[Cfrg] On h2c implementation

Watson Ladd <watsonbladd@gmail.com> Sat, 07 December 2019 05:55 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KjfAJSC0iohJECzWOK6JXEcaXXM>

Dear all,

Recently one of my colleagues ran into some unexpected difficulties in
implementing the hash to curve draft. The underlying curve implementation
did not implement general purpose field arithmetic, but rather carried out
enough reduction at each step to be able to multiply a small number of
summands, and only at the end fully reduced.

This is a common way to avoid the cost of a full carry chain, but has the
disadvantage that the arithmetic functions need to be wrapped to properly
carry out comparisons to constants.

It may be worth calling this out in the document.

Sincerely,
Watson
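
The failure mode described in this message, as an added example that is not part of the original post and not taken from the hash-to-curve draft or any library. It assumes, purely for illustration, the field GF(2^255 - 19) held in five 51-bit limbs; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration: GF(2^255 - 19) held in five 51-bit limbs. */
typedef struct { uint64_t v[5]; } fe;
#define M51 ((1ULL << 51) - 1)

/* Lazy addition: no carry, so limbs may exceed 51 bits and the value may be >= p. */
static fe fe_add(fe a, fe b) {
    for (int i = 0; i < 5; i++) a.v[i] += b.v[i];
    return a;
}

/* One carry pass; the carry out of the top limb wraps as 19 (2^255 = 19 mod p). */
static void carry_pass(fe *a) {
    for (int i = 0; i < 4; i++) { a->v[i + 1] += a->v[i] >> 51; a->v[i] &= M51; }
    a->v[0] += 19 * (a->v[4] >> 51);
    a->v[4] &= M51;
}

/* Full reduction to the unique representative in [0, p). Assumes limbs < 2^63. */
static fe fe_canon(fe a) {
    carry_pass(&a);
    carry_pass(&a);                      /* every limb is now < 2^51 */
    uint64_t q = (a.v[0] + 19) >> 51;    /* q ends as 1 iff a >= p */
    for (int i = 1; i < 5; i++) q = (a.v[i] + q) >> 51;
    a.v[0] += 19 * q;                    /* a + 19q, minus bit 255, is a - q*p */
    for (int i = 0; i < 4; i++) { a.v[i + 1] += a.v[i] >> 51; a.v[i] &= M51; }
    a.v[4] &= M51;
    return a;
}

/* Unwrapped comparison: compares limbs as stored, no data-dependent branch. */
static int fe_eq_naive(fe a, fe b) {
    uint64_t d = 0;
    for (int i = 0; i < 5; i++) d |= a.v[i] ^ b.v[i];
    return d == 0;
}

/* Wrapped comparison: canonicalise both sides before comparing. */
static int fe_eq(fe a, fe b) { return fe_eq_naive(fe_canon(a), fe_canon(b)); }
/* Constructed sample values: p - 1 (that is, -1) and small constants. */
static fe fe_minus_one(void) { fe r = {{M51 - 19, M51, M51, M51, M51}}; return r; }
static fe fe_small(uint64_t x) { fe r = {{x, 0, 0, 0, 0}}; return r; }
int main(void) {
    fe s = fe_add(fe_minus_one(), fe_small(1));   /* limbs spell p, value is 0 */
    printf("naive: %d, wrapped: %d\n", fe_eq_naive(s, fe_small(0)), fe_eq(s, fe_small(0)));
    return 0;
}
```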