Re: [Cfrg] 25519 naming
Dan Brown <dbrown@certicom.com> Wed, 27 August 2014 15:28 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E44FA1A0AE0 for <cfrg@ietfa.amsl.com>; Wed, 27 Aug 2014 08:28:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.801
X-Spam-Level:
X-Spam-Status: No, score=0.801 tagged_above=-999 required=5 tests=[BAYES_50=0.8, CTYPE_001C_B=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rpWblH6wuD4Q for <cfrg@ietfa.amsl.com>; Wed, 27 Aug 2014 08:28:22 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) by ietfa.amsl.com (Postfix) with ESMTP id 1CD111A0ACA for <cfrg@irtf.org>; Wed, 27 Aug 2014 08:28:21 -0700 (PDT)
Received: from xct108cnc.rim.net ([10.65.161.208]) by mhs214cnc.rim.net with ESMTP/TLS/AES128-SHA; 27 Aug 2014 11:28:19 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT108CNC.rim.net ([fe80::8dc1:9551:6ed8:c618%17]) with mapi id 14.03.0174.001; Wed, 27 Aug 2014 11:28:17 -0400
From: Dan Brown <dbrown@certicom.com>
To: "'cfrg@irtf.org'" <cfrg@irtf.org>
Thread-Topic: [Cfrg] 25519 naming
Thread-Index: AQHPwXToHfyXCW9D/EmDkFwuSkeYqZvkfCBw
Date: Wed, 27 Aug 2014 15:28:17 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5CD3966@XMB116CNC.rim.net>
References: <20140825234305.7799.qmail@cr.yp.to>
In-Reply-To: <20140825234305.7799.qmail@cr.yp.to>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.251]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0000_01CFC1E9.FF4BEB60"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/654XLebSfoVcFTvfdzIUMJgXYxo
Subject: Re: [Cfrg] 25519 naming
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Aug 2014 15:28:24 -0000
> -----Original Message----- > From: D. J. Bernstein > Sent: Monday, August 25, 2014 7:43 PM > > use short Weierstrass x and y coordinates for everything (as required by, > e.g., the ANSI and NIST ECDSA standards), With an ANSI hat on: Just a small clarification, because I think saying "for everything" overstates the ANSI ECDSA requirements. The quoted statement "for everything" to me suggests that ANSI requires these formats for transmission, but that's not strictly true. While ANSI X9.62 ECDSA and ANSI X9.63 do specify recommended formats such octet string conversions and some ASN.1 types, using these formats for transmitting public keys is *not* a requirement to claim compliance to the algorithms in ANSI X9.62 or ANSI X9.63. (Unless I'm missed something today in my quick review of these documents, or have forgotten some requirement text.) Of course, it is correct that some conversions *are required* in the internal algorithm calculations, in order to obtain interoperability: - Both the ECDSA and ECMQV algorithms specify a required operation that takes a short Weierstrass x-coordinate of an ephemeral public key and convert to an integer. - Both ECDH and ECMQV algorithms specify a required operation that takes a short Weierstrass x-coordinate of a shared secret and converts it to a bit string. Both ends of the communication must use the same internal conversions to achieve interoperability. I think that the choice of short Weierstrass was mainly motivated by being able to work for any curve. Recall, that ANSI optionally users to specify their own curves, even providing an ASN.1 format to help them out. (Aside: some IETF specs forbade this general curve specifying format, so, in a weak sense, it is really IETF disallowing the curve part of Curve25519, not ANSI ;-) With ANSI hat off now: I'm not sure at the moment at the costs or benefits of changing the algorithm internal conversions with new curves, but here are some tentative thoughts: - I think one might be able to separate/tie the curve choice from/to the internal representations used in the algorithms above, but one would need to expand the algorithms slightly, and if things are more separated, then add some mechanisms to negotiate the relevant internals. - Most of the hard work, i.e. scalar multiplication, can be done in whatever format is convenient, with wire-format and final algorithm conversions being done just when needed. - From a security perspective, these internal conversion functions require some very mild security properties (e.g. they must not cluster at one output value) that I think most reasonable alternatives would easily meet, perhaps with proof. Regarding NIST requirements: I'm not sure because there are more layers documents involved, and in particular, there's FIPS 140-3 with the CAVP and CMVP program and so on, which I think get rather more specific by mandating formats, which is indeed almost "everything". Maybe people have been, or still are, more interested in NIST than in ANSI, anyway. So, another reason this is a just small clarification. Best regards, Dan
- [Cfrg] 25519 naming D. J. Bernstein
- Re: [Cfrg] 25519 naming Tony Arcieri
- Re: [Cfrg] 25519 naming David Leon Gil
- Re: [Cfrg] 25519 naming Dan Brown
- Re: [Cfrg] 25519 naming Watson Ladd
- [Cfrg] Fwd: 25519 naming David Leon Gil
- Re: [Cfrg] 25519 naming D. J. Bernstein
- Re: [Cfrg] 25519 naming Andrey Jivsov
- Re: [Cfrg] 25519 naming Robert Ransom
- Re: [Cfrg] 25519 naming Andrey Jivsov
- Re: [Cfrg] 25519 naming Robert Ransom