Re: [Cfrg] Point format endian (was: Adoption of draft-ladd-spake2 as a RG document)

[Watson Ladd <watsonbladd@gmail.com>]

On Jan 27, 2015 9:30 AM, "Dan Harkins" <dharkins@lounge.org> wrote:
>
>
>
> On Tue, January 27, 2015 9:07 am, Watson Ladd wrote:
> >
> > My SPAKE2 draft contains specified M&N, generated by a C program
> > Nathan McCullum sent me. I've been unable to determine what that
> > program does in anything more than the vaguest terms because OpenSSL
> > internals are opaque, but users do not need to generate their own
> > points.
>
>   Yes, it's opaque to you, the application writer. That's the point! But
> to have curve25519 as a special case then you'd have to pry into the
> opacity of the code and figure out what's going on.
>
>   So to allow Nathan McCullum to send you a chunk of code that
> should work with any curve supported by OpenSSL, and have it just
> work without you knowing any opaque internals, it requires a
> canonical conversion of bitstring to integer to field element and
> back.
>
>   If, as you say, users do not need to generate their own points then
> they're gonna have to have a registry of M and N for all curves. And
> to import a bitstring (for instance from the appendix of your draft)
> into code requires converting that bitstring into an element. And
> without the canonical conversion then you need to know about the
> opaque internals.

What makes you think I wouldn't write the point appropriately? More
importantly, if this encoding was different for each curve, how would I
notice, except when I generate the table? Every point has a representation
either way.

I can always do the calculation in PARI and reverse and pad the result. In
fact, PARI only uses decimal IO so I have to convert anyway. I'm not
insisting on decimal format to make my tools work.

There is an encoding of x coordinates as 32 byte strings. The intent is
that this encoding is used for everything having to do with Curve25519. Why
is this such a large problem? At least with the Weierstrass coordinate on
the wire proposal there was a clear rationale for the change in terms of
compatibility. But this has nothing to do with compatibility: you will need
to write new code anyway.

Of course, it's not the case that there is a single universal key format.
SEC1 serializes bignums as fixed-width in keys and variable width in
signatures. PGP uses a different length encoding from TLS. Nor do all
algorithms on words take the words the same way: MD5 uses a little-endian
length encoding, and encodes the low byte first. SHA1 uses a big-endian
length encoding and big-endian words.

Furthermore, forcing applications to carry out encoding and decoding,
instead of having the library do it has several bad effects. It makes it
more complicated to use Curve25519. It prevents codesharing among
libraries, unless they have identical bignum APIs. It makes applications
non portable across libraries.

Defining Curve25519 as a function of bigintegers was considered and
rejected by multiple people due to interoperability problems historically
caused by lack of canonical byte encodings: TLS DHE uses two distinct
encodings at some point.

What's wrong with the API everyone is already using?

Sincerely,
Watson Ladd

>
>   Thank you for illustrating my point so well!

>
>   Dan.
>
>