Re: [Cfrg] Point format for Edwards curves
Watson Ladd <watsonbladd@gmail.com> Mon, 18 May 2015 17:48 UTC
On May 18, 2015 10:39 AM, "Nico Williams" <nico@cryptonector.com> wrote:
>
> On Mon, May 18, 2015 at 09:57:31AM -0700, Watson Ladd wrote:
> > On May 18, 2015 8:49 AM, "Nico Williams" <nico@cryptonector.com> wrote:
> > > On Sun, May 17, 2015 at 08:56:20PM -0700, Andrey Jivsov wrote:
> > > > The sign bit of T can also be implicit when T=wM+xG in your draft is
> > > > required to have the positive 't_x' for T={t_x, t_y} (or
> > > > "compliant" T). The "encoding" of T can be done very efficiently
> > > > because the sender chooses a random x.
> > >
> > > Even better.
> > >
> > > > https://tools.ietf.org/html/draft-jivsov-ecc-compact-05#section-4.2.3
> > > > describes the algorithm for the sum of points.
> > >
> > > There's a timing variation, but it's entirely to do with the sums of
> > > randomly selected points, not the fixed point derived from the password,
> > > which means there's no side channel. Very nice.
> >
> > And this proposal will not work with batchable signature schemes. It also
> > never gets to the byte level.
>
> I didn't take Andrey's proposal as a generic point encoding for a
> signature scheme, just for the SPAKE2. That's convenient mainly because
> there are implementors who might ship SPAKE2 with Curve25519 and
> Goldilocks, but they can't do it without a point encoding for addition
> -- Andrey's proposal saves them having to wait for CFRG to specify it.

But I'm proposing we solve that right now, rather than adopt a workaround.
There is no reason not to decide now.

>
> For the signature scheme I agree we need a generic point encoding that
> permits addition, and for that I support your proposal (y plus sign of x).

That is extra byte for sign bit, little endian?

>
> Nico
> --
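The "y plus sign of x" encoding discussed in this message, as an added example that is not part of the original thread or any participant's code. It assumes the edwards25519 curve and one particular byte layout (32 bytes, y little-endian, low bit of x in the otherwise unused top bit, as Ed25519 does); the thread itself leaves the layout open. The function names are made up for the illustration.

```python
# Added illustration: "y plus sign of x" point encoding on edwards25519.
# Assumed layout: 32 bytes, y little-endian, low bit of x stored in bit 255.
P = 2**255 - 19                              # field prime
D = -121665 * pow(121666, P - 2, P) % P      # curve: -x^2 + y^2 = 1 + d*x^2*y^2
SQRT_M1 = pow(2, (P - 1) // 4, P)            # a square root of -1 mod P

def on_curve(x, y):
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0

def recover_x(y, sign):
    """Solve the curve equation for x and pick the root whose low bit is `sign`."""
    if y >= P:
        raise ValueError("non-canonical y")
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)             # candidate root, valid since P = 5 mod 8
    if (x * x - x2) % P != 0:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P != 0:
        raise ValueError("y is not the coordinate of a curve point")
    if x == 0 and sign:
        raise ValueError("x = 0 cannot carry a set sign bit")
    return x if (x & 1) == sign else P - x

def encode(x, y):
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decode(data):
    if len(data) != 32:
        raise ValueError("expected 32 bytes")
    n = int.from_bytes(data, "little")
    y = n & ((1 << 255) - 1)
    return recover_x(y, n >> 255), y

def add(p1, p2):
    """Full-point addition, possible because decode() returns both coordinates."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P
    return x3, y3

# Constructed sample: the point with y = 4/5 and even x, and its negation.
BY = 4 * pow(5, P - 2, P) % P
B = (recover_x(BY, 0), BY)
NEG_B = (P - B[0], BY)
if __name__ == "__main__":
    print(encode(*B).hex(), encode(*NEG_B).hex(), sep="\n")
```

The two encodings printed differ only in the top bit of the last byte, which is what lets a receiver tell a point from its negative before adding.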