[curves] FourQ

Watson Ladd watsonbladd at gmail.com
Fri Sep 18 05:10:47 PDT 2015

On Sat, Sep 12, 2015 at 6:33 PM, Trevor Perrin <trevp at trevp.net> wrote:
> There's an updated paper and new code for MSR's FourQ curve:
> http://eprint.iacr.org/2015/565
> http://research.microsoft.com/en-us/projects/fourqlib/
> I tossed the numbers into the spreadsheet at [1], but the paper has a
> better performance analysis across several platforms.
> What do people think?
> Without using the endomorphisms the performance is better than 25519,
> and then endomorphisms are close to a 2x speedup.  And if unencumbered
> use of the endomorphisms is just ~4 years away [2], that's not that
> long, in the scheme of things.

The FourQ paper insists that rejecting invalid points is a viable
implementation strategy that provides compatibility with existing
software. Recently teams have independently rediscovered (or perhaps
just republicized) vulnerabilities in Bouncycastle version 1.50 that
stemmed from not validating points.

It may be true that their software properly handles all inputs, and
carefully documents what callers must do to get the claimed security.
But in practice we know that reimplementation frequently happens, and
that these reimplementations frequently contain issues around point
validation. When callers are asked to apply nontrivial amounts of
care, they often fail.

This is an issue for Kummer surfaces also, but there we do not know
how to attack invalid points.

> Trevor
> [1] https://docs.google.com/spreadsheets/d/1SO3NGX-EgIZ1slw9uExb5FoeFy5TVkuA2lEutP6roYI/edit#gid=0
> [2] https://moderncrypto.org/mail-archive/curves/2014/000133.html

"Man is born free, but everywhere he is in chains".
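The two checks the discussion above expects callers to perform on a received point (on-curve membership and prime-order-subgroup membership), as an added example that is not code from this post, from FourQLib or from Bouncycastle. It uses Ed25519's public constants rather than FourQ's, since the latter are not on this page; the constructed low-order point shows why the curve equation alone is not enough.

```python
# Added example: point validation on a twisted Edwards curve (Ed25519 constants).
# Not FourQLib or Bouncycastle code; FourQ needs the same checks with its own d and L.
P = 2**255 - 19
D = (-121665 * pow(121666, -1, P)) % P             # a = -1, d = -121665/121666
L = 2**252 + 27742317777372353535851937790883648493  # order of the prime subgroup
IDENTITY = (0, 1)

def on_curve(pt):
    """Check 1: coordinates are reduced and satisfy -x^2 + y^2 = 1 + d x^2 y^2."""
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (-x*x + y*y - 1 - D*x*x*y*y) % P == 0

def add(p1, p2):
    # Complete affine addition law; only used on points already known to be on the curve.
    (x1, y1), (x2, y2) = p1, p2
    t = D*x1*x2*y1*y2
    x3 = (x1*y2 + x2*y1) * pow(1 + t, -1, P)
    y3 = (y1*y2 + x1*x2) * pow(1 - t, -1, P)
    return (x3 % P, y3 % P)

def scalar_mult(k, pt):
    result, addend = IDENTITY, pt          # plain double-and-add, not constant time
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def validate_point(pt):
    """Reject off-curve points, the identity, and points outside the prime-order
    subgroup (the cofactor torsion that invalid-point attacks rely on)."""
    if not on_curve(pt) or pt == IDENTITY:
        return False
    return scalar_mult(L, pt) == IDENTITY  # Check 2: [L]P must be the identity

def recover_x(y):
    # Square root of (y^2 - 1)/(d y^2 + 1) for p = 5 (mod 8); either root will do here.
    u = (y*y - 1) * pow(D*y*y + 1, -1, P) % P
    x = pow(u, (P + 3) // 8, P)
    if (x*x - u) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return x

Y_BASE = 4 * pow(5, -1, P) % P
BASE = (recover_x(Y_BASE), Y_BASE)  # the standard generator (or its negation)
LOW_ORDER = (0, P - 1)              # constructed: on the curve, but of order 2
```

`on_curve(LOW_ORDER)` is true while `validate_point(LOW_ORDER)` is false, which is exactly the gap a curve-equation-only check leaves open.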
