Re: [Cfrg] Curve25519 specification, test vectors, etc.
David McGrew <mcgrew@cisco.com> Mon, 03 March 2014 09:31 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13DB61A0D4E for <cfrg@ietfa.amsl.com>; Mon, 3 Mar 2014 01:31:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.926
X-Spam-Level:
X-Spam-Status: No, score=-13.926 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001, URI_HEX=1.122, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jt_R1gilc0uf for <cfrg@ietfa.amsl.com>; Mon, 3 Mar 2014 01:31:33 -0800 (PST)
Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id 00F6A1A0056 for <cfrg@irtf.org>; Mon, 3 Mar 2014 01:31:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4013; q=dns/txt; s=iport; t=1393839090; x=1395048690; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=3mVe/gMTf1XncbI2ZLwo/vZxUfDJanrPMch3Rq5Re68=; b=d8twKieKt3KgHDmwnBm0qYJ3QbqxKmF5a+MtuXRe7aPmaF0cMdBRnk5E nH9DdOoRWneXpFzy0im/iw34MyrhjWc/4Kd9xMcMpx/iXRbYdk3JkoP6U fI/vs0m47qKgfywcxQTRN83hS8xQtrEqW/HbTbqDfYjh4G9DIOxUWKTrC o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgcFANpKFFOrRDoI/2dsb2JhbABagwY7vTCDdYEeFnSCJQEBAQICOEABEAsYCRYPCQMCAQIBRQYBDAEFAgKHdA7MLxeOWQeEOAEDiUuKQoQvgTKFGIthg0se
X-IronPort-AV: E=Sophos;i="4.97,576,1389744000"; d="scan'208";a="107495573"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-2.cisco.com with ESMTP; 03 Mar 2014 09:31:30 +0000
Received: from [10.0.2.15] (sjc-vpn5-1074.cisco.com [10.21.92.50]) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id s239VSQL014514; Mon, 3 Mar 2014 09:31:29 GMT
Message-ID: <53144BEF.7090407@cisco.com>
Date: Mon, 03 Mar 2014 04:31:27 -0500
From: David McGrew <mcgrew@cisco.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130922 Icedove/17.0.9
MIME-Version: 1.0
To: "D. J. Bernstein" <djb@cr.yp.to>, cfrg@irtf.org
References: <20140303075807.19923.qmail@cr.yp.to>
In-Reply-To: <20140303075807.19923.qmail@cr.yp.to>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/abAwMDFnI1BqKxK8uD4ADTkY7dU
Subject: Re: [Cfrg] Curve25519 specification, test vectors, etc.
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 09:31:35 -0000
Hi Dan, forwarding your note to the list to make sure that it doesn't get dropped by the system. (Still not sure what the issue is.) David On 03/03/2014 02:58 AM, D. J. Bernstein wrote: > Apparently there's some interest in specifying protocols that use > Curve25519 for DH, especially for forward secrecy. Five years ago I > wrote a 45-page document > > http://cr.yp.to/highspeed/naclcrypto-20090310.pdf > > with a complete specification of NaCl's default mechanism for public-key > authenticated encryption, including > > * a specification of Curve25519 secret keys and the corresponding > public keys (serialized as sequences of bytes); > > * a specification of Curve25519 shared secrets; > > * an example of two secret keys, two public keys, and the shared > secret, with three independent implementations (C code using NaCl; > Sage script using Sage's elliptic-curve functions; self-contained > Python script); > > * a specification of secret-key authentication and encryption using > Poly1305 and Salsa20; > > * an example of secret-key authentication and encryption, with two > independent implementations (Salsa20: C code using NaCl, and > self-contained Python script; Poly1305: C code using NaCl, and C++ > code using GMP); and > > * extensive security notes. > > There are also many different tests in the SUPERCOP benchmarking suite > (http://bench.cr.yp.to/supercop.html), and in NaCl itself. > > Let me also mention three items that _aren't_ in this document: > > 1. ChaCha20. One can of course imagine a similar document that > replaces Salsa20 with ChaCha20, if that's of interest. > > 2. Implementation advice. In particular, this specification does not > explain how to build high-performance constant-time Curve25519 > software. Readers interested in this topic will have to study > various papers and several freely available interoperable > high-performance constant-time Curve25519 implementations. > > It seems to me that, out of all the deployed implementations of > existing IETF cryptographic specifications, very close to 0% are > constant-time software, and precisely 0% are high-performance > constant-time software. It also seems to me that there's very > little useful advice in IETF specifications on achieving high > performance for cryptography (beyond bad advice such as limiting > DNSSEC RSA keys to 1024 bits), and essentially no advice in IETF > specifications on constant-time cryptographic software. It would > be strange for a higher-security specification to be delayed on > the grounds that the specification doesn't include such advice. > > I do think that it's important for users to stick to constant-time > cryptographic software, and I do think that the ease of building > such software should be weighed heavily in selecting cryptographic > primitives and protocols, but I also think that state-of-the-art > implementation details should be covered separately from the > specifications that are needed for interoperability. > > 3. The Ed25519 signature system. This system isn't in NaCl yet (code > review still ongoing) but is fully defined in Section 2 of the > Ed25519 paper, available for free from the Ed25519 web site: > > http://ed25519.cr.yp.to/papers.html > > There is also a self-contained Python implementation of Ed25519, > including extensive test vectors: > > http://ed25519.cr.yp.to/software.html > > SUPERCOP also contains various Ed25519 tests. > > Btw, every message I've sent to cfrg@irtf.org, including my first > attempt to send this one a month ago, have been disappearing without a > trace, despite David's attempts to diagnose and fix. > > ---Dan > . >
- Re: [Cfrg] Curve25519 specification, test vectors… David McGrew
- Re: [Cfrg] Curve25519 specification, test vectors… CodesInChaos