Re: [Cfrg] Prime order + twisty DH benefit (theoretical)

Michael Hamburg <mike@shiftleft.org> Mon, 21 July 2014 23:05 UTC

From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <20140721210944.6656149.59544.16939@certicom.com>
Date: Mon, 21 Jul 2014 16:05:13 -0700
Message-Id: <8386CCEB-50DE-45CB-9318-D36E03F33212@shiftleft.org>
References: <20140721210944.6656149.59544.16939@certicom.com>
To: Dan Brown <dbrown@certicom.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/sy2dF2HvYNEkO5Zes1cRWKNahuY
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Prime order + twisty DH benefit (theoretical)

Dan, this doesn’t seem right.  The shared secret on an ordinary curve has at least one bit of information, because not every value in the field is the x-coordinate of a point.  Even if the input can be either on the twist or the curve, so that every x-coordinate can come out (not the case in current NIST curves), the adversary can see whether the shared secret is on the curve or the twist.

Amplifying this to 4 bits of information isn’t going to change much.

So you can’t get to no bias, unless you do a completely unwarranted hack involving Elligator.

So you should use a KDF no matter what, and the KDF must be able to hide the small amount of bias.

Is your argument that people who use Curve25519 with no KDF are slightly more edgy than people who use NISTp256 ECDH with no KDF?  In this case, you should add another bit, because the high bit out of Curve25519 is always clear.  This is more serious than the cofactor.  But I still don’t think this is a good argument.

Cheers,
— Mike

On Jul 21, 2014, at 2:09 PM, Dan Brown <dbrown@certicom.com> wrote:

> Sorry if the following has been discussed previously. Curve25519 has cofactor 8 because it uses a different shape curve.
> 
> If cofactor multiplication DH is used, this gives the shared secrets about 3 bits of information theoretical bias. Of course, the kdf etc should hide that bias just fine, but it would be theoretically simpler to have a shared secret with potentially no bias, eg prime order for both curve and twist.
> 
> Best regards, 
> 
> -- Dan
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
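The points made in this exchange, worked through on the actual X25519 parameters: a raw shared secret reveals whether it sits on the curve or the twist (Euler's criterion on the Montgomery right-hand side), cofactor clearing confines it to the order-Q subgroup (about 3 further bits), the top bit of the 32-byte encoding is always clear because the output is below 2^255, and a KDF is what removes all of that structure. This is an added example written for this archive page, not code from either message or from the Curve25519 project; it assumes X25519 as specified in RFC 7748 (including the section 6.1 test keys) and HKDF as specified in RFC 5869, and the helpers `first_twist_u`, `bias_bits`, `high_bit_clear` and `demo` are this example's own names.

```python
import hashlib
import hmac
import math

# Curve25519 / X25519 parameters from RFC 7748: y^2 = x^3 + A x^2 + x over GF(P),
# group order 8 * Q (cofactor 8, Q prime); the quadratic twist has cofactor 4.
P = 2**255 - 19
A_MONT = 486662
A24 = (A_MONT - 2) // 4                                        # 121665
Q = 2**252 + 27742317777372353535851937790883648493
COFACTOR = 8


def clamp_scalar(k: bytes) -> int:
    """RFC 7748 scalar decoding.  Clearing the low three bits makes the scalar a
    multiple of 8, so every result lies in the prime-order subgroup (cofactor DH)."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127                        # RFC 7748: ignore the unused top bit
    return int.from_bytes(u, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """x-only Montgomery ladder as in RFC 7748 section 5.  The same formulas
    compute multiples on the twist when u is not an x-coordinate on the curve."""
    x1, scalar = decode_u(u), clamp_scalar(k)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:                        # RFC cswap; plain Python is not constant-time
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def curve_rhs(u: int) -> int:
    return (u * u * u + A_MONT * u * u + u) % P


def on_curve(u_bytes: bytes) -> bool:
    """Curve-or-twist test: u is an x-coordinate on Curve25519 iff the right-hand
    side is a square mod P (Euler's criterion).  Anyone holding the raw shared
    secret can evaluate this, which is the 'one bit of information' in the thread."""
    r = curve_rhs(decode_u(u_bytes))
    return r == 0 or pow(r, (P - 1) // 2, P) == 1


def first_twist_u(start: int = 2) -> bytes:
    """Smallest u >= start lying on the twist (constructed input for the demo).
    Only u = 0, 1, -1 have order dividing 8, so the ladder result is non-trivial."""
    u = start
    while on_curve(u.to_bytes(32, "little")):
        u += 1
    return u.to_bytes(32, "little")


def high_bit_clear(secret: bytes) -> bool:
    """Every X25519 output is < P < 2^255, so bit 255 of the encoding is always 0."""
    return secret[31] & 0x80 == 0


def bias_bits() -> dict:
    """Information-theoretic bias of a raw (un-hashed) X25519 shared secret.  The
    non-identity points of the order-Q subgroup have (Q-1)/2 distinct x-coordinates;
    the whole curve has 4Q of them (about half of the field)."""
    log_outputs = math.log2((Q - 1) // 2)
    return {
        "curve_vs_twist": math.log2(P) - math.log2(4 * Q),      # ~1 bit
        "cofactor": math.log2(COFACTOR),                         # 3 bits
        "vs_field_element": math.log2(P) - log_outputs,          # ~4 bits, as in the thread
        "vs_256_bit_string": 256 - log_outputs,                  # ~5 bits incl. the clear top bit
    }


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with SHA-256: the step that hides the bias."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def demo() -> dict:
    """Alice/Bob exchange with the RFC 7748 section 6.1 test keys, then a twist input."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    base = (9).to_bytes(32, "little")
    pk_a, pk_b = x25519(a, base), x25519(b, base)
    k_ab, k_ba = x25519(a, pk_b), x25519(b, pk_a)
    twist_secret = x25519(a, first_twist_u())
    return {
        "pk_a": pk_a.hex(),
        "shared": k_ab.hex(),
        "agree": k_ab == k_ba,
        "shared_on_curve": on_curve(k_ab),          # True: the curve/twist bit is visible
        "twist_on_curve": on_curve(twist_secret),   # False: a twist input stays on the twist
        "high_bit_clear": high_bit_clear(k_ab),
        "session_key": hkdf_sha256(k_ab, b"", b"constructed example context", 32).hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    print(bias_bits())
```

`bias_bits()` reports the numbers behind the thread's arithmetic: roughly one bit from the curve-or-twist test, three from the cofactor, four in total against a uniform field element, and five against a uniform 32-byte string once the always-clear top bit is counted. None of this structure survives `hkdf_sha256`, which is why the thread's conclusion is to apply a KDF regardless of the curve.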