Re: [Cfrg] Curve manipulation, revisited

Benjamin Black <> Mon, 29 December 2014 17:14 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 6AE221A884C for <>; Mon, 29 Dec 2014 09:14:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id a0ZtkSp2aKwt for <>; Mon, 29 Dec 2014 09:14:37 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D2C7B1A87AD for <>; Mon, 29 Dec 2014 09:14:36 -0800 (PST)
Received: by with SMTP id l15so22673583wiw.4 for <>; Mon, 29 Dec 2014 09:14:35 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=xe3mTknj01r0u1rF4jwE0keNSfrwxnN3KeFcc3cGZE4=; b=e0oacdjcJKAd6mTRIYFvJAyid2TKRYh6/kKYOfCg2fxQczhTN9bmDU+bM4iSXqLyKp uGq/V9jItrDV0jsSxZcuQ264q0Ew11pNAM34GA14kGOrzCcpVX80+mWjl9cCuhR7onAl l1NrKLrhVoCXmIUNsfI+F1rnBDVNFzxLNov++sinI81fOLlu0oxDMVwaobaEj0g1XfWF Ty0T5RT+WJYKufkfEMfj949Nr79zb4bn1l88QLx5VzfP9B2mVtxGfGbXzO0nV80CmaEx tgkChtNJhG6YnWwGZT2ArE2cUhFdfx1u95vAOAE6LQW680qjZpqZXS5xgd2nmOR8N9Qg LNQw==
X-Gm-Message-State: ALoCoQkBJzo81vMxEMk+Z0o9v12TxGXp4NskyT/xz+K0c4YwqtDRS/BANjN02Mt5zcjkcQz2YIHM
X-Received: by with SMTP id z10mr98234600wiv.70.1419873275531; Mon, 29 Dec 2014 09:14:35 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Mon, 29 Dec 2014 09:14:15 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <>
From: Benjamin Black <>
Date: Mon, 29 Dec 2014 09:14:15 -0800
Message-ID: <>
To: Adam Langley <>
Content-Type: multipart/alternative; boundary="f46d0438957336e932050b5e02ab"
Cc: "" <>
Subject: Re: [Cfrg] Curve manipulation, revisited
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 29 Dec 2014 17:14:39 -0000

On Mon, Dec 29, 2014 at 5:31 AM, Adam Langley <>

> On Mon, Dec 29, 2014 at 7:57 AM, Benjamin Black <> wrote:
> > It seems performance is the real priority here and you will happily
> discard
> > things you insist are necessary for security when they conflict with
> > performance. At the 128-bit security level the ladder can be faster. At
> the
> > 200-bit+ security levels the ladder is slower. Should we blame the
> > implementor who elects not to use a single-coordinate ladder? Should we
> > wonder why you would choose not to eliminate these security failures?
> Montgomery ladders allow for very simple, robust implementations of
> scalar-mult. Sometimes an implementation might want to trade off cache
> pressure for speed, but certainly not all will. If we accept that
> supporting Montgomery ladders is a requirement, then we can easily
> meet that by sending the Montgomery-x value in ECDH protocols because
> windowed methods can easily output this. Thus these are not in
> conflict.
After Yarov and Benger I don't know how robust anyone should assume ladders
are, though that might be beside the point. Had Dan been insisting that
ladders be _allowed_ then I would agree with you, as I have said the same
(in the line just before the part you quoted, even). What Dan said is that
single-coordinate ladders are _required_. They are not (or, to quote Dan
again, "False."). X-only on the wire has clear advantages and I support
that recommendation, but that does not force use of ladders.

> > This section of your paper raises another interesting point. It seems a
> > slight performance drop in exchange for consuming less SRAM can be a
> > desirable property to you. In Adam's Faster Curve25519 post
> > (, he
> > achieves significant performance improvements at a cost of 24KB of cache
> for
> > tables.
> Keep in mind that this was mostly the result of me needing to explain
> windowed methods to someone. The practical benefit to ECDH systems is
> minimal since the base-point multiplication can be amortised. (Fast
> signatures, however, obviously can benefit, but there's no danger of
> an invalid-curve attack when multiplying by the base point.)
My point was that space/time trade-offs like that seem to be acceptable or
unacceptable to Dan depending on what is being argued.

> > I'm not sure what point you are trying to make here. The people who
> haven't
> > submitted curves should remain silent? That is antithetical to the IETF
> > process.
> I think Tanja is commenting on the fact that the IETF process is alien
> to most cryptographers. Cryptographers often run competitions (e.g.
> the AES and SHA-3 competitions) where teams submit candidates and a
> winner is decided. That's very different to the more "collaborative"
> method common at the IETF.
I'm experiencing a similar cultural impedance problem.