[Lwip] Fwd: Review of draft-ietf-lwig-curve-representations-00 by crypto review panel

Mohit Sethi M <mohit.m.sethi@ericsson.com> Tue, 11 December 2018 12:46 UTC

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: "lwip@ietf.org" <lwip@ietf.org>, Rene Struik <rstruik.ext@gmail.com>, "smyshsv@gmail.com" <smyshsv@gmail.com>
Date: Tue, 11 Dec 2018 12:46:38 +0000
Message-ID: <a5a0a5cb-ca94-f8e6-d079-0108f43f0f77@ericsson.com>
In-Reply-To: <CAMr0u6=jnk1EMpE3nyYf_4uXmHPHFakek0AXG=+b7L+zfJD2GA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lwip/2ZYsS9u8tOytMsgMXF_xjdJTt7U>
List-Id: "Lightweight IP stack. Official mailing list for IETF LWIG Working Group." <lwip.ietf.org>

Hi all,

We have received the following detailed review of draft-ietf-lwig-curve-representations from Stanislav Smyshlyaev on behalf of the Crypto Review Panel.

Thank you Stanislav for the excellent review. It would be great if the authors can address his feedback and submit a new version.

Please feel free to chime in if you have any additional feedback on this document at this stage.

Zhen and Mohit


-------- Forwarded Message --------
Subject:        Review of draft-ietf-lwig-curve-representations-00 by crypto review panel
Date:   Tue, 11 Dec 2018 07:50:11 +0200
From:   Stanislav V. Smyshlyaev <smyshsv@gmail.com>
To:     Mohit Sethi M <mohit.m.sethi@ericsson.com>, Suresh@kaloom.com, zhencao.ietf@gmail.com, Alexey Melnikov <aamelnikov@fastmail.fm>


Good afternoon,

Please find below the review of the document made on behalf of Crypto Review Panel.

I'll be happy to discuss all questions raised in the review directly via e-mail: smyshsv@gmail.com


Document: draft-ietf-lwig-curve-representations-00
Reviewer: Stanislav Smyshlyaev
Review Date: 2018-11-26
Summary: Revision needed

The document “Alternative Elliptic Curve Representations” contains procedures and formulae of representing Montgomery curves and (twisted) Edwards curves in short Weierstrass form.
The reviewer believes that the document is very helpful and can be used by developers implementing ECC operations in real-world applications.
The reviewer has verified all decimal numbers (and hexadecimal numbers, where they are provided in the draft) and does not have any concerns besides the following ones.

Since some of the concerns seem to be important enough for the overall document, the reviewer recommends sending an updated version of the draft to the Crypto Review Panel for a new review.

The review was made for draft-ietf-lwig-curve-representations-00. During the review process an updated version, draft-ietf-lwig-curve-representations-01, was published; some comments about the -01 version can be found at the end of the current review.

Comments:
1) Section C.2: The mapping from Weierstrass curves to Montgomery curves is not defined in the current version. The mapping from Weierstrass to Montgomery cannot usually be described as briefly as the others, but maybe it could still be useful here. For example, the root of x^3+ax+b in Fp could be provided explicitly.
2) It would be better to stress in Appendix C.1 that the formulae provided there do not allow one to obtain the parameter a of the twisted Edwards curve equal to 1 or -1. In Appendix D.2 an additional constant c is used that helps to obtain the curve with a equal to -1 (this fact, by the way, implies that the phrase “Here, we used the mapping of Appendix C.1” is inaccurate).
2a) Section D.2: The formulae (u,v) -> (c*u/v, (u-1)/(u+1)) lead to an error. It is not clear why it is needed to multiply by the constant c.
2b) Section D.3: The Montgomery curve Curve25519 doesn’t correspond to Twisted Edwards curve Edwards25519 because of (A+2)/B = (486662+2)/1 != -1.
2c) If one uses the formula from C.1 for Montgomery to Edwards mapping (a:=(A+2)/B and d:=(A-2)/B), she obtains that d for Edwards25519 is equal to 486660 but not the value of d which is provided in D.3.
3) Section E.1: The isomorphic mapping between W_{a,b} and W_{a',b'} should be defined as a’:=a*s^4 and b’:=b*s^6, instead of a:=a'*s^4 and b:=b'*s^6. Otherwise the mapping is defined incorrectly and the test vectors from F.3 are incorrect.
4) It seems that the formula for lambda in case Q:=2P for Montgomery curve is wrong. According to http://hyperelliptic.org/EFD/g1p/auto-montgom.html and to https://eprint.iacr.org/2017/212.pdf (page 4) it should be: lambda = (3*x1^2 + 2*A*x1 + 1)/(2*B*y1). So you need to add “B” as a factor in the denominator.
5) In Appendix D.2 it would be better to stress explicitly that we work with projective coordinates; otherwise the formulae are not necessarily correct.

Editorial comments:
a) It seems that the text will be easier to read if the formulae for the group law are provided in the following form (for example, for Weierstrass):
   x = lambda^2 - x1 - x2
   y = lambda * ... (at a new line, but with “and”)
   lambda = ... (again at a new line)
b) In the reviewer’s opinion, the text will be easier to read if different symbols for the coordinates of the different forms of a curve are used. For example, (x,y) for Weierstrass, (X,Y) for Montgomery and (u,v) for Edwards. And it would be better to use the same symbols in different parts of the document (now (u,v) is used for Montgomery in A.2 and (x,y) for Montgomery in B.2).
c) The term “short Weierstrass form” is widely used in publications as is. The draft, however, has two variants of it – “short” Weierstrass form and short-Weierstrass form. It seems that one (commonly used) variant would be better to use.
d) The reviewer recommends using only “GF(p)” everywhere in the document instead of “GF(q)” together with “GF(p)”. For example, now it is GF(q) in C.1 and GF(p) in D.1.

Additional clarifications might be useful:
Also, the reviewer believes that it would be useful to add clarifications in D.2 on “can be implemented via integer-only arithmetic as a shift of (p+A)/3 for the isomorphic mapping and a shift of -(p+A)/3 for its inverse” regarding the need to use the mod operation in the transformation.

###### draft-ietf-lwig-curve-representations-01:

The concerns 1, 2, 2a, 2b, 2c, 4 and 5 for 00 version are still valid for version -01. The concern 3 has been addressed.
Additional question for draft-ietf-lwig-curve-representations-01: appendices C.1 and C.2 contain information about properties that help to recover y-coordinates of a multiple point if one uses Montgomery ladder. This information may not be needed in the draft, since the ladder itself is not described there.


Best regards,
Stanislav Smyshlyaev
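The following Python script is an added example; it is neither part of the draft nor of the review above. It checks numerically, over GF(p), the formula points the review raises: the Appendix C.1 Montgomery-to-twisted-Edwards map and the scaling constant c that Appendix D.2 needs to reach a = -1 (comments 2, 2a, 2b, 2c), the Montgomery doubling slope with B in the denominator (comment 4), and the Weierstrass isomorphism a' = a*s^4, b' = b*s^6 (comment 3). The Curve25519 and Edwards25519 constants are the public ones from RFC 7748 and RFC 8032; the small curve 3*v^2 = u^3 + 5*u^2 + u over GF(1009) (chosen so that B != 1) and the Weierstrass curve y^2 = x^3 + 5x - 2 with its point (1,2) are constructed for this example only, as are all function names.

```python
# Added example (not from the draft or the review): checks, over GF(p), of the
# formula corrections the review discusses.  Curve25519/Edwards25519 constants
# are those of RFC 7748 / RFC 8032; the B != 1 curve over GF(1009) and the
# Weierstrass curve y^2 = x^3 + 5x - 2 are constructed for this example.

P25519 = 2**255 - 19
A25519, B25519 = 486662, 1                                  # B*v^2 = u^3 + A*u^2 + u
D25519 = (-121665 * pow(121666, -1, P25519)) % P25519       # Edwards25519 d, a = -1


def sqrt_mod(n, p):
    """Square root mod p: the p = 5 (mod 8) method for Curve25519, brute force
    for the tiny prime used below.  Returns None for a non-residue."""
    n %= p
    if p % 8 == 5:
        r = pow(n, (p + 3) // 8, p)
        if (r * r - n) % p:
            r = r * pow(2, (p - 1) // 4, p) % p             # multiply by sqrt(-1)
        return r if (r * r - n) % p == 0 else None
    return next((r for r in range(p) if (r * r - n) % p == 0), None)


def on_montgomery(u, v, A, B, p):
    return (B * v * v - (u**3 + A * u * u + u)) % p == 0


def on_edwards(x, y, a, d, p):
    return (a * x * x + y * y - 1 - d * x * x * y * y) % p == 0


def on_weierstrass(x, y, a, b, p):
    return (y * y - (x**3 + a * x + b)) % p == 0


def montgomery_to_edwards(u, v, A, B, p, scale=False):
    """Appendix C.1: (u,v) -> (u/v, (u-1)/(u+1)) lands on a*x^2 + y^2 = 1 + d*x^2*y^2
    with a = (A+2)/B, d = (A-2)/B.  scale=True multiplies x by c = sqrt(-a) (the
    extra constant of Appendix D.2 and of RFC 7748 section 4.1), which turns a into
    -1 and d into -d/a = -(A-2)/(A+2): Edwards25519 when starting from Curve25519."""
    a, d = (A + 2) * pow(B, -1, p) % p, (A - 2) * pow(B, -1, p) % p
    x, y = u * pow(v, -1, p) % p, (u - 1) * pow(u + 1, -1, p) % p
    if scale:
        x = sqrt_mod(-a, p) * x % p
        a, d = p - 1, -d * pow(a, -1, p) % p
    return x, y, a, d


def edwards_add(p1, p2, a, d, p):
    """Affine group law on a*x^2 + y^2 = 1 + d*x^2*y^2 (used here for doubling)."""
    (x1, y1), (x2, y2) = p1, p2
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 - a * x1 * x2) * pow(1 - t, -1, p) % p
    return x3, y3


def montgomery_double(u, v, A, B, p, with_B=True):
    """Affine doubling on B*v^2 = u^3 + A*u^2 + u with lambda = (3u^2 + 2Au + 1)/(2Bv).
    with_B=False drops the B factor (the slope the review flags) to show its effect."""
    lam = (3 * u * u + 2 * A * u + 1) * pow(2 * (B if with_B else 1) * v, -1, p) % p
    u3 = (B * lam * lam - A - 2 * u) % p
    return u3, (lam * (u - u3) - v) % p


def weierstrass_iso(x, y, a, b, s, p):
    """W_{a,b} -> W_{a',b'}: (x,y) -> (s^2*x, s^3*y) with a' = a*s^4, b' = b*s^6."""
    return s * s * x % p, s**3 * y % p, a * pow(s, 4, p) % p, b * pow(s, 6, p) % p


def run_checks():
    p, A, B = P25519, A25519, B25519
    u = 9
    v = sqrt_mod(u**3 + A * u * u + u, p)                    # Curve25519 base point
    x0, y0, a0, d0 = montgomery_to_edwards(u, v, A, B, p)    # unscaled map: 2b/2c
    x1, y1, a1, d1 = montgomery_to_edwards(u, v, A, B, p, scale=True)   # with c: 2a
    u2, v2 = montgomery_double(u, v, A, B, p)                # comment 4 (B = 1 here)
    x2, y2 = montgomery_to_edwards(u2, v2, A, B, p, scale=True)[:2]
    # comment 4 with B != 1: every point with v != 0 on 3*v^2 = u^3 + 5*u^2 + u mod 1009
    q, As, Bs = 1009, 5, 3
    pts = [(us, vs) for us in range(q)
           for vs in [sqrt_mod((us**3 + As * us * us + us) * pow(Bs, -1, q), q)] if vs]
    good = [on_montgomery(*montgomery_double(us, vs, As, Bs, q), As, Bs, q) for us, vs in pts]
    bad = [on_montgomery(*montgomery_double(us, vs, As, Bs, q, False), As, Bs, q) for us, vs in pts]
    # comment 3: (1,2) lies on y^2 = x^3 + 5x - 2; push it through s = 3 both ways
    xs, ys, as_, bs_ = weierstrass_iso(1, 2, 5, -2, 3, p)
    return {
        "unscaled_on_C1_curve": on_edwards(x0, y0, a0, d0, p),
        "unscaled_a_d": (a0, d0),                            # (486664, 486660): a != -1
        "scaled_a_d_is_edwards25519": (a1, d1) == (p - 1, D25519),
        "scaled_on_edwards25519": on_edwards(x1, y1, p - 1, D25519, p),
        "base_y_is_4_over_5": y1 == 4 * pow(5, -1, p) % p,
        "doubling_matches_edwards": (x2, y2) == edwards_add((x1, y1), (x1, y1), p - 1, D25519, p),
        "small_curve_points": len(pts),
        "doubling_with_B_on_curve": all(good),
        "doubling_without_B_off_curve": sum(bad) < len(bad) // 2,
        "iso_a_s4_b_s6_on_curve": on_weierstrass(xs, ys, as_, bs_, p),
        "iso_a_over_s4_off_curve": not on_weierstrass(xs, ys, 5 * pow(81, -1, p), -2 * pow(729, -1, p), p),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

Running the script confirms the review's arithmetic: the unscaled C.1 map sends the Curve25519 base point onto the curve with a = 486664 and d = 486660 rather than onto Edwards25519, multiplying x by c = sqrt(-486664) lands it on Edwards25519 with y = 4/5, doubling with the 2Bv denominator commutes with doubling on the Edwards side and stays on the B = 3 curve for every point, while the slope without B leaves that curve, and only a' = a*s^4, b' = b*s^6 keeps the image of (1,2) on the target Weierstrass curve.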