Re: [CFRG] compact representation and HPKE

Mike Hamburg <> Fri, 12 February 2021 22:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 11A303A101C for <>; Fri, 12 Feb 2021 14:33:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.305
X-Spam-Status: No, score=-1.305 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ETzehhX62EQC for <>; Fri, 12 Feb 2021 14:32:58 -0800 (PST)
Received: from (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E4A733A0C83 for <>; Fri, 12 Feb 2021 14:32:58 -0800 (PST)
Received: from [] (unknown []) (Authenticated sender: mike) by (Postfix) with ESMTPSA id 11A42BB808; Fri, 12 Feb 2021 22:32:57 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=sldo; t=1613169178; bh=VaZpkI6zC4TquqDPuxd9IdKO4lm/BypBNZrT4+8buio=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=FCNeIoMhW6gNhrSs3SkbOIh+AX9akr24rtWzuvMwzcswbduxYiwJIgZ9YVnaC9wHX Q8PzMSw8pNB7S5HyPJmTRet0y5Nkh3Q65NPtXTyinbC1u6HFNLbcuBO+e/o3Qrpf/y sk8Wz5TQ4QGGhuSxTLvY1wMJX5oHmSih8D1TMEyA=
From: Mike Hamburg <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_CB984A75-5735-4B07-9EAB-7890BF28C337"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Date: Fri, 12 Feb 2021 18:32:55 -0400
In-Reply-To: <>
Cc: CFRG <>
To: Paul Hoffman <>
References: <> <> <> <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [CFRG] compact representation and HPKE
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 12 Feb 2021 22:33:01 -0000

> On Feb 12, 2021, at 5:59 PM, Paul Hoffman <> wrote:
> On 12 Feb 2021, at 13:40, Christopher Wood wrote:
>> (I don't think RFC 6090 or the related expired draft [1] rise to the level of a standard format)>
>> [1]
> For those of you who were not here a decade ago:
> - RFC 6090 was never meant to be a standard. It was written and published to show that there was ample prior art for elliptic curves against some patent concerns that people had. To a large extent, it met that goal and discussions of ECC stopped ending with "but what about the patents", then they stopped having patents come up at all.

It’s worth mentioning, on the subject of “but what about the patents”: the fastest set of x-only formulas I’m aware of, 11M/bit as described in <>, are patented by my employer (not my choice to make).  On the second-fastest set I’m aware of, 12M/bit as described in <>, I’m not aware of any patents.

As for HPKE: I’m always sad to see a technically better solution passed up, especially since I’ve done so much research to improve it.  But if it’s not standardized or widely supported at all yet, then a decision to use the existing structures makes sense.  I’m actually pretty surprised that it’s not standardized anywhere: it’s weird that everyone uses x-only output with short Weierstrass curves, but nobody uses x-only wire formats with them.

For FIPS: would HPKE be FIPS-compliant anyway?  Don’t FIPS-compliant ECC private keys have to be generated directly from an approved DRBG, or something like that?

— Mike