e.g.

Are the "Monte Carlo" tests the iterated ones? If so, then I think it
might actually work out (by accident). The initial values are on the
curve and thus so will the outputs of the function be. So I think that
all the values will be on the curve? (Those tests were intended to
shake out any arithmetic errors in implementations rather than
anything else.)


Cheers

AGL

-- 
Adam Langley agl@imperialviolet.org https://www.imperialviolet.org
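The point Adam makes above, that X25519 is a total function on byte[32] while an x/y (Edwards-form) implementation must first recover the coordinate the ladder never needs, as an added worked example. This is my code, not Adam's, Ronald's, or the draft's reference implementation. It implements the Montgomery ladder as written in RFC 7748 (the published form of draft-irtf-cfrg-curves) and checks it against the two RFC 7748 X25519 vectors, including the e5210f12... u-coordinate Ronald asks about; the Legendre-symbol membership test and the square-root routine are assumed stand-ins for the decompression step an x/y implementation would have to perform, and the iterated-test walk confirms Adam's observation that every u that test feeds in is a previous output and so lies on the curve.

```python
# Added example (not from the thread or the draft): RFC 7748 X25519 next to a
# curve-membership check, to show why the x-only ladder accepts any 32-byte u
# while recovering the second coordinate fails for u on the quadratic twist.
P = 2**255 - 19            # field prime
A = 486662                 # curve25519: v^2 = u^3 + A*u^2 + u  (mod P)
A24 = (A - 2) // 4         # 121665, the constant the ladder step uses

def decode_u(u_bytes: bytes) -> int:
    """Little-endian u; RFC 7748 masks the top bit, then reduce mod P."""
    return (int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)) % P

def decode_scalar(k_bytes: bytes) -> int:
    """Clamp the scalar as RFC 7748 section 5 prescribes."""
    k = bytearray(k_bytes)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def cswap(swap: int, a: int, b: int):
    """Branch-free conditional swap driven by a 0/1 flag."""
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy

def x25519(k_bytes: bytes, u_bytes: bytes) -> bytes:
    """RFC 7748 Montgomery ladder; never needs v, so curve or twist is fine."""
    k, x1 = decode_scalar(k_bytes), decode_u(u_bytes)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def curve_rhs(u: int) -> int:
    return (u * u * u + A * u * u + u) % P

def is_on_curve(u: int) -> bool:
    """True iff v^2 = u^3 + A u^2 + u is solvable, i.e. u is on curve25519
    rather than on its twist (Legendre symbol of the right-hand side)."""
    rhs = curve_rhs(u)
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1

def recover_v(u: int):
    """The step an x/y (Edwards-style) implementation cannot skip: a square
    root of the right-hand side.  P = 5 mod 8 shortcut; None if no root."""
    rhs = curve_rhs(u)
    cand = pow(rhs, (P + 3) // 8, P)
    if cand * cand % P != rhs:
        cand = cand * pow(2, (P - 1) // 4, P) % P      # multiply by sqrt(-1)
    return cand if cand * cand % P == rhs else None

# RFC 7748 section 5.2 X25519 vectors: (scalar, input u, expected output u).
# The second input u is the e5210f12... value the thread discusses.
TV1 = ("a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4",
       "e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c",
       "c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552")
TV2 = ("4b66e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba0d",
       "e5210f12786811d3f4b7959d0538ae2c31dbe7106fc03c3efc4cd549c715a493",
       "95cbde9476e8907d7aade45cb4b873f88b595a68799fa152e6f8f7647aac7957")

def check_vector(tv) -> bool:
    k, u, expected = (bytes.fromhex(h) for h in tv)
    return x25519(k, u) == expected

def iterated_test(n: int):
    """RFC 7748 iterated test: k = u = 9; each round u <- old k, k <- output.
    Returns (k after n rounds, whether every u fed in was on the curve)."""
    k = u = (9).to_bytes(32, "little")
    all_on_curve = True
    for _ in range(n):
        all_on_curve &= is_on_curve(decode_u(u))   # u is 9 or a prior output
        k, u = x25519(k, u), k
    return k, all_on_curve

if __name__ == "__main__":
    for tv in (TV1, TV2):
        u = decode_u(bytes.fromhex(tv[1]))
        print(tv[1][:10], "ok:", check_vector(tv), "on curve:", is_on_curve(u),
              "v recoverable:", recover_v(u) is not None)
    k1, ok = iterated_test(1)
    print("iterated(1):", k1.hex(), "inputs on curve:", ok)
```

The ladder only ever touches u (x1) and the projective pair, so it gives the documented answer for both vectors whatever side of the curve the input lands on; `recover_v` is where an implementation that converts to Edwards or affine (u, v) form would stop with no root to take, which is the scope limitation Ronald describes. Running the iterated test through `is_on_curve` shows why that particular test stays usable by such an implementation.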