IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - curve form and coordinate systems

Andrey Jivsov <crypto@brainhub.org> Fri, 13 March 2015 17:46 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 237731A896A for <cfrg@ietfa.amsl.com>; Fri, 13 Mar 2015 10:46:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M31ziHr3r3qL for <cfrg@ietfa.amsl.com>; Fri, 13 Mar 2015 10:46:04 -0700 (PDT)
Received: from resqmta-po-08v.sys.comcast.net (resqmta-po-08v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:167]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF6801A8931 for <cfrg@irtf.org>; Fri, 13 Mar 2015 10:46:03 -0700 (PDT)
Received: from resomta-po-01v.sys.comcast.net ([96.114.154.225]) by resqmta-po-08v.sys.comcast.net with comcast id 35lv1q0014s37d4015m3ho; Fri, 13 Mar 2015 17:46:03 +0000
Received: from [IPv6:::1] ([71.202.164.227]) by resomta-po-01v.sys.comcast.net with comcast id 35m21q0054uhcbK015m2cD; Fri, 13 Mar 2015 17:46:03 +0000
Message-ID: <55032259.5090704@brainhub.org>
Date: Fri, 13 Mar 2015 10:46:01 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: cfrg@irtf.org
X-Priority: 5 (Lowest)
References: <54F8E735.2010202@isode.com> <5501E6A5.5040608@brainhub.org> <5502D58F.3030806@rwth-aachen.de> <5502F920.5050505@gmail.com> <20150313163336.GA3479@localhost>
In-Reply-To: <20150313163336.GA3479@localhost>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1426268763; bh=c7/co8acvPW4bF3j9ubZvlR6afVPwdM+Ii+2/Nc/G4Q=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=Otyry7kAb3mLCSXK57yhHeGLfUKc9iYaqZ/sO1fyNvl3fc41dn1vd4DF67OhFgxJo 9/F3jQRCOF/4das/yVev530/UHT1qPc8eiV58Rp0u2ZstFYKd3u97tKQOrzRzFG2/Q 0lGtSLRRb+P5GE6eD3OGyQbYLvPBg1Q5SSYwvj/fbKSxGbLbF+8W2BIWJjmG8GYNHS YaoMSUSziWbGbMW5CiWigV56sbBGO6Thmzy/L8QWUgp7HwMF7umvbkA1r6vynUlQNp 2T2YAypAkkHWfhw3eok58PCic4xNB6FPp5qa2PGz9jxtk+ZawprqgN+7uEZTe0M+eD Mf+74o9V/4JMA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/GbgaqpQ5G3e1iEjFiTaZe5E59BA>
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2015 17:46:10 -0000

On 03/13/2015 09:33 AM, Nico Williams wrote:
> On Fri, Mar 13, 2015 at 10:50:08AM -0400, Rene Struik wrote:
>> a) use of public key in computations.
>> Here, Andrey Jivsov's point was that receipt of a full point (x,y)
>> on a curve, rather than a compressed point or simply the
>> x-coordinate, does not artificially impose a performance penalty on
>> all implementations except x-coordinate-only ones (Montgomery).
> A "penalty" of some sort is involved in *all* possible choices, and
> there isn't one that is ideal for all use-cases.  Others have pointed
> this out.
>
> ECDH-only applications will exist and will be a/the common case.  Add to
> this the simplicity arguments, and clearly x-only Montgomery is a better
> choice for ECDH.
>
> Some trade-offs:
>
>   - x-only -> you must either have a Montgomery ladder implementation
>               *and* other implementations if you *also* support
>               signatures
>
>               or
>
>               you must have point conversion code *and* use it for ECDH
>               (10% penalty)
>
>     Obviously (I think), the first choice is better: it's a development-
>     and compile-time cost, with the small additional run-time cost of
>     extra text footprint IF you need both around (point coversion also
>     has this extra text footprint at run-time).
>
>   - (x,y)  -> bandwidth waste Montogmery ladder implementations

Is "wasting" of 32 extra per TLS/SSH session that important?

Considering average TLS session reuse rate today, this is 16 bytes per 
TLS session (and is likely to be fewer bytes than this).

>
>     This is not nothing (see Mike H.'s posts).
>
> Similarly for (x,sign(y)).
>
>> b) representation of public key in white list.
>> Here, one can use many methods to map a public key Q to a condensed
>> (perhaps, even human-recognizable) format f(Q).
>> This condensed format could take the form affine format curve point,
>> compressed format, hash, leftmost n-octets, hash value, etc.
> For (b), I don't see why x-only isn't good enough.  Can you elaborate?
>
> Nico

v2.23.0 | Report a Bug | By Email