Re: [Cfrg] hpke encoding of DH output

Richard Barnes <> Thu, 20 August 2020 18:30 UTC

From: Richard Barnes <>
Date: Thu, 20 Aug 2020 14:29:50 -0400
Message-ID: <>
To: Stephen Farrell <>
Cc: "" <>
List-Id: Crypto Forum Research Group <>

Hi Stephen,

I think you're right here.  I just re-checked both the NIST and SECG
specifications for ECDH [1][2], and they're in agreement that the secret
value is the X-coordinate.  I'll work with my coauthors to get this


[1] Section of
[2] Section 3.3.1 of

On Thu, Aug 20, 2020 at 2:04 PM Stephen Farrell <>

> Hi,
>
> I ran into an interop problem with draft-05 that I think is
> worth bringing to the list.
>
> Draft-05 says:
>
> "For the variants of DHKEM defined in this document, the
> size Ndh of the Diffie-Hellman shared secret is equal to
> Npk, and the size Nsecret of the KEM shared secret is equal
> to the output length of the hash function underlying the
> KDF."
>
> What that means is that, for the NIST curves, the DH
> value (used to be zz I think) is represented as a public
> key in uncompressed form. My code uses the OpenSSL
> EVP_PKEY_derive() function (same as it did for draft-02)
> which only gives me the X co-ordinate, and OpenSSL doesn't
> seem to have an easy way to get the uncompressed version
> from that. I don't know, but I'd guess that other libraries
> might be similar. In draft-02 only the X co-ordinate was
> used btw, and I don't recall this change being brought
> up on the list.
>
> I don't think there's any security benefit in treating
> the output of the DH operation as a public key. If there
> were, then I'd be fine with changing to use lower level
> calls to do the DH operation. But that seems a bit wrong,
> so I'd argue that we'd be better to not treat the DH
> shared secret value as a public key when encoding that.
>
> Separately, it'd be good to add those values to the
> test vectors - took me a while to find this - in the
> end I had to add more tracing to the go implementation
> to spit out these values.
>
> Lastly, even if we don't make a change, it'd be good
> to add text to clarify this, but I think I'd prefer we
> make the change if there's no security downside.
>
> Cheers,
> S.
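The interop problem in the thread above comes down to two different byte encodings of the same ECDH shared point on a NIST curve: the X coordinate alone (what SEC1 section 3.3.1 defines as the ECDH output, and what OpenSSL's EVP_PKEY_derive() returns, per Stephen's message) versus the uncompressed SEC1 point 0x04 || X || Y that the draft-05 wording "Ndh is equal to Npk" implies. The following is an added example, not code from the thread or from any HPKE implementation: it runs both sides of a P-256 ECDH exchange in plain Python, produces both encodings, and shows why an implementation holding only X cannot simply reconstruct the uncompressed form (the curve equation yields two candidate Y values). The private scalars are constructed for the demonstration, and the arithmetic is textbook affine arithmetic for illustration only, not constant-time.

```python
# Added example (not part of the mailing-list thread): the two candidate
# encodings of an ECDH shared secret on P-256 that draft-05's "Ndh == Npk"
# wording and OpenSSL's EVP_PKEY_derive() behaviour disagree on.
# Textbook affine arithmetic, for illustration only (not constant-time).

# P-256 / secp256r1 domain parameters (FIPS 186-4, SEC2).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
NX = 32   # size of one field element in bytes
NPK = 65  # size of an uncompressed SEC1 public key: 0x04 || X || Y


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + a*x + b (None is the point at infinity)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def encode_x_only(pt):
    """SEC1 3.3.1 ECDH primitive output: the X coordinate only (Ndh = 32)."""
    return pt[0].to_bytes(NX, "big")


def encode_uncompressed(pt):
    """SEC1 2.3.3 uncompressed point, 0x04 || X || Y (Ndh = Npk = 65)."""
    return b"\x04" + pt[0].to_bytes(NX, "big") + pt[1].to_bytes(NX, "big")


def recover_y(x):
    """Both square roots of x^3 + a*x + b; p = 3 mod 4 so sqrt is one exponentiation.
    An X-only secret carries nothing that says which root the real shared point has."""
    rhs = (x * x * x + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        raise ValueError("x is not the X coordinate of a curve point")
    return sorted((y, P - y))


def ecdh(sk_a, sk_b):
    """Run both sides of an ECDH exchange and return the shared point and its two encodings."""
    pk_a, pk_b = mul(sk_a, G), mul(sk_b, G)
    z_a, z_b = mul(sk_a, pk_b), mul(sk_b, pk_a)
    if z_a != z_b:
        raise RuntimeError("ECDH sides disagree")
    return {"point": z_a,
            "x_only": encode_x_only(z_a),
            "uncompressed": encode_uncompressed(z_a)}


if __name__ == "__main__":
    # Constructed private scalars for the demonstration (not from any test vector).
    r = ecdh(0x1234567890abcdef0123456789abcdef, 0xfedcba9876543210fedcba9876543210)
    print("Ndh if X only      :", len(r["x_only"]))
    print("Ndh if uncompressed:", len(r["uncompressed"]))
    print("candidate Y values from X alone:", len(recover_y(r["point"][0])))
```

The point for implementers is that any KDF input built from the DH value differs in length and content between the two readings, so two otherwise correct implementations that pick different encodings will derive different KEM shared secrets and fail to interoperate; a library that only exposes the X coordinate would additionally have to solve the curve equation and disambiguate the sign of Y to produce the uncompressed form.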