Re: [Cfrg] [saag] A proposal for compact representation of an elliptic curve point (ECC point compression)
"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Wed, 12 December 2012 20:10 UTC
Return-Path: <sfluhrer@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2556911E80E4 for <cfrg@ietfa.amsl.com>; Wed, 12 Dec 2012 12:10:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tGmMmWbqRZ-n for <cfrg@ietfa.amsl.com>; Wed, 12 Dec 2012 12:10:55 -0800 (PST)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id 17D8911E80DC for <cfrg@irtf.org>; Wed, 12 Dec 2012 12:10:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5125; q=dns/txt; s=iport; t=1355343055; x=1356552655; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=4NIuTZ3/j2mG1xF6w3EEnf7Q7xPNR/DU6IqzU2TehnY=; b=Sjqrk1vszWhl+T5q+gdCacU9Lf1P46PvEP/sqmnDq/ci6xzv7gr/hMYi lr4hOGjqW6RVJuJOFxYIK76Idu1Ge4ylWvqjPxwskgs5EN+lSprskt0l/ uUfieELlVdDJgbJ9hhlr8iNSbluT4xGBCM5T/frKfqYrp+nCF2Tl9zw8r g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFAP/jyFCtJXG9/2dsb2JhbABCA78YFnOCHgEBAQIBAQEBATc0CwwEAgEIDgMEAQEBChQFBAchBgsUCQgCBA4FCAELh2sDCQYMtAsNiVWLYmkLgQqCTWEDilGIBYFdjQ2FEYJzgW01
X-IronPort-AV: E=Sophos;i="4.84,268,1355097600"; d="scan'208";a="152269685"
Received: from rcdn-core2-2.cisco.com ([173.37.113.189]) by rcdn-iport-5.cisco.com with ESMTP; 12 Dec 2012 20:10:54 +0000
Received: from xhc-aln-x04.cisco.com (xhc-aln-x04.cisco.com [173.36.12.78]) by rcdn-core2-2.cisco.com (8.14.5/8.14.5) with ESMTP id qBCKAs09029605 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 12 Dec 2012 20:10:54 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.29]) by xhc-aln-x04.cisco.com ([173.36.12.78]) with mapi id 14.02.0318.004; Wed, 12 Dec 2012 14:10:54 -0600
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Andrey Jivsov <openpgp@brainhub.org>
Thread-Topic: [Cfrg] [saag] A proposal for compact representation of an elliptic curve point (ECC point compression)
Thread-Index: AQHN2HN1n0mZdiOeF06/Mfx4iUhUp5gVYE2ggACJ5oD//6zskA==
Date: Wed, 12 Dec 2012 20:10:53 +0000
Message-ID: <A113ACFD9DF8B04F96395BDEACB340421E69E4@xmb-rcd-x04.cisco.com>
References: <E1TiZ2u-0004cU-P0@login01.fos.auckland.ac.nz> <50C7C3AC.7010405@brainhub.org> <50C891E7.4000009@gmail.com> <A113ACFD9DF8B04F96395BDEACB340421E67CA@xmb-rcd-x04.cisco.com> <50C8D4D1.8050805@brainhub.org>
In-Reply-To: <50C8D4D1.8050805@brainhub.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.32.244.86]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "cfrg@irtf.org" <cfrg@irtf.org>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [Cfrg] [saag] A proposal for compact representation of an elliptic curve point (ECC point compression)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Dec 2012 20:10:56 -0000
> -----Original Message----- > From: Andrey Jivsov [mailto:openpgp@brainhub.org] > Sent: Wednesday, December 12, 2012 2:03 PM > To: Scott Fluhrer (sfluhrer) > Cc: Rene Struik; cfrg@irtf.org; saag@ietf.org; Peter Gutmann > Subject: Re: [Cfrg] [saag] A proposal for compact representation of an > elliptic curve point (ECC point compression) > > I have the same comment as Scott, but I am not sure exactly what Rene > means. > > I will assume that Rene says that because there are two y for each x, one can > calculate the corresponding y or p-y and choose one at random. > > The format I proposed indeed fits very well with the feature of the ECDH- > based protocol that Scott refers to (which covers ECC encryption and key > agreement). As the draft shows, one simply drops the y coordinate to obtain > the compact representation, while there are no extra steps for ECDH key > generation (because ECDH keys are not sensitive to maintaining the "right" > y). > > The extra key generation step is only needed for ECDSA keys. Actually, as Rene pointed out to me privately, it isn't much more for ECDSA, at least with the standard algorithm. The ECDSA verification is a check whether r = (uG + vQ)_x, where Q is the public key. If you are given only the x coordinate of Q, what you do is to pick a corresponding y coordinate (so you get a point S where either S=Q or S=-Q, where Q is the original public key), and check if one of these two holds: r = (uG + vS)_x r = (uG - vS)_x If either does, the signature verifies. This adds the cost of a single point addition (and the cost of generating the y coordinate of S); fairly small. > > On 12/12/2012 08:52 AM, Scott Fluhrer (sfluhrer) wrote: > > > > > >> -----Original Message----- > >> From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf > >> Of Rene Struik > >> Sent: Wednesday, December 12, 2012 9:17 AM > >> To: Andrey Jivsov > >> Cc: cfrg@irtf.org; saag@ietf.org; Peter Gutmann > >> Subject: Re: [Cfrg] [saag] A proposal for compact representation of > >> an elliptic curve point (ECC point compression) > >> > >> Hi Andrey: > >> > >> One can already implement the x-coordinate only representation of an > >> elliptic curve point simply by converting the affine representation > >> into compressed representation and randomizing the compression "bit". > >> The reverse operation then yields the point or its inverse (which > >> have the same x-coordinate). > >> > >> To my knowledge, this does not require any changes to data formatting > >> (nor additional bytes). > > > > That randomization of the y-component works fine for ECDH (at least, if > you use only the x-component of the shared secret); however, it doesn't > work for ECDSA public keys. > > > >> > >> Best regards, > >> > >> Rene > >> > >> On 12/11/2012 6:37 PM, Andrey Jivsov wrote: > >>> On 12/11/2012 03:15 PM, Peter Gutmann wrote: > >>>> Andrey Jivsov <openpgp@brainhub.org> writes: > >>>> > >>>>> I thought that it would be useful for the Internet community to > >>>>> have an IETF document that describes how to encode an ECC point. > >>>> > >>>> Maybe I'm missing something here, but wouldn't this just consist of: > >>>> > >>>> -- Snip -- > >>>> > >>>> See [1]. > >>>> > >>>> [1] X9.62-2005, "Public Key Cryptography for the Financial Services > >>>> Industry: > >>>> The Elliptic Curve Digital Signature Standard (ECDSA)", November, > 2005. > >>>> > >>>> -- Snip -- > >>>> > >>>> That's what every existing RFC that uses ECC seems to be using. > >>>> > >>>> Peter. > >>>> > >>> > >>> Hello Peter. > >>> > >>> "X9.62-2005" in the search engine lends me on a page that asks for > >>> $100. I think http://www.secg.org/collateral/sec1_final.pdf [SEC1] > >>> is more popular as a reference (assuming they are identical > >>> regarding the point compression method). > >>> > >>> I claim that what I submitted is better in many respects than SEC1. > >>> > >>> Let me expand on one of the benefits not covered in the spec. It's > >>> very likely that an employee of a commercial company thinking about > >>> using [SEC1] compression with any ECC method would get an order from > >>> the legal department to stay away from compression. The fact that > >>> somebody on the Internet posted something to the contrary has little > >>> weight for them. My contribution is an attempt towards a compact > >>> representation that is actually usable in practice. It's the most > >>> direct extension to the 1985 idea by [Miller] (see my document for > >>> details). > >>> > >>> Thank you. > >>> > >>> _______________________________________________ > >>> saag mailing list > >>> saag@ietf.org > >>> https://www.ietf.org/mailman/listinfo/saag > >> > >> > >> -- > >> email: rstruik.ext@gmail.com | Skype: rstruik > >> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363 > >> > >> _______________________________________________ > >> Cfrg mailing list > >> Cfrg@irtf.org > >> http://www.irtf.org/mailman/listinfo/cfrg
- Re: [Cfrg] [saag] A proposal for compact represen… Rene Struik
- Re: [Cfrg] [saag] A proposal for compact represen… Scott Fluhrer (sfluhrer)
- Re: [Cfrg] [saag] A proposal for compact represen… Dan Brown
- Re: [Cfrg] [saag] A proposal for compact represen… Russ Housley
- Re: [Cfrg] [saag] A proposal for compact represen… Rene Struik
- Re: [Cfrg] [saag] A proposal for compact represen… Scott Fluhrer (sfluhrer)
- Re: [Cfrg] [saag] A proposal for compact represen… Vadym Fedyukovych