Re: [Cfrg] Elliptic Curves - curve form and coordinate systems
Watson Ladd <watsonbladd@gmail.com> Fri, 13 March 2015 15:20 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6780B1A8A82 for <cfrg@ietfa.amsl.com>; Fri, 13 Mar 2015 08:20:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y1EE6oop3vBj for <cfrg@ietfa.amsl.com>; Fri, 13 Mar 2015 08:20:28 -0700 (PDT)
Received: from mail-yh0-x230.google.com (mail-yh0-x230.google.com [IPv6:2607:f8b0:4002:c01::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B56051A8A62 for <cfrg@irtf.org>; Fri, 13 Mar 2015 08:20:28 -0700 (PDT)
Received: by yhaf73 with SMTP id f73so12099074yha.12 for <cfrg@irtf.org>; Fri, 13 Mar 2015 08:20:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=6lOrI4G92JIsuzydld2rZUhTbyN7l8RdRB/9e7dNA54=; b=F/ve428lYzYfr0lpW+o7kTKKIHZNPGjKXo8auLqYoanOJ/0mY8yBtlfLYqgSRQ+vCW JXiXhp2k6Ek9mpCXk7albYS23QSfd3Uv7F6qzYWXqGKlr3YKku9U1lVXpb5PKfGzPj6e RXcAuomZNV2U3PcLPK9cSn4aaMCqx/ZJpQLDY8uxuFxRP43Bj/OfRBanfdW0+N0oSEPm f3teWXpvLpT6JFo6TYTr/WrYfKK8SD59CgGCsd+9Op/bucmwFxvD3t6WZs8GswKtChfF OPEoHSkVRmDiGw+RZCPXxwGyFWP2q44thBowUIQe7yu5usEl8xfeLk0qlGRcQ5rixpWf DRWA==
MIME-Version: 1.0
X-Received: by 10.236.220.65 with SMTP id n61mr47016996yhp.44.1426260028087; Fri, 13 Mar 2015 08:20:28 -0700 (PDT)
Received: by 10.170.58.201 with HTTP; Fri, 13 Mar 2015 08:20:28 -0700 (PDT)
In-Reply-To: <5502F920.5050505@gmail.com>
References: <54F8E735.2010202@isode.com> <5501E6A5.5040608@brainhub.org> <5502D58F.3030806@rwth-aachen.de> <5502F920.5050505@gmail.com>
Date: Fri, 13 Mar 2015 08:20:28 -0700
Message-ID: <CACsn0ckERomjBvQvs1T89VLYdOuj-WPDmzg_67mrQnaUe+0crA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Rene Struik <rstruik.ext@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/4_kiPtPnRK4rXWIMe-N9iYFOu1w>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2015 15:20:36 -0000
On Fri, Mar 13, 2015 at 7:50 AM, Rene Struik <rstruik.ext@gmail.com> wrote: > Hi Jakob: > > This confuses different discussions: > > a) use of public key in computations. > Here, Andrey Jivsov's point was that receipt of a full point (x,y) on a > curve, rather than a compressed point or simply the x-coordinate, does not > artificially impose a performance penalty on all implementations except > x-coordinate-only ones (Montgomery). This isn't artificial: use of compressed and x only coordinate representations has security benefits, because it makes the simplest implementation very simple. > b) representation of public key in white list. > Here, one can use many methods to map a public key Q to a condensed > (perhaps, even human-recognizable) format f(Q). > This condensed format could take the form affine format curve point, > compressed format, hash, leftmost n-octets, hash value, etc. > > My own take: > > Ad a): > I fully agree with Andrey Jivsov's point and think using x-coordinate only > representations imposes a "moat" around ECC implementations, by imposing a > levy on all implementations that, for whatever reason, may want to use > something else than Montgomery arithmetic. {Please note that this levy is > incurred (in the context of ECDH) during *online* computations.} Such fully > specified points are particularly useful in settings, including > multiple-point multiplication, combined key computations and signature > verifications, batch computations, since may allow significant performance > advantages in those settings. But we're discussing ECDH, which isn't any of these cases. Of course, there is no performance penalty: the Montgomery ladder is the fastest variable scalar multiplication. Users who don't care about performance can incur the square root cost: they don't care. Users who do care about performance are already going to use the Montgomery ladder. > > Ad b): > This is a non-issue in representation discussions with CFRG with ECC, since > dealing with protocol issues, not user interfaces. > Nevertheless, here is a comparison that illustrates some condensed > representations that are possibly in a completely standardized way, resp. > "cooked up" for user interfaces: > > Comparison example: > example P-256 public key, with affine coordinates (x,y), > x-coord = 6b 17 d1 f2 e1 2c 42 47 f8 bc e6 e5 63 a4 40 f2 77 03 7d 81 2d eb > 33 a0 f4 a1 39 45 d8 98 c2 96 > y-coord = 4f e3 42 e2 fe 1a 7f 9b 8e e7 eb 4a 7c 0f 9e 16 2b ce 33 57 6b 31 > 5e ce cb b6 40 68 37 bf 51 f5 > a) standardized affine format: (0x04 || x-coord || y-coord) {65 octets} > b) standardized compressed format: (0x03 || x-coordinate) {33 octets} > c) non-standard, x-coordinate-only: x-coordinate {32 octets} > d) non-standard, truncated x-coordinate (x-coordinate mod 2^128): 77 03 7d > 81 2d eb 33 a0 f4 a1 39 45 d8 98 c2 96 {16 octets} > > example Curve25519, Alice's public key (source: > draft-irtf-agl-cfrgcurve-00): > x-coord = 85 20 f0 09 89 30 a7 54 74 8b 7d dc b4 3e f7 5a 0d bf 3a 0d 26 38 > 1a f4 eb a4 a9 8e aa 9b 4e 6a > c) non-standard, x-coordinate-only: x-coordinate {32 octets} > > On 3/13/2015 8:18 AM, Jakob Breier wrote: >> >> On 12.03.2015 20:19, Andrey Jivsov wrote: >>> >>> * This proposal incurs 32 additional bytes of storage overhead for the >>> public key, for the total of 64 bytes (compare this with 260+ bytes for RSA >>> 2048). >> >> >> The storage costs and transmission costs might be insignificant for >> machines, but I'd like to point out the human storage and transmission >> costs. Take a look at SSH keys for example. Compare how well you can >> visually parse several lines of keys in an authorized_keys file in these >> three formats: >> >> ssh-rsa >> AAAAB3NzaC1yc2EAAAADAQABAAABAQDRTSfbRohGanse3u4gnu8wOId85f5KKyEzo/l >> >> MabVM4J92n6r4NPgN46pQ3bTc8XzLO5zHXY/mPSwQru3Ks+6Mcut7bDo0ohPcLcdIYGTbqXkfz3 >> >> KNDbdXwPMcaPamLmugNnj9UK2cPe8Q7F9DGSLaQc1eiC0JS/Qm0gG3ULqX3DEDFQbLBzH326Lov >> >> 9gplu/U7D0bBiM7q7VQs32sz11L4KWY3RzUhuy6bQ7GGrkGvp78l7f+56AvQNeIV8fDOWKNE73s >> >> Q3NybxWxQ771c5c+AZGYzkERlHWjxaxGA6V8ZUiE2VftHZMY4k6z4DC9hiadxwmr85qWriC7RrT >> OjmN9 Alice-HomePc >> >> ecdsa-sha2-nistp256 >> AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLB >> >> RUKndAEfMluniDolf8eJIdhh1l9C2iXKtnbvbM9vFbBMQ+l47i7wusn4G2RMYsFPbwlV4XQt4TT >> sEwkrcLss= Alice-HomePc >> >> ssh-ed25519 >> AAAAC3NzaC1lZDI1NTE5AAAAICxtv8s7nwLqhkhryoY+w/u9ZrY7dr0ZPZhYuOS >> bxTIb Alice-HomePc >> >> They are in turn: RSA (2048 bit), 65 byte long nistp256 key and 32 byte >> long ed25519 key (apparently, openssh already uses point compression for >> this format). The difference would be even more pronounced, if the SSH key >> storage format was more efficient, but the result of factor two decrease >> from 64 byte to 32 byte keys is still significant. And these are keys that >> you often copy and paste as plain text instead of sending pubkey files, e.g. >> when you add one to GitHub or instant message it to a friend. >> >> Another example is TextSecure, the end-to-end encrypted messenger app, >> that allows you to verify the 33 byte "identity" (32 byte Curve25519 key + >> 0x05 prefix) by comparing them manually as 66 hex characters (or scanning a >> QR-code). Threema, another encrypted messenger app, also directly compares >> the public key (32 byte Curve25519) in the QR-code. (Threema does also >> feature a 128bit fingerprint, though, that can be compared by reading it >> aloud.) >> >> As all three examples feature interactive protocols anyway, they could use >> fingerprints instead, but for various reasons don't and thus profit from >> short key sizes. >> >> An example that does not have the alternative of using fingerprints are >> key revocation certificates. I have a few of these printed out for RSA keys >> and I fear the day I actually have to type them in. >> Also, if we'll ever have a chance to bring strong end-to-end cryptography >> to the masses, then we need inexperienced users to backup their private key. >> And I trust my parents far more to securely store, and later on use, a slip >> of paper - which means writing down and later typing back in the key - than >> a USB stick / a memory card / a CD / …, all which have to be periodically >> checked whether they are still readable. And while this would be totally >> impractical with RSA keys, with EC keys this becomes borderline usable. And >> here the difference between 64 and 32 bytes is enormous. >> >> Best regards, >> Jakob Breier >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> http://www.irtf.org/mailman/listinfo/cfrg > > > > -- > email: rstruik.ext@gmail.com | Skype: rstruik > cell: +1 (647) 867-5658 | US: +1 (415) 690-7363 > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- Re: [Cfrg] Elliptic Curves - curve form and coord… Viktor Dukhovni
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- [Cfrg] (flaws with Curve25519 DH function, if one… Rene Struik
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Viktor Dukhovni
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- [Cfrg] (flaws with Curve25519 DH function, if one… Rene Struik
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nico Williams
- Re: [Cfrg] (flaws with Curve25519 DH function, if… David Leon Gil
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Viktor Dukhovni
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Nico Williams
- Re: [Cfrg] (flaws with Curve25519 DH function, if… CodesInChaos
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Salz, Rich
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Watson Ladd
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Ilari Liusvaara
- Re: [Cfrg] (flaws with Curve25519 DH function, if… CodesInChaos
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alexey Melnikov
- [Cfrg] Elliptic Curves - curve form and coordinat… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Dan Brown
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - curve form and coord… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - curve form and coord… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Mike Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nadim Kobeissi
- Re: [Cfrg] Elliptic Curves - curve form and coord… Adam Langley
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Adam Langley
- Re: [Cfrg] Elliptic Curves - curve form and coord… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - curve form and coord… Paul Lambert
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Salz, Rich
- Re: [Cfrg] Elliptic Curves - curve form and coord… Adam Langley
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nico Williams
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Dan Brown
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Paterson, Kenny
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Jakob Breier
- Re: [Cfrg] Elliptic Curves - curve form and coord… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nico Williams
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Jakob Breier
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Salz, Rich
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg