Re: [Crypto-panel] Fwd: Review of draft-ietf-lwig-curve-representations-00 by crypto review panel

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Mon, 26 November 2018 11:46 UTC

From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Mon, 26 Nov 2018 14:47:18 +0300
Message-ID: <CAMr0u6mD21wKNV+4hpXxivVUNBUbmMdwBjsgNUnu2tDFA=tDdw@mail.gmail.com>
To: crypto-panel@irtf.org
Cc: Alexey Melnikov <aamelnikov@fastmail.fm>, Alexey Melnikov <alexey.melnikov@isode.com>, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/1itH0lM9w0bZiADJXQkizr8JTiA>

Good afternoon,

Please find below the review of the document.

Of course, I'll be happy to discuss all questions raised in the review
directly via e-mail: smyshsv@gmail.com


Document: draft-ietf-lwig-curve-representations-00
Reviewer: Stanislav Smyshlyaev
Review Date: 2018-11-26
Summary: Revision needed

The document “Alternative Elliptic Curve Representations” contains
procedures and formulae for representing Montgomery curves and (twisted)
Edwards curves in short Weierstrass form.
The reviewer believes that the document is very helpful and can be used by
developers implementing ECC operations in real-world applications.
The reviewer has verified all decimal numbers (and hexadecimal numbers,
where they are provided in the draft) and does not have any concerns
besides the following ones.

Since some of the concerns seem to be important enough for the overall
document, the reviewer recommends sending an updated version of the draft
to the Crypto Review Panel for a new review.

The review was made for draft-ietf-lwig-curve-representations-00. During
the review process an updated version,
draft-ietf-lwig-curve-representations-01, was published; some comments
about the -01 version can be found at the end of this review.

Comments:
1) Section C.2: The mapping from Weierstrass curves to Montgomery curves is
not defined in the current version. The mapping from Weierstrass to
Montgomery usually cannot be described as briefly as the others, but maybe
it could still be useful here. For example, the root of x^3+ax+b in Fp could
be provided explicitly.
2) It would be better to stress in Appendix C.1 that the formulae provided
there do not allow obtaining the parameter a of the twisted Edwards curve
equal to 1 or -1. In Appendix D.2 an additional constant c is used to obtain
the curve with a equal to -1 (this fact, by the way, implies that the phrase
“Here, we used the mapping of Appendix C.1” is inaccurate).
2a) Section D.2: The formulae (u,v) -> (c*u/v, (u-1)/(u+1)) lead to an
error. It is not clear why it is needed to multiply by the constant c.
2b) Section D.3: The Montgomery curve Curve25519 doesn’t correspond to the
twisted Edwards curve Edwards25519 because (A+2)/B = (486662+2)/1 != -1.
2c) If one uses the formula from C.1 for Montgomery to Edwards mapping
(a:=(A+2)/B and d:=(A-2)/B), she obtains that d for Edwards25519 is equal
to 486660 but not the value of d which is provided in D.3.
3) Section E.1: The isomorphic mapping between W_{a,b} and W_{a',b'} should
be defined as a’:=a*s^4 and b’:=b*s^6, instead of a:=a'*s^4 and b:=b'*s^6.
Otherwise the mapping is defined incorrectly and the test vectors from F.3
are incorrect.
4) It seems that the formula for lambda in case Q:=2P for Montgomery curve
is wrong. According to http://hyperelliptic.org/EFD/g1p/auto-montgom.html
and to https://eprint.iacr.org/2017/212.pdf (page 4) it should be: lambda =
(3*x1^2 + 2*A*x1 + 1)/(2*B*y1). So you need to add “B” as a factor in the
denominator.
5) In Appendix D.2 it would be better to stress explicitly that we work
with projective coordinates; otherwise the formulae are not necessarily
correct.

Editorial comments:
a) It seems that the text will be easier to read if the formulae for the
group law are provided in the following form (for example, for Weierstrass):
   x = lambda^2 – x1 – x2
   y = lambda * ... (on a new line, joined with “and”)
   lambda = ... (again on a new line)
b) In the reviewer’s opinion, the text will be easier to read if different
symbols are used for the coordinates of the different forms of a curve. For
example, (x,y) for Weierstrass, (X,Y) for Montgomery and (u,v) for Edwards.
It would also be better to use the same symbols in different parts of the
document (now (u,v) is used for Montgomery in A.2 and (x,y) for Montgomery
in B.2).
c) The term “short Weierstrass form” is widely used in publications as is.
The draft, however, has two variants of it: “short” Weierstrass form and
short-Weierstrass form. It would be better to use one (commonly used)
variant.
d) The reviewer recommends using only “GF(p)” everywhere in the document
instead of “GF(q)” together with “GF(p)”. For example, C.1 now uses GF(q)
and D.1 uses GF(p).

Additional clarifications that might be useful:
The reviewer also believes that it will be useful to add clarifications in
D.2 on “can be implemented via integer-only arithmetic as a shift of
(p+A)/3 for the isomorphic mapping and a shift of -(p+A)/3 for its inverse”
regarding the need to use the mod operation in the transformation.

###### draft-ietf-lwig-curve-representations-01:

The concerns 1, 2, 2a, 2b, 2c, 4 and 5 for the -00 version are still valid
for version -01. Concern 3 has been addressed.
Additional question for draft-ietf-lwig-curve-representations-01:
Appendices C.1 and C.2 contain information about properties that help to
recover the y-coordinate of a multiple of a point when the Montgomery
ladder is used. This information may not be needed in the draft, since the
ladder itself is not described there.

Best regards,
Stanislav Smyshlyaev


Thu, 8 Nov 2018 at 07:53, Alexey Melnikov <aamelnikov@fastmail.fm>:

> On Tue, Nov 6, 2018, at 11:45 AM, Stanislav V. Smyshlyaev wrote:
>
> Dear Alexey,
>
> I’ll be happy to do it.
>
> Since there are many numbers to check, and since it’s much better to be
> done using independent implementations of elliptics, it will take some
> time.
>
> Will it be OK if I do it until the end of November?
>
> Thank you. I am sure this will not be a problem!
>
>
> Best regards,
> Stanislav
>
> Mon, 5 Nov 2018 at 17:42, Alexey Melnikov <aamelnikov@fastmail.fm>:
>
> Hi,
> Can one of Crypto Panel members review this document?
>
> Thank you,
> Alexey
>
> ----- Original message -----
> From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
> To: "aamelnikov@fastmail.fm" <aamelnikov@fastmail.fm>, Suresh Krishnan <
> Suresh@kaloom.com>, Zhen Cao <zhencao.ietf@gmail.com>
> Subject: Review of draft-ietf-lwig-curve-representations-00 by crypto
> review panel
> Date: Sun, 4 Nov 2018 08:26:08 +0000
>
> Hi Alexey,
>
> We spoke today about the need for getting more reviews on a LWIG
> document titled "Alternative Elliptic Curve Representations":
> https://tools.ietf.org/html/draft-ietf-lwig-curve-representations-00
>
> The draft describes how to implement Ed25519, Curve25519 and NIST P-256
> with the same underlying implementation. Phillip Hallam-Baker also
> recently requested this on the SAAG list:
> https://mailarchive.ietf.org/arch/msg/saag/QM80DmA-3iEBxlh_VU5B5wOQnnA.
>
> It would be great if someone from the crypto review panel could provide
> feedback on this draft. The draft is currently hosted in the LWIG
> working group and Zhen (in CC) is my co-chair, while Suresh (in CC) is
> the responsible area director.
>
> Rene will also present the draft on Wednesday in LWIG in room Meeting 2
> between 11:20-12:20.
>
> --Mohit
>
> _______________________________________________
> Crypto-panel mailing list
> Crypto-panel@irtf.org
> https://www.irtf.org/mailman/listinfo/crypto-panel
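The following is an added example, not part of the review above or of the draft it discusses: a small, self-contained Python script that checks the curve-mapping facts raised in comments 1, 2a-2c, 3 and 4 with plain modular arithmetic and no elliptic-curve library. The Montgomery/Weierstrass change of variables, the Weierstrass isomorphism with a' = a*s^4 and b' = b*s^6, the Montgomery doubling formula with B in the denominator, and the Montgomery-to-Edwards map with the scaling constant c are the standard textbook formulae; the Curve25519 and Ed25519 constants are the public ones from RFC 7748 and RFC 8032. The toy curve with p = 103, A = 6, B = 5 is constructed here only to exercise the B != 1 case and is not a standard curve.

```python
# Added example: independent checks of the curve-representation facts
# discussed in the review. Not code from the draft or its authors.

P25519 = 2**255 - 19
A25519, B25519 = 486662, 1          # Curve25519: B*v^2 = u^3 + A*u^2 + u (RFC 7748)


def inv(x, p):
    return pow(x, p - 2, p)


def sqrt_mod(n, p):
    """Square root mod p for p % 4 == 3 or p % 8 == 5 (covers 2^255-19); None if no root."""
    n %= p
    if p % 4 == 3:
        r = pow(n, (p + 1) // 4, p)
    elif p % 8 == 5:
        r = pow(n, (p + 3) // 8, p)
        if r * r % p != n:
            r = r * pow(2, (p - 1) // 4, p) % p   # multiply by sqrt(-1)
    else:
        raise ValueError("unsupported prime shape")
    return r if r * r % p == n else None


def on_montgomery(u, v, A, B, p):
    return (B * v * v - (u**3 + A * u * u + u)) % p == 0


def on_weierstrass(x, y, a, b, p):
    return (y * y - (x**3 + a * x + b)) % p == 0


def on_edwards(x, y, a, d, p):
    return (a * x * x + y * y - 1 - d * x * x * y * y) % p == 0


# Comment 4: doubling on B*v^2 = u^3 + A*u^2 + u needs B in the denominator of lambda.
def mont_double(u, v, A, B, p, with_B=True):
    den = 2 * v * (B if with_B else 1)
    lam = (3 * u * u + 2 * A * u + 1) * inv(den, p) % p
    u3 = (B * lam * lam - A - 2 * u) % p
    v3 = (lam * (u - u3) - v) % p
    return u3, v3


# Comment 1: Montgomery <-> short Weierstrass via u = B*x - A/3, v = B*y.
def mont_to_weier_params(A, B, p):
    a = (3 - A * A) * inv(3 * B * B, p) % p
    b = (2 * A**3 - 9 * A) * inv(27 * B**3, p) % p
    return a, b


def mont_to_weier_point(u, v, A, B, p):
    return (u + A * inv(3, p)) * inv(B, p) % p, v * inv(B, p) % p


def weier_to_mont_point(x, y, A, B, p):
    return (B * x - A * inv(3, p)) % p, B * y % p


def weier_double(x, y, a, p):
    lam = (3 * x * x + a) * inv(2 * y, p) % p
    x3 = (lam * lam - 2 * x) % p
    return x3, (lam * (x - x3) - y) % p


# Comment 3: (x, y) -> (s^2*x, s^3*y) maps W_{a,b} onto W_{a*s^4, b*s^6}.
def weier_iso(x, y, a, b, s, p):
    return (s * s * x % p, s**3 * y % p), (a * s**4 % p, b * s**6 % p)


# Comments 2, 2a-2c: (u, v) -> (c*u/v, (u-1)/(u+1)). With c = 1 the Edwards curve has
# a = (A+2)/B, d = (A-2)/B; scaling by c with c^2 = -(A+2)/B turns a into -1.
def mont_to_edwards(u, v, A, B, p, c=1):
    a = (A + 2) * inv(B, p) % p
    d = (A - 2) * inv(B, p) % p
    x, y = c * u * inv(v, p) % p, (u - 1) * inv(u + 1, p) % p
    c2 = c * c % p
    return (x, y), (a * inv(c2, p) % p, d * inv(c2, p) % p)


def find_point(A, B, p):
    """First affine point with v != 0 on the Montgomery curve (brute force, toy sizes only)."""
    for u in range(1, p):
        v = sqrt_mod((u**3 + A * u * u + u) * inv(B, p), p)
        if v:
            return u, v


def check_small_curve(p=103, A=6, B=5, s=7):
    """Constructed toy curve with B != 1; every value must be True."""
    u, v = find_point(A, B, p)
    a, b = mont_to_weier_params(A, B, p)
    x, y = mont_to_weier_point(u, v, A, B, p)
    via_w = weier_to_mont_point(*weier_double(x, y, a, p), A, B, p)   # double in W, map back
    good, bad = mont_double(u, v, A, B, p), mont_double(u, v, A, B, p, with_B=False)
    (xs, ys), (a2, b2) = weier_iso(x, y, a, b, s, p)
    return {"w_image_on_curve": on_weierstrass(x, y, a, b, p),
            "double_matches_weierstrass": good == via_w,
            "double_on_curve": on_montgomery(*good, A, B, p),
            "dropping_B_changes_result": bad != good,
            "iso_image_on_curve": on_weierstrass(xs, ys, a2, b2, p)}


def check_curve25519_to_ed25519():
    """Base point u = 9 of Curve25519 mapped to Edwards25519; every value must be True."""
    p, A, B = P25519, A25519, B25519
    v = sqrt_mod(9**3 + A * 81 + 9, p)
    c = sqrt_mod(-(A + 2) * inv(B, p), p)                # sqrt(-486664)
    (x, y), (a, d) = mont_to_edwards(9, v, A, B, p, c)
    (x1, y1), (a1, d1) = mont_to_edwards(9, v, A, B, p)   # no scaling constant
    d_ed25519 = -121665 * inv(121666, p) % p              # RFC 8032 value of d
    return {"a_is_minus_one": a == p - 1,
            "d_matches_rfc8032": d == d_ed25519,
            "y_is_4_over_5": y == 4 * inv(5, p) % p,
            "scaled_point_on_ed25519": on_edwards(x, y, p - 1, d_ed25519, p),
            "unscaled_a_d_are_486664_486660": (a1, d1) == (486664, 486660),
            "unscaled_point_not_on_ed25519": not on_edwards(x1, y1, p - 1, d_ed25519, p)}


if __name__ == "__main__":
    print(check_small_curve())
    print(check_curve25519_to_ed25519())
```

The two check functions return a dictionary of named booleans so that a failing claim is visible by name; on the toy curve the doubling result computed directly with the Montgomery formula agrees with doubling on the isomorphic Weierstrass curve only when B is kept in the denominator, and on Curve25519 the point reaches the a = -1, d = -121665/121666 curve only after scaling the x-coordinate by c.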