[CFRG] Why we use ECDH instead of traditional DH

Daniel Brown <dan.brown.cryptographer@gmail.com> Thu, 21 March 2024 17:34 UTC

From: Daniel Brown <dan.brown.cryptographer@gmail.com>
Date: Thu, 21 Mar 2024 13:33:45 -0400
Message-ID: <CANuRxefUceYt4z_2QDrWz+=RFiVgjksREsgkxfYhQXSvZgYbfw@mail.gmail.com>
To: cfrg@irtf.org, "D. J. Bernstein" <djb@cr.yp.to>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/w0-LPFaUnNptTDWDA6hermzLCzA>
Subject: [CFRG] Why we use ECDH instead of traditional DH

Hi D. J. Bernstein,

Beyond historical interest, is the main point here ("why ECDH, not FFDH")
to help work out clearer criteria for future CFRG decisions?

On the historical side, Koblitz, Koblitz, and Menezes address this well in
"Elliptic Curve Cryptography: The Serpentine Course of a Paradigm Shift",
ia.cr/2008/390, anotherlook.ca [KKM].  The authors have early experience in
promoting ECC, including co-inventing ECC, and finding the MOV
pairing-based attack (related to index calculus). Their general perspective
also merits consideration for future decisions.

My 2c: I too think ECDH is overall less risky than traditional DH.  As
evidence, I'd consider index calculus on traditional DH, failure of
Silverman's xedni calculus, security proof under Shoup's generic group
model, lack of faster-than-generic ECDLP algorithms (for almost all
curves), successful efforts toward faster ECDLP such as the MOV attack on
special curves (showing that people have been studying ECDLP), and recent
advances in index calculus, including quasi-poly-time, on traditional DH.
Yet, surely, other pragmatic reasons, not just the ideal reason of
security, have also contributed to ECDH's adoption. Of course, I hope that
all cryptography decisions aim for security.

// Technical points about different curves in ECDH

D. J. Bernstein writes:

> Taking prime fields eliminates any attacks that exploit extra
> subfields, including any risk from FFS.  Taking large field
> discriminants avoids any risk from further automorphisms.

I agree that prime-field and "large" discriminant ECDH is less risky than
various alternative forms of ECDH.  This is the conventional wisdom.
Nonetheless, I'd hope for more clarity on:

1) the level of risk difference,

2) specific rationale for the relative risk assessment.

On 1) risk difference, I quote [KKM, Sec. 11, p.30]: "Rather, our point is
that conventional wisdom may turn out to be wrong and that, as far as
anyone knows, either choice has risks. The decision about what kind of
curve to use in ECC is a subjective one based on the user's best guess
about future vulnerabilities."  So, they argue that the risk difference is
not so clear.

My 2c: I've also proposed using a hybrid of 2 or more (diverse) curves in ECC
when the extra cost can be afforded (e.g. when hybridized with PQC, etc.).
My rationale was that the absolute risk may be high enough to warrant this
in some settings (though I'm not sure how many IETF applications would warrant
this), while the risk difference seemed low enough to gain from the diversity.
So, I don't see the risk difference as great.  To be clear, my view
involves guesswork.

On 2) specific rationale about the greater risk of low-discriminant curves:

a) [KKM, Sec. 11] cite some rationale to the contrary of conventional
wisdom.

b) Miller's 1985 CRYPTO proposal for ECC included special curves (with
small discriminant), with equation y^2=x^3+ax. Miller predicted it might
not be "prudent" to use these special curves. This may be the first
instance of the "conventional wisdom".

Later, the MOV pairing-based attack knocked out these curves, for the
primes that Miller proposed, so Miller's prediction was exactly right. But,
by changing the primes used, the MOV pairing-based attack is avoided.  So,
a low discriminant is not sufficient for the MOV pairing-based attack to
work.

Does there hold a general correlation between discriminant size and the
availability of a pairing needed for a MOV-type attack?  If so, is that the
specific rationale for deeming greater risk of small-discriminant curves?

c) Several people have proposed using special-form prime fields, for their
greater efficiency over random prime fields.  (The NIST curves and
Curve25519 use special-form fields.)

Conventional wisdom seems to be that using a special-form field does not
increase risk (although Brainpool is an exception). I agree with this
conventional wisdom, despite the fact that the MOV pairing-based attack depends
on the field, not just the curve equation, which is a point on which I
remain a little puzzled.

Note that GLV proposed using low-discriminant special-equation curves for
their greater efficiency, by way of efficient endomorphisms.

So, how much and why is using a special-form field in ECDH less risky than
using a special-equation low-discriminant curve in ECDH? Maybe there is a
good rationale, e.g. quantified correlations, etc.  If not, then why not
use a faster low-discriminant curve for the same reason we use a faster
special-form field?

// Pedantic quibbles on wording

> Taking large field discriminants avoids any risk from further
> automorphisms.

To be clear, before discussing my quibbles, I think I get the drift of the
sentence, and I appreciate that brevity was being used, and it was only a
quick email, not an academically precise paper.  Also, it's likely that my
own wording has even more issues to quibble about.  In writing this, I also
realized that my own understanding of ECC is far from thorough enough, so I
had to motivate most of my quibbles through some technical questions.


i) As to "avoid any risk".  Is this claiming that the risk of the preferred
alternative is lower?

Otherwise, it seems almost a vacuous tautology (no X => no risks from X).
So, I've been presuming that "avoid any risk" is meant to imply that the
preferred alternative (prime-field large-discriminant) has lower risk.  But
maybe my presumption is missing something.  Have I misinterpreted?


ii) As to "large".  Does this mean "typically large" or "especially large"?

If I recall correctly, isn't the typical or average discriminant size of a
random curve over p somewhere close to p or p/2?  So, I think the intended
point in saying "large" was to choose a curve whose discriminant was in the
typical size range, as opposed to the small size range, e.g. < 1000.


iii) As to "automorphism".  Should this have been "efficient endomorphism"?

If I understand correctly, for "automorphisms" in the algebraic geometry
sense, prime-field curves always have 2 or 4 automorphisms. A curve has 4
automorphisms only if it has j-invariant j=0 or j=1728. In particular, many
curves with small discriminants have just 2 automorphisms, just like
large-discriminant curves.

If I recall correctly, for "automorphism" in the abstract group sense,
which depends on the group isomorphism type (i.e. a product of cyclic
groups), the number of automorphisms (e.g. phi(n) if the curve group is
cyclic of size n) is not known to be correlated with the size of the curve
discriminant.  But maybe I'm wrong.

For the two reasons above, I presume you meant "endomorphism" not
"automorphism".  I speculate that this was just a typo, made in haste,
being busy with various other important things.

If I understand correctly, every curve over a prime field has complex
multiplication. This means that all such curves have "further"
endomorphisms, beyond just scalar (i.e. "real") multiplication.  But in
large-discriminant curves, the extra endomorphisms are not efficient (or
not more efficient than scalar multiplication).  Hence, my presumption is
that you meant "efficient endomorphism", not just "endomorphism".

Best regards,

Dan
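The following is an added worked example, not part of Dan Brown's message or of anything on the CFRG list. It makes two of the points above concrete on toy parameters: Miller's special curve y^2 = x^3 + ax is supersingular with embedding degree 2 when p = 3 mod 4 (the MOV situation), but the same equation over a prime p = 1 mod 4 is ordinary with a larger embedding degree, so a small-discriminant equation alone is not sufficient for the MOV reduction; and the count of F_p-rational automorphisms is 2 for a generic j-invariant and only grows for j = 0 or j = 1728, and even then only when the relevant roots of unity lie in F_p. The primes 11 and 13 and the curve coefficients are constructed toys; point counting is brute force and the function names (`count_points`, `embedding_degree`, `analyse`, and so on) are this example's own.

```python
# Added example (not from the original email): parameter checks on toy curves
# for the MOV/embedding-degree condition and the number of F_p-rational
# automorphisms, using Miller's special curve y^2 = x^3 + a*x.  All primes
# and coefficients below are constructed toys; p must be a prime > 3.


def count_points(p, a, b):
    """#E(F_p) for y^2 = x^3 + a*x + b, by brute force (toy primes only).
    Counts the affine solutions plus the point at infinity."""
    if (4 * pow(a, 3, p) + 27 * b * b) % p == 0:
        raise ValueError("singular curve")
    # roots[v] = number of y in F_p with y^2 == v
    roots = [0] * p
    for y in range(p):
        roots[(y * y) % p] += 1
    return 1 + sum(roots[(x * x * x + a * x + b) % p] for x in range(p))


def embedding_degree(n, p, limit=1000):
    """Smallest k >= 1 with n | p^k - 1.  A pairing maps an order-n subgroup
    into F_{p^k}^*, so a small k is the red flag the MOV reduction exploits.
    Returns None if p | n (no such k exists) or none is found below limit."""
    if n % p == 0:
        return None
    acc = 1
    for k in range(1, limit + 1):
        acc = (acc * p) % n
        if acc == 1:
            return k
    return None


def j_invariant(p, a, b):
    """j = 1728 * 4a^3 / (4a^3 + 27b^2) mod p (p > 3)."""
    num = (1728 * 4 * pow(a, 3, p)) % p
    den = (4 * pow(a, 3, p) + 27 * b * b) % p
    return (num * pow(den, -1, p)) % p


def rational_automorphisms(p, a, b):
    """Number of automorphisms of E defined over F_p (p > 3):
    j = 0    -> 6 if the cube roots of unity lie in F_p (p = 1 mod 3), else 2
    j = 1728 -> 4 if sqrt(-1) lies in F_p (p = 1 mod 4), else 2
    otherwise -> 2 (identity and negation only)."""
    j = j_invariant(p, a, b)
    if j == 0:
        return 6 if p % 3 == 1 else 2
    if j == 1728 % p:
        return 4 if p % 4 == 1 else 2
    return 2


def analyse(p, a, b):
    """Summarise the curve: group order, Frobenius trace t = p + 1 - #E,
    supersingularity (t == 0 for p > 3), embedding degree of the full group
    order, and the number of F_p-rational automorphisms."""
    n = count_points(p, a, b)
    t = p + 1 - n
    assert t * t <= 4 * p, "Hasse bound violated: point count is wrong"
    return {
        "order": n,
        "trace": t,
        "supersingular": t == 0,
        "embedding_degree": embedding_degree(n, p),
        "rational_automorphisms": rational_automorphisms(p, a, b),
    }


if __name__ == "__main__":
    # Miller's curve y^2 = x^3 + x over p = 11 (p = 3 mod 4): supersingular,
    # order p + 1, embedding degree 2, so the DLP drops into F_{p^2}^*.
    print(11, analyse(11, 1, 0))
    # Same equation over p = 13 (p = 1 mod 4): ordinary, embedding degree 4,
    # and the extra automorphism (x, y) -> (-x, i*y) is now F_p-rational.
    print(13, analyse(13, 1, 0))
    # A curve with a generic j-invariant for contrast: 2 automorphisms only.
    print(13, analyse(13, 2, 3))
```

The `embedding_degree` check is the one a defender would run on any proposed curve, since a small value means the pairing reduction applies regardless of how the curve was chosen; the automorphism count shows why "4 automorphisms" and "small discriminant" are not the same condition, even on these toy curves.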