[curves] Point validation (was: Twist security for elliptic curves)

Trevor Perrin trevp at trevp.net
Sat Jun 20 15:42:11 PDT 2015


On Fri, Jun 19, 2015 at 2:20 PM, Michael Hamburg <mike at shiftleft.org> wrote:
>
>> On Jun 19, 2015, at 2:15 PM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> Still, is there an argument that point-validation is a good
>> "robustness principle", even with twist-secure curves?
>>
[...]
>
>
> I prefer to validate all points if there isn’t a big perf/complexity hit, because that way the protocol designer doesn’t have to take twist points into account.

Or small-order points.


>  But I still think curves should be selected as twist-secure if there isn’t a good reason to do otherwise.  Some people will prefer the 20-line Curve25519-style Montgomery ladder, and there’s very little cost to giving those folks security against non-DPA-equipped adversaries.

I'm not convinced point-validation is that useful with "SafeCurves" [1].

But as a thought experiment, suppose most implementations will do it
(i.e. check both point-on-curve and point-in-main-subgroup).  Would
that affect which curves people prefer?

I think it would reduce the efficiency and simplicity win for
single-coordinate ladders, since checking point-on-curve has similar
costs to decompression?  Also checking small-order points for
cofactor>1 is not that time-consuming but is annoying [2].  So the
efficiency and simplicity advantage of newer curve forms vs
Weierstrass would be reduced, but I think would still be there?

I also wonder how much this would argue for 3 mod 4 primes (easier
square roots?  "Decaf"?) but I'm not sure.


Trevor


[1] http://safecurves.cr.yp.to/twist.html
[2] http://cr.yp.to/ecdh.html#validate
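
As an added illustration (not part of the original message or of any implementation discussed in it), here are the two checks named above applied to a Curve25519 Montgomery u-coordinate: curve versus twist by Euler's criterion, and small order by three x-only doublings (cofactor 8). The function names are hypothetical, and the small-order test rejects inputs whose order divides 8 rather than proving membership in the prime-order subgroup.

```python
# Added example: validating a Curve25519 u-coordinate (function names are hypothetical).
P = 2**255 - 19        # field prime
A = 486662             # curve: v^2 = u^3 + A*u^2 + u
A24 = (A - 2) // 4     # 121665, the constant used in the RFC 7748 ladder step


def on_curve(u):
    """True if u belongs to a point on the curve, False if it belongs to the twist."""
    u %= P             # non-canonical encodings (u >= P) are reduced first
    rhs = (u * u * u + A * u * u + u) % P
    # Euler's criterion: rhs is a square iff rhs^((P-1)/2) is 0 or 1.
    # This is a single field exponentiation.
    return pow(rhs, (P - 1) // 2, P) in (0, 1)


def xdbl(x, z):
    """x-only projective doubling on the Montgomery curve (same formula on the twist)."""
    aa = (x + z) ** 2 % P
    bb = (x - z) ** 2 % P
    e = (aa - bb) % P                      # e = 4*x*z
    return aa * bb % P, e * (aa + A24 * e) % P


def has_small_order(u):
    """True if [8]P is the point at infinity, i.e. the order of P divides 8."""
    x, z = u % P, 1
    for _ in range(3):                     # cofactor 8 = 2^3, twist cofactor 4
        x, z = xdbl(x, z)
    return z == 0


def validate(u):
    """Classify a received u-coordinate before it is used in a ladder."""
    if has_small_order(u):
        return "reject: small order"
    if not on_curve(u):
        return "reject: twist"
    return "ok"


if __name__ == "__main__":
    # Constructed inputs: base point, order-2, order-4 on curve, order-4 on twist.
    for u in (9, 0, 1, P - 1):
        print(u if u < 10 else "P-1", on_curve(u), has_small_order(u), validate(u))
```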

