[CFRG] Why we use ECDH instead of traditional DH
Daniel Brown <dan.brown.cryptographer@gmail.com> Thu, 21 March 2024 17:34 UTC
Hi D. J. Bernstein,

Beyond historical interest, is the main point here ("why ECDH, not FFDH") to help work out clearer criteria for future CFRG decisions?

On the historical side, Koblitz, Koblitz, and Menezes address this well in "Elliptic Curve Cryptography: The Serpentine Course of a Paradigm Shift", ia.cr/2008/390, anotherlook.ca [KKM]. The authors have early experience in promoting ECC, including co-inventing ECC, and finding the MOV pairing-based attack (related to index calculus). Their general perspective also merits consideration for future decisions.

My 2c: I too think ECDH is overall less risky than traditional DH. As evidence, I'd consider index calculus on traditional DH, the failure of Silverman's xedni calculus, the security proof under Shoup's generic group model, the lack of faster-than-generic ECDLP algorithms (for almost all curves), successful efforts towards faster ECDLP such as the MOV attack on special curves (showing that people have been studying ECDLP), and recent advances in index calculus, including quasi-poly-time, on traditional DH. Yet, surely, other pragmatic reasons, not just the ideal reason of security, have also contributed to ECDH's adoption. Of course, I hope that all cryptography decisions aim for security.

// Technical points about different curves in ECDH

D. J. Bernstein writes:

> Taking prime fields eliminates any attacks that exploit extra
> subfields, including any risk from FFS. Taking large field
> discriminants avoids any risk from further automorphisms.

I agree that prime-field and "large" discriminant ECDH is less risky than various alternative forms of ECDH. This is the conventional wisdom. Nonetheless, I'd hope for more clarity on:

1) the level of risk difference,
2) specific rationale for the relative risk assessment.

On 1) risk difference, I quote [KKM, Sec. 11, p.30]: "Rather, our point is that conventional wisdom may turn out to be wrong and that, as far as anyone knows, either choice has risks. The decision about what kind of curve to use in ECC is a subjective one based on the user's best guess about future vulnerabilities." So, they argue that the risk difference is not so clear.

My 2c: I've also proposed using a hybrid of 2 or more (diverse) curves in ECC when the extra cost can be afforded (e.g. when hybridized with PQC, etc.). My rationale was that the absolute risk may be high enough to warrant this in some settings (though I'm not sure how many IETF applications would warrant this), while the risk difference seemed low enough to gain from the diversity. So, I don't see the risk difference as great. To be clear, my view involves guesswork.

On 2) specific rationale about the greater risk of low-discriminant curves:

a) [KKM, Sec. 11] cite some rationale to the contrary of conventional wisdom.

b) Miller's 1985 CRYPTO proposal for ECC included special curves (with small discriminant), with equation y^2=x^3+ax. Miller predicted it might not be "prudent" to use these special curves. This may be the first instance of the "conventional wisdom". Later, the MOV pairing-based attack knocked out these curves, for the primes that Miller proposed, so Miller's prediction was exactly right. But, by changing the primes used, the MOV pairing-based attack is avoided. So, a low discriminant is not sufficient for the MOV pairing-based attack to work. Does there hold a general correlation between discriminant size and the availability of a pairing needed for a MOV-type attack? If so, is that the specific rationale for deeming greater risk of small-discriminant curves?

c) Several people have proposed using special-form prime fields, for their greater efficiency over random prime fields. (The NIST curves and Curve25519 use special-form fields.) Conventional wisdom seems to be that using a special-form field does not increase risk (although Brainpool is an exception). I agree with this conventional wisdom, despite the fact that the MOV pairing-based attack depends on the field, not just the curve equation, which is a point on which I remain a little puzzled. Note that GLV proposed using low-discriminant special-equation curves for their greater efficiency, by way of efficient endomorphisms. So, how much and why is using a special-form field in ECDH less risky than using a special-equation low-discriminant curve in ECDH? Maybe there is a good rationale, e.g. quantified correlations, etc. If not, then why not use a faster low-discriminant curve for the same reason we use a faster special-form field?

// Pedantic quibbles on wording

> Taking large field discriminants avoids any risk from further
> automorphisms.

To be clear, before discussing my quibbles, I think I get the drift of the sentence, and I appreciate that brevity was being used, and it was only a quick email, not an academically precise paper. Also, it's likely that my own wording has even more issues to quibble about. In writing this, I also realized that my own understanding of ECC is far from thorough enough, so I had to motivate most of my quibbles through some technical questions.

i) As to "avoid any risk". Is this claiming that the risk of the preferred alternative is lower? Otherwise, it seems almost a vacuous tautology (no X => no risks from X). So, I've been presuming that "avoid any risk" is meant to imply that the preferred alternative (prime-field large-discriminant) has lower risk. But maybe my presumption is missing something. Have I misinterpreted?

ii) As to "large". Does this mean "typically large" or "especially large"? If I recall correctly, isn't the typical or average discriminant size of a random curve over p somewhere close to p or p/2? So, I think the intended point in saying "large" was to choose a curve whose discriminant was in the typical size range, as opposed to the small size range, e.g. < 1000.

iii) As to "automorphism". Should this have been "efficient endomorphism"? If I understand correctly, for "automorphisms" in the algebraic geometry sense, prime-field curves always have 2 or 4 automorphisms. A curve has 4 automorphisms only if it has j-invariant j=0 or j=1728. In particular, many curves with small discriminants have just 2 automorphisms, just like any large discriminant curves. If I recall correctly, for "automorphism" in the abstract group sense, which depends on the group isomorphism type (i.e. a product of cyclic groups), the number of automorphisms (e.g. phi(n) if the curve group is cyclic of size n) is not known to be correlated with the size of the curve discriminant. But maybe I'm wrong. For the two reasons above, I presume you meant "endomorphism" not "automorphism". I speculate that this was just a typo, made in haste, being busy with various other important things. If I understand correctly, every curve over a prime field has complex multiplication. This means that all such curves have "further" endomorphisms, beyond just scalar (i.e. "real") multiplication. But in large-discriminant curves, the extra endomorphisms are not efficient (or not more efficient than scalar multiplication). Hence, my presumption is that you meant "efficient endomorphism", not just "endomorphism".

Best regards,
Dan
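Added toy example, not part of the email above or of the papers it cites: it makes point b) concrete for Miller's y^2 = x^3 + ax family by computing, over constructed small primes, the j-invariant (1728, the case named in point iii), the group order, the embedding degree k of the largest prime subgroup (the quantity a MOV reduction needs to be small; k = 2 when p = 3 mod 4 and the curve is supersingular, much larger for a prime such as 53), and whether the order-4 automorphism (x, y) -> (-x, i*y) is defined over F_p at all. All function names are the example's own.

```python
# Added toy example (not from the email or the cited papers): for Miller's
# family y^2 = x^3 + a*x over a small prime p, report the j-invariant, the
# group order by naive counting, the embedding degree k of the largest prime
# subgroup (smallest k with r | p^k - 1, which a MOV reduction needs small),
# and whether sqrt(-1) exists in F_p, i.e. whether the order-4 automorphism
# (x, y) -> (-x, i*y) is defined over F_p.  Primes are constructed toy values.

def legendre(v, p):
    """Legendre symbol (v/p) for odd prime p: 1, -1, or 0."""
    v %= p
    return 0 if v == 0 else (1 if pow(v, (p - 1) // 2, p) == 1 else -1)

def curve_order(p, a, b):
    """#E(F_p) for y^2 = x^3 + a*x + b, including the point at infinity."""
    return 1 + sum(1 + legendre(x**3 + a*x + b, p) for x in range(p))

def j_invariant(p, a, b):
    """j = 1728 * 4a^3 / (4a^3 + 27b^2) mod p; equals 1728 mod p when b = 0."""
    four_a3 = 4 * pow(a, 3, p) % p
    den = (four_a3 + 27 * b * b) % p          # zero means a singular curve
    return 1728 * four_a3 * pow(den, -1, p) % p

def embedding_degree(r, p, limit=10**6):
    """Smallest k <= limit with p^k = 1 (mod r), or None; assumes gcd(r, p) = 1."""
    acc = 1
    for k in range(1, limit + 1):
        acc = acc * p % r
        if acc == 1:
            return k
    return None

def largest_prime_factor(n):
    f, m, best = 2, n, 1                      # trial division; toy sizes only
    while f * f <= m:
        while m % f == 0:
            best, m = f, m // f
        f += 1
    return max(best, m)

def analyse(p, a):
    """Summarise y^2 = x^3 + a*x over F_p for a != 0 and prime p > 3."""
    n = curve_order(p, a, 0)
    r = largest_prime_factor(n)
    return {
        "j": j_invariant(p, a, 0),
        "order": n,
        "supersingular": n == p + 1,                # trace 0: p = 3 (mod 4) here
        "r": r,
        "k": embedding_degree(r, p),                # 2 whenever n = p + 1
        "sqrt_minus1_in_Fp": legendre(-1, p) == 1,  # p = 1 (mod 4)
    }
```

For p = 11 the curve is supersingular with k = 2, so the DLP moves to F_{p^2}; for p = 53 the same equation gives an ordinary curve of order 68 whose 17-element subgroup has k = 8.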