Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as a RG document
Robert Ransom <rransom.8774@gmail.com> Mon, 19 January 2015 07:33 UTC
Return-Path: <rransom.8774@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42D111AD1D5 for <cfrg@ietfa.amsl.com>; Sun, 18 Jan 2015 23:33:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.149
X-Spam-Level:
X-Spam-Status: No, score=0.149 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lh4t0qen7SU5 for <cfrg@ietfa.amsl.com>; Sun, 18 Jan 2015 23:32:58 -0800 (PST)
Received: from mail-qc0-x22f.google.com (mail-qc0-x22f.google.com [IPv6:2607:f8b0:400d:c01::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECBFF1AD1C3 for <cfrg@irtf.org>; Sun, 18 Jan 2015 23:32:57 -0800 (PST)
Received: by mail-qc0-f175.google.com with SMTP id c9so2309171qcz.6 for <cfrg@irtf.org>; Sun, 18 Jan 2015 23:32:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=cpUQ54RC/dIVE0H/ov+Qb3aIFr4OY8kcnFujpJLrmGs=; b=hm8vCLXHsnkmI9vzua0aMjdqL+bCpRMokTcDMrYTQdhHeQvsQ+Bjc9FlweQkkJ2/5S GmgRomEdMNjxfzbpubQJ7y1h+X4tMuxZJAiIVVVvFVoElOn70nDei75nioZKVikuGqCi yeG7RPVy8aa0+QDOCAxMliYAEeVAK1MYQtvZlk5L9PWC/uwRL/quRxaLmWId/1b/ZQp3 Kod9w/PAqYDYrgBv5+rWqMoa+DZPNLYp3FKdiBT+bsQ8KSw5wkFyLMJRgF5GCuE2xASe Wxb+UfoqAWKDhERpXBqq95NIcwphtk2RMGbm/QWb7xbyvzsApeAZz6WxU3ioxrGNR8eQ +zDA==
MIME-Version: 1.0
X-Received: by 10.140.96.132 with SMTP id k4mr9409311qge.102.1421652777200; Sun, 18 Jan 2015 23:32:57 -0800 (PST)
Received: by 10.140.108.55 with HTTP; Sun, 18 Jan 2015 23:32:57 -0800 (PST)
In-Reply-To: <54AAE2CA.1080701@isode.com>
References: <54AAE2CA.1080701@isode.com>
Date: Sun, 18 Jan 2015 23:32:57 -0800
Message-ID: <CABqy+sq7m9epnQho0gbjZzZ9pN4Y4osbuR0mypcAxHrTv_7nAA@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/yQApIPOSpc0h1A1MEjsiMRYxb1c>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as a RG document
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Jan 2015 07:33:00 -0000
On 1/5/15, Alexey Melnikov <alexey.melnikov@isode.com> wrote: > This message starts 2 weeks adoption call (ending on January 19th 2015) on: > > https://www.imperialviolet.org/cfrgcurve/cfrgcurve.xml > > as the starting point for the CFRG document which describes an algorithm > for safe curve parameter generation for a particular security level and > also recommends a specific curve (2^255-19) for the 128-bit security level. My comments below are based on the document submitted to IETF and published as the Internet draft draft-agl-cfrgcurve-00. That document is dated 2015-01-06, after you published your call for adoption. I have not attempted to determine whether there are any other differences between the draft posted at the URL you specify at the time of the call for adoption and the Internet draft. > > Please reply to this message or directly to CFRG chairs, stating whether > you support (or not) adoption of this document. If you do not support > adoption of this document, please state whether you support adoption of > any alternative document or whether you want a particular change be made > to the document before adoption. I strongly oppose adoption of this document: * Adam Langley was listed as a co-author of draft-black-rpgecc-00 and draft-black-rpgecc-01. No one who co-authored either of those two documents should be considered as an editor or co-editor of any future CFRG document. * The curve selection procedures specified in draft-agl-cfrgcurve-00 were derived from the curve selection process specified in <https://eprint.iacr.org/2014/130> (referenced by draft-black-rpgecc-00 as [MSR]), and accordingly, the authors of [MSR] may require that their paper be cited as a reference by draft-agl-cfrgcurve-00. For reasons which have already been discussed, inclusion of [MSR] as a reference in any CFRG document is unacceptable. Thus, these curve selection procedures must not be included in any CFRG document. I also oppose adoption of this document for other reasons which have previously been raised; see below. I would support adoption of draft-turner-thecurve25519function, provided that it is never changed to include in its text any curve selection procedure derived from [MSR] or from any Internet-Draft by the authors of [MSR]. > > Chairs ask not to reiterate previously expressed technical opinions or > arguments. But clarifying questions on the adoption call are welcome. The following technical issues were raised prior to your call for adoption of draft-agl-cfrgcurve-00: * Curve3617 (also known as Curve41417) has cofactor 8, and is defined over a field of order congruent to 3 mod 4. Accordingly, the curve selection procedure in draft-agl-cfrgcurve-00 will choose a different curve if applied to the field used for Curve3617. (This point was previously raised to CFRG in <http://www.ietf.org/mail-archive/web/cfrg/current/msg05788.html>.) The curve selection procedure specified in draft-agl-cfrgcurve-00 will instead choose a curve with d > 2^19 (found by D. J. Bernstein (et al. ?), found again by Mike Hamburg, and found yet again and published recently by David Leon Gil), compared to d=3617 < 2^12 for Curve3617. The parameter value for the twist-secure curve with cofactor 4 is so much larger than the parameter value for cofactor 8 that the performance of at least one implementation strategy of some significance would be harmed by insisting on cofactor 4: current FPGAs contain 18-bit multipliers, and d > 2^19 almost guarantees a greater cost to multiply by the curve parameter. With the point format specified in draft-agl-cfrgcurve-00, there is no technical benefit to switching to a curve with cofactor 4 over the field used for Curve3617. * It is possible that the point format specified in section 9 of draft-agl-cfrgcurve-00 for ECDH (in order to match Curve25519 ECDH implementations) may be suboptimal for future curves. Mike Hamburg has developed a compressed point format which can only represent points of odd order on curves with cofactor 4, and which seems to be compatible with the Montgomery ladder. (This point was previously raised to CFRG in <http://www.ietf.org/mail-archive/web/cfrg/current/msg05654.html>.) A modern Schnorr-like signature (like EdDSA) usually consists of one group element and one scalar, to allow for batch verification. On elliptic-curve groups of composite order, a malicious signer can generate signatures which will pass batch verification and fail the simplest, fastest single-signature verification procedure, and vice-versa. Thus, implementors of single-signature verification have an engineering trade-off regarding whether to verify single signatures as quickly as possible or match the behaviour of batch verification; and implementors also have an engineering trade-off regarding whether to attempt to use batch verification at all. In some applications -- notably anonymity systems, but other systems are severely affected as well -- implementation-distinguishing attacks such as those can be quite severe. Mike Hamburg's new point format would eliminate those cofactor-based implementation-distinguishing attacks, but only for curves with cofactor 4. Thus, it may be appropriate for CFRG to recommend a curve other than Curve25519 for signatures, in order to obtain this technical benefit. Note that ECDH can be designed (with careful attention to proper handling of edge cases) to not have implementation-distinguishing attacks. Curve25519 ECDH, as it is currently widely implemented, has come to have an especially well-specified behaviour, and I believe that CFRG should not delay use of Curve25519 ECDH in IETF-controlled protocols further in the hope of switching to a different curve in order to use the new point format. * The basepoint selection procedure specified in section 6.3 of draft-agl-cfrgcurve-00 generates a different basepoint for Curve25519 than the standard basepoint currently in use for Curve25519, which is specified implicitly in the draft in section 9.1. (This point was previously raised to CFRG in <http://www.ietf.org/mail-archive/web/cfrg/current/msg05709.html>.) The simplest implementation strategy for ECDH is to implement both key generation and shared-secret computation using the same variable-base single-scalar multiplication routine. This implementation strategy can be made easier, simpler, and less error-prone to implement, at absolutely no cost to any other implementation strategy, by choosing the basepoint to have a simple form when expressed in the point format chosen for public keys. For example, the Curve25519 standard basepoint is the number 9, expressed as a 32-byte little-endian integer. It appears to me that the basepoint selection procedure specified in draft-agl-cfrgcurve-00 will not generate a basepoint of a simple form for any point format which might plausibly be used, so that basepoint selection procedure should be discarded entirely. * The curve selection procedure specified in draft-agl-cfrgcurve-00 for fields of order congruent to 1 mod 4 was concocted, at the direction of the CFRG chairs, solely to reproduce a curve isogenous to Curve25519. This is diametrically opposed to the purpose which the CFRG chairs claim that the curve selection procedure is supposed to perform. (This point was previously raised to CFRG in <http://www.ietf.org/mail-archive/web/cfrg/current/msg05637.html>.) Including a curve selection procedure which has been evaluated solely based on whether it will reproduce one curve or a small number of curves in a CFRG document may cause harm to people who use that curve selection procedure to produce additional curves. This point has been raised to CFRG again during this call for adoption of draft-agl-cfrgcurve, in <http://www.ietf.org/mail-archive/web/cfrg/current/msg05860.html>, despite the chairs' request that technical issues previously brought to CFRG's attention not be raised again. * The curve selection procedure specified in draft-agl-cfrgcurve-00 for fields of order congruent to 1 mod 4 does not require that both the curve and twist subgroup orders be greater than a power of 2 near q/8, even in fields of order sufficiently close to a power of 2 that such a requirement is feasible and is sufficient to allow a simple bit-masking procedure to generate scalars which act as non-zero on all curve and twist points of large order. (This point was previously raised to CFRG in <http://www.ietf.org/mail-archive/web/cfrg/current/msg05606.html> and <http://www.ietf.org/mail-archive/web/cfrg/current/msg05629.html>.) Over the specific field used for Curve25519, this property is implied by the other criteria already used in the curve selection procedure. Since the CFRG chairs' goal was to create a curve selection procedure which would reproduce Curve25519, not to create a curve selection procedure for general use, they apparently did not realize that the curve selection procedure might retain this issue when used over other fields. * If CFRG chooses the curve generation procedure, point format, and basepoint selection procedure specified in draft-agl-cfrgcurve-00 based solely on the fact that they reproduce the current Curve25519 ECDH protocol, as is currently the case, then CFRG's resulting document may make decisions that would be inappropriate for future curves. (This point was previously raised to CFRG in <http://www.ietf.org/mail-archive/web/cfrg/current/msg05793.html>.) I believe that each of these previously stated technical issues is sufficient to oppose adoption of draft-agl-cfrgcurve-00. Why have the CFRG chairs asked that these issues not be discussed further? Robert Ransom
- [Cfrg] Adoption of draft-agl-cfrgcurve-00 as a RG… Alexey Melnikov
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Adam Langley
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Stephen Farrell
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Watson Ladd
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Tony Arcieri
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Adam Langley
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Ilari Liusvaara
- [Cfrg] (please make draft an IETF document first)… Rene Struik
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Paul Lambert
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … David Leon Gil
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Michael Hamburg
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Alyssa Rowan
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Dan Brown
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … David Gil
- Re: [Cfrg] (please make draft an IETF document fi… Alexey Melnikov
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Sean Turner
- Re: [Cfrg] (please make draft an IETF document fi… Alexey Melnikov
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Watson Ladd
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Andrey Jivsov
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Adam Langley
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Andrey Jivsov
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Watson Ladd
- [Cfrg] options (was: Re: Adoption of draft-agl-cf… Stephen Farrell
- [Cfrg] No longer talking about Adoption of draft-… Alexey Melnikov
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Joppe Bos
- Re: [Cfrg] options (was: Re: Adoption of draft-ag… Paul Hoffman
- Re: [Cfrg] options Andrey Jivsov
- Re: [Cfrg] draft-agl-cfrgcurve-00 point format (w… Alyssa Rowan
- Re: [Cfrg] draft-agl-cfrgcurve-00 point format Andrey Jivsov
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Robert Ransom
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Ilari Liusvaara
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Robert Ransom
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Alexey Melnikov
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Alexey Melnikov
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Tony Arcieri
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Alexey Melnikov
- Re: [Cfrg] Adoption of draft-agl-cfrgcurve-00 as … Stephen Farrell
- [Cfrg] (technical flaws to be corrected in next v… Rene Struik
- Re: [Cfrg] (technical flaws to be corrected in ne… Adam Langley
- Re: [Cfrg] (technical flaws to be corrected in ne… Rene Struik
- Re: [Cfrg] (technical flaws to be corrected in ne… Adam Langley