[HN Gopher] An Illustrated Guide to Elliptic Curve Cryptography ... ___________________________________________________________________ An Illustrated Guide to Elliptic Curve Cryptography Validation Author : alanfranz Score : 62 points Date : 2021-11-30 20:45 UTC (2 hours ago) (HTM) web link (research.nccgroup.com) (TXT) w3m dump (research.nccgroup.com) | dan-robertson wrote: | I was worried this would be a silly visualisation where you draw | an elliptic curve and talk about tangents, which maybe describes | an elliptic curve group, but not the right one, and it doesn't | really give any intuition about what ECC is. | | But this article is not that at all, and I like that. | loup-vaillant wrote: | Excellent essay, highly recommended. | | > _With the popularity of Curve25519 and the desire for | cryptographers to design more exotic protocols with it, the | cofactor value of 8 resurfaced as a potential source of problems. | Ristretto was designed as a solution to the cofactor pitfalls._ | | I'm a bit two face about this: on the one hand, if you don't want | to think and just want a prime order group to work with, | Ristretto is a Blessing from the Heavens: fast validation, fast | curve operations (thanks to the underlying curve), and no pesky | cofactor death trap. Thanks Mike Hamburg, may you live long and | happy. | | On the other hand, if we know our way around cyclic groups1, | there are almost always very simple (implementation-wise) ways to | deal with the cofactor, which lessens the need for Ristretto on | carefully crafted protocols--though Ristretto would still | simplify those protocols, making them easier to audit. | | [1]: https://loup-vaillant.fr/tutorials/cofactor | | > _Recently, we also uncovered a critical vulnerability in a | number of open-source ECDSA libraries, in which the verification | function failed to check that the signature was non-zero, | allowing attackers to forge signatures on arbitrary messages_ | | Oh. That explains a lot. | | See, I made _one_ significant mistake in all my time as a | cryptographic implementer2. The effect was, all-zero signatures | were accepted half the time, with any public key. Sounds | familiar? | | In any case, some people were quick to assume I was a drooling | incompetent for failing to perform such a basic check as | rejecting the all-zero signature. If I was implementing ECDSA, | they'd have been right. Except I was implementing _EdDSA_ , which | _already_ rejects all-zero signatures with its main algorithm. An | explicit all-zero check is not needed at all. DJB himself for | instance omits it in TweetNaCl. My bug was more subtle: I didn't | failed to check a standard edge case any decent specification | would mention. I _introduced_ an edge case by doing a less-than- | safe conversion with a less-than-perfect understanding of the | maths involved. | | _(To those who wonder why I even tried, I asked around before | attempting this, and no one warned me. And to those who are | wondering why I didn't use Whycheproof right away, that's because | I thought it didn't support EdDSA: to this day, its front page | lists neither EdDSA nor Ed251519, despite my pull request from | nearly 2 years ago.3 If someone from Google hears this, | please...)_ | | In any case, I now understand the mockery better. Those people | likely pattern matched my vulnerability with the corresponding | ECDSA beginner error, and shot me down without checking what was | actually going on. I guess they too were busy. | | [2]: https://monocypher.org/quality-assurance/disclosures | | [3]: https://github.com/google/wycheproof/pull/79 | throwaway81523 wrote: | It is very easy to make mistakes in ECC implementation. If you | really want to code it yourself, there's a book by Menezes, | Vanstone et al ("Guide to Elliptic Curve Cryptography, I think) | that gives very explicit instructions about how to do everything. | I used to hack on a P256 implementation. But, it is a bit out of | date by now, and IIRC it doesn't say anything about Curve25519. ___________________________________________________________________ (page generated 2021-11-30 23:00 UTC)