Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]
Robert Ransom <rransom.8774@gmail.com> Mon, 01 December 2014 03:33 UTC
Return-Path: <rransom.8774@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 797701A039C for <cfrg@ietfa.amsl.com>; Sun, 30 Nov 2014 19:33:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.149
X-Spam-Level:
X-Spam-Status: No, score=0.149 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZWvT8uqVonD4 for <cfrg@ietfa.amsl.com>; Sun, 30 Nov 2014 19:33:07 -0800 (PST)
Received: from mail-qc0-x22f.google.com (mail-qc0-x22f.google.com [IPv6:2607:f8b0:400d:c01::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65BEB1A039B for <cfrg@irtf.org>; Sun, 30 Nov 2014 19:33:07 -0800 (PST)
Received: by mail-qc0-f175.google.com with SMTP id b13so7751288qcw.20 for <cfrg@irtf.org>; Sun, 30 Nov 2014 19:33:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=DKIq2xnZQ6h2Yg18AHZiEf3hTVfLyJzYZeiBi8uUMec=; b=PbJoxekfgh9cbfyW7rs0ZldyAtw8kd08A4K6hSueVMdjcGwSjGHS8zscm2dn+1V/Ye HkxMXxb2XB7XMF9RGjOBIcmWUK3leQBk/A2omwqL7xaOrmEqudEPBM+BgSjIOvDM9ohn BuKwhYMHIV7ev87xraDoYF4oJwv0nQlhhwtNmy0+MS/G81aiJQYigqOUDHK1TfL+KNiy pu7iM6acum2jD+IKtiLkEVja8374BKdsQReZE8XBPTlogk3upgbLbFUol6M58y+tssQU f4ij8c7j0xiI+h5+mATHzrdqJMP9o+ns09A+F8qg627L32gfMdWmpDXPWpgUK/Nyo2mj EgGA==
MIME-Version: 1.0
X-Received: by 10.224.129.9 with SMTP id m9mr83433531qas.50.1417404786553; Sun, 30 Nov 2014 19:33:06 -0800 (PST)
Received: by 10.140.30.100 with HTTP; Sun, 30 Nov 2014 19:33:06 -0800 (PST)
In-Reply-To: <CAMfhd9XxkZsVPMcevWOgvvqbBK0JqLVCGBYfwWu0QFO5rsfbJQ@mail.gmail.com>
References: <CA+Vbu7xvvfRWyqyE9sqU7VbjzNQZp+DwRWjaV3Lw0hjLr8ye1A@mail.gmail.com> <5476CB73.7090206@akr.io> <CAMfhd9XxkZsVPMcevWOgvvqbBK0JqLVCGBYfwWu0QFO5rsfbJQ@mail.gmail.com>
Date: Sun, 30 Nov 2014 19:33:06 -0800
Message-ID: <CABqy+sodVBbwNrA28AFxYMiw5rJxtUX3cbYCjtrYxK-48Ocd6A@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Adam Langley <agl@imperialviolet.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/z6bzOSsCepDaDfvqDLHZNYjzNps
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Dec 2014 03:33:09 -0000
On 11/26/14, Adam Langley <agl@imperialviolet.org> wrote: > On Wed, Nov 26, 2014 at 10:57 PM, Alyssa Rowan <akr@akr.io> wrote: >> In order to evaluate the performance of simple and secure >> implementations of algorithms over these curves, of course we are also >> going to need safe, efficient implementations for those algorithms, >> ideally available under a liberal licence so stakeholders can actually >> use it (specifically I'm afraid Apache 2.0 won't do due to its licence >> incompatibilities), which also satisfy our patent concerns. Do you >> have such an implementation ready to publish that we can plug into >> SUPERCOP? > > For the curve over GF(2^255-19), I certainly agree that > implementations are needed but I believe that there's strong evidence > that the performance would be equal to curve25519. > > The Edwards curve in question is isogenous to Curve25519 with A=358990 > and, while some uses may want to drop the new curves into existing > code, I hope that this RG can recommend that ECDH operations for the > most part transmit the Montgomery X value. Thus curve25519 > implementations should just need to change the (A-2)/4 value. First, what you are referring to as “Curve25519 with A=358990” is a curve different from Curve25519; it can more correctly be referred to as “the Montgomery curve with A=358990 over the same coordinate field as Curve25519”. Since you have not proposed a concise name for this Montgomery curve, I will use the name that Dr. Bernstein has just suggested for it, i.e. “PinkBikeShed”. Second, as you have stated, existing Curve25519 implementations would need to be changed in order to operate on PinkBikeShed (or any curve isogenous to it). That is a major technical disadvantage compared with using Curve25519 itself, even if the only change required is to replace the curve-parameter constant. Third, you appear to be arguing that ECDH operations would not use the Montgomery curve *isomorphic* to the Edwards curve in your Internet draft, but use a *different* Montgomery curve (PinkBikeShed) which is merely *isogenous* to the curve that you are proposing, in order to reduce the modifications required to make the many existing independent, interoperable implementations of Curve25519 operate on your curve. This would *slightly* reduce the technical disadvantage of your proposal compared to Curve25519, but would clearly not eliminate it. If you do intend to propose PinkBikeShed for ECDH, rather than the Montgomery curve isomorphic to the one specified in your Internet draft, then that needs to be stated explicitly in your draft. > For implementations of the Edwards curve, the smaller d value, if > anything, might allow a slight speedup over Edwards curve25519. > (Although those implementations would need changes to the scalar > reduction function and any precomputed tables.) Interesting suggestion. Both 89747 and 121665 are 17 bits long (they are between 2^17 and 2^18 - 1), and 89747 has a slightly greater Hamming weight than 121665 (10 rather than 9); I would expect any performance improvement on due to that change in curve parameter to be quite small and only applicable to a very few implementation strategies. Have you done any benchmarking to quantify the performance improvement that you are claiming as a technical benefit of PinkBikeShed? >> I note that if you run your algorithm on 2^521-1 you get E-521. If you >> ran it on 2^255-19, why didn't you get the twisted Edwards form of >> Curve25519? Kindly elucidate your objections to the same. > > As djb noted in the curve25519 paper[1], the A value for curve25519 is > not minimal. draft-black-rpgecc-00 finds a curve isogenous to the > minimal A. The minimal (and second minimal) value was originally > rejected because, when generating private keys, there's a possibility > of generating a multiple of the order. This can be taken care of with > (I think) a single memcmp, although I need to confirm that just one is > sufficient when I'm back home. > > [1] http://cr.yp.to/ecdh/curve25519-20060209.pdf, section "Why this > curve?". As Dr. Bernstein noted in the Curve25519 paper, the value of (A - 2)/4 for Curve25519 is indeed minimal subject to an additional security criterion. (I do not know or care whether A is minimal subject to any set of constraints for either Curve25519 or PinkBikeShed.) By discarding that additional security criterion, you have knowingly and intentionally introduced a very small security vulnerability in your proposal (another technical disadvantage of PinkBikeShed compared to Curve25519): the simplest implementation strategy for ECDH (Montgomery-ladder scalar multiplication on PinkBikeShed) produces zero as an output for one (non-zero) secret key when computing a shared secret with any input public key (point) on the twist. (I note that you did not disclose this security vulnerability in your draft's ‘Security Considerations’ section.) In order to mitigate that vulnerability, you recommend that ECDH implementations call the standard C library function ‘memcmp’ on every secret key to check for that one (slightly) weak key. This adds complexity to every ECDH implementation, and requires that applications or protocols which derive secret keys deterministically (e.g. by hashing some other secret) devise a backup plan in case that one secret key is ever generated. Worse, your proposed mitigation introduces a further security vulnerability (much worse than the one it is intended to protect against): a typical implementation of memcmp will leak information about *every* secret key to a timing side-channel attack. (And as Dr. Bernstein has pointed out, further, more severe, security vulnerabilities are possible in implementations of some protocols based on PinkBikeShed, but not in implementations of the same protocols based on Curve25519.) You have stated two technical disadvantages that you knew of at the time that you submitted your proposal: the deliberate incompatibility with existing Curve25519 software, and the deliberate introduction of a security vulnerability that is not present in Curve25519. You have stated only one possible technical benefit of your proposal over Curve25519: a small performance improvement in some (not all) implementations due to a slightly smaller curve-parameter constant. Do you believe that that possible performance improvement is a sufficiently large technical benefit over Curve25519 to outweigh the technical disadvantages of your proposal that you were aware of at the time that you submitted it? If not, did you have in mind any other technical benefit of your proposal over the use of unmodified Curve25519 that you consider to outweigh your proposal's technical disadvantages? Robert Ransom
- [Cfrg] Consensus and a way forward Benjamin Black
- Re: [Cfrg] Consensus and a way forward Watson Ladd
- Re: [Cfrg] Consensus and a way forward Joppe Bos
- Re: [Cfrg] Consensus and a way forward Hannes Tschofenig
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alyssa Rowan
- Re: [Cfrg] Consensus and a way forward Ilari Liusvaara
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Adam Langley
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alyssa Rowan
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Mike Hamburg
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alyssa Rowan
- Re: [Cfrg] Consensus and a way forward Paterson, Kenny
- Re: [Cfrg] Consensus and a way forward Paterson, Kenny
- Re: [Cfrg] Consensus and a way forward Paterson, Kenny
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Benjamin Black
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alexey Melnikov
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Michael Hamburg
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Benjamin Black
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alyssa Rowan
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Robert Ransom
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Adam Langley
- Re: [Cfrg] Consensus and a way forward Lochter, Manfred
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Ilari Liusvaara
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Robert Ransom
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Benjamin Black
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Watson Ladd
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Tony Arcieri
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Benjamin Black
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alyssa Rowan
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… D. J. Bernstein
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Robert Ransom
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Benjamin Black
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Watson Ladd
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Paterson, Kenny
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alyssa Rowan
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Watson Ladd
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Benjamin Black
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Robert Ransom
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Paul Hoffman
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alexey Melnikov
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Paterson, Kenny
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alexey Melnikov
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Watson Ladd
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Paterson, Kenny
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Harry Halpin
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Paul Hoffman
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Watson Ladd
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Tanja Lange
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Salz, Rich
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Tony Arcieri
- Re: [Cfrg] Mishandling twist attacks D. J. Bernstein
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Paterson, Kenny
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Tanja Lange
- Re: [Cfrg] Mishandling twist attacks Paterson, Kenny
- Re: [Cfrg] Mishandling twist attacks D. J. Bernstein
- Re: [Cfrg] Mishandling twist attacks Salz, Rich
- Re: [Cfrg] Mishandling twist attacks Stephen Farrell
- Re: [Cfrg] Mishandling twist attacks Adam Back