Re: [Cfrg] CFRG Curves document fixes

Mike Hamburg <mike@shiftleft.org> Tue, 12 May 2015 17:27 UTC

Message-ID: <5552380C.7080804@shiftleft.org>
Date: Tue, 12 May 2015 10:27:40 -0700
From: Mike Hamburg <mike@shiftleft.org>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Thomas DuBuisson <thomas.dubuisson@gmail.com>
References: <CAOk36JgLquvp55NoqOE=rSfcjLXt6d8r0RmbsmWzv+S4dSM1ig@mail.gmail.com> <20150512051402.GA16528@LK-Perkele-VII>
In-Reply-To: <20150512051402.GA16528@LK-Perkele-VII>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/lHIGwva2Bs477RR35Btf4ZAXWh8>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] CFRG Curves document fixes
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>

I dunno how I managed to typo this, since I was doing it in SAGE. Do you get

07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282b
b60c0b56fd2464c335543936521c24403085d59a449a5037514a879d

Cheers,
-- Mike

On 05/11/2015 10:14 PM, Ilari Liusvaara wrote:
> On Mon, May 11, 2015 at 05:37:01PM -0700, Thomas DuBuisson wrote:
>> All,
>>
>> I have produced an executable (Cryptol) specification of the Turner
>> draft and now the cfrg-curves document.  In doing so I believe I have
>> found a bug; the division optimization is only valid for 25519, if I
>> understand correctly.  The offending text:
>>
>> ```
>> Return x_2 * (z_2^(p - 2))
>> ```
>>
>> appears as field division in my reference implementation.
> I think the formula above is correct for all GF(p) (except for producing
> 0 for 0, which is actually desirable to handle z=0 right).
>
>> As a matter of full disclosure: my specification "passes the tests" in
>> that the Curve25519 passes 7.1 and 8.X while 448 passes section 7.1
>> vectors but not 8.X (ECDH).  I will investigate the failure when time
>> allows, though if someone wishes to confirm this KAT is correct I
>> certainly would not object.
> I tried running through KAT with my own implementation:
> - [PASS] KAT Curve25519 DHF #1
> - [PASS] KAT Curve25519 DHF #2
> - [PASS] KAT Curve25519 ECDH Alice public
> - [PASS] KAT Curve25519 ECDH Bob public
> - [PASS]     Curve25519 ECDH consistency[1]
> - [PASS] KAT Curve25519 ECDH Shared secret
> - [PASS] KAT Curve448 DHF #1
> - [PASS] KAT Curve448 DHF #2
> - [PASS] KAT Curve448 ECDH Alice public
> - [PASS] KAT Curve448 ECDH Bob public
> - [PASS]     Curve448 ECDH consistency[1]
> - [FAIL] KAT Curve448 ECDH Shared secret
>
> Was that KAT Curve448 ECDH Shared secret the KAT you saw failing?
> Any others failed for you?
>
>
> [1] Where ECDH consistency means the consistency conditions:
> - DHF(a, G) = DHF_base(a)
> - DHF(b, G) = DHF_base(b)
> - DHF(a, B) = DHF(b, A)
>
> (My implementation does have different faster algorithm for standard
> basepoint).
>
>
> -Ilari
>
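An added example, not code from this thread or from the cfrg-curves draft: a Python Montgomery ladder for X25519 and X448 written to the RFC 7748 algorithm (the successor of the draft under discussion), ending in the `x_2 * z_2^(p-2)` step Thomas quoted, used to check that this step is ordinary field division in any GF(p) and to run the `DHF(a, B) = DHF(b, A)` consistency condition from Ilari's footnote. The function names `dhf`, `dhf_base` and `ecdh_consistent` are my own and follow the thread's notation.

```python
# Added example, not code from the thread or the draft: an RFC 7748-style X25519/X448
# ladder with the quoted "x_2 * z_2^(p-2)" finish, used to check that finish is plain
# field division in any GF(p) and to run Ilari's DHF(a, B) = DHF(b, A) condition.
CURVES = {  # name: (p, a24, scalar bits, basepoint u, encoded byte length)
    "X25519": (2**255 - 19, 121665, 255, 9, 32),
    "X448": (2**448 - 2**224 - 1, 39081, 448, 5, 56),
}

def decode_scalar(k: bytes, bits: int) -> int:
    """Clamp a private key as RFC 7748 does, then read it little-endian."""
    k = bytearray(k)
    if bits == 255:
        k[0] &= 248; k[31] &= 127; k[31] |= 64
    else:
        k[0] &= 252; k[55] |= 128
    return int.from_bytes(k, "little")

def x_ladder(k: int, u: int, p: int, a24: int, bits: int) -> int:
    """Montgomery ladder on u; the swap is a plain branch for readability only."""
    x_1, x_2, z_2, x_3, z_3, swap = u, 1, 0, u, 1, 0
    for t in reversed(range(bits)):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:  # a real implementation uses a constant-time cswap here
            x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
        swap = k_t
        A, B = (x_2 + z_2) % p, (x_2 - z_2) % p
        AA, BB = A * A % p, B * B % p
        E = (AA - BB) % p
        DA, CB = (x_3 - z_3) * A % p, (x_3 + z_3) * B % p
        x_3, z_3 = (DA + CB) ** 2 % p, x_1 * (DA - CB) ** 2 % p
        x_2, z_2 = AA * BB % p, E * (AA + a24 * E) % p
    if swap:
        x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
    # The quoted finish: Fermat inversion, valid for every prime p, and z_2 = 0 -> 0.
    return x_2 * pow(z_2, p - 2, p) % p

def dhf(name: str, k: bytes, u: bytes) -> bytes:
    p, a24, bits, _, n = CURVES[name]
    u_int = int.from_bytes(u, "little") & ((1 << bits) - 1)  # X25519 drops bit 255
    return x_ladder(decode_scalar(k, bits), u_int % p, p, a24, bits).to_bytes(n, "little")
def dhf_base(name: str, k: bytes) -> bytes:
    _, _, _, g, n = CURVES[name]
    return dhf(name, k, g.to_bytes(n, "little"))
def ecdh_consistent(name: str, a: bytes, b: bytes) -> bool:
    """Ilari's third condition: DHF(a, B) = DHF(b, A) with A, B the public values."""
    return dhf(name, a, dhf_base(name, b)) == dhf(name, b, dhf_base(name, a))
def fermat_inverse_is_division(p: int, z: int) -> bool:
    """z^(p-2) is the true inverse of z != 0 in GF(p), and maps z = 0 to 0."""
    return pow(z % p, p - 2, p) == (pow(z, -1, p) if z % p else 0)
```

The all-zero `u` input is the case the thread mentions: it drives `z_2` to 0, and the Fermat finish returns 0 instead of raising a division error.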