Re: [CFRG] compact representation and HPKE
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 12 February 2021 22:11 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D9D93A0FEC for <cfrg@ietfa.amsl.com>; Fri, 12 Feb 2021 14:11:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id acsCI7SjApO6 for <cfrg@ietfa.amsl.com>; Fri, 12 Feb 2021 14:11:30 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F9613A0FEB for <cfrg@irtf.org>; Fri, 12 Feb 2021 14:11:28 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id BB11FBFAB; Fri, 12 Feb 2021 22:11:25 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9c2gJP2FNNmx; Fri, 12 Feb 2021 22:11:16 +0000 (GMT)
Received: from [10.244.2.119] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 5ED28BFBA; Fri, 12 Feb 2021 22:11:16 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1613167876; bh=1c1Rb8HkWMCjAculjtwVKFkJAK1+X2DovhKAyOyoi7I=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=S1cXYTDzlapScFhYPjoDVx+ykhhEfWPnfaKUeWyWKVrlydzbWedaZ4IpTudjD28oT /OBFUofJfi8jI85PTepKMjXK+SdPK3rL1qp5vjyigGZ4eTiEZOiQmeVqiQQ4Boy5Sz ic6fHm/AAHgXTBEsOxyURKfKVI1bXYitxJl87LIg=
To: Dan Harkins <dharkins@lounge.org>, Eric Rescorla <ekr@rtfm.com>
Cc: CFRG <cfrg@irtf.org>
References: <0fcfb0ed-249b-7cd3-09ba-ed1c73122383@lounge.org> <CABcZeBMGJQ7sAKovy3japXVVLWRB8ydpsDzZxhijvFCtXptsZQ@mail.gmail.com> <b7bd5286-ccc1-c753-9d09-c647619581b5@lounge.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <e09c73e0-27f4-cfdc-efab-3cdb8686d5b0@cs.tcd.ie>
Date: Fri, 12 Feb 2021 22:11:14 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.1
MIME-Version: 1.0
In-Reply-To: <b7bd5286-ccc1-c753-9d09-c647619581b5@lounge.org>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="1Od7YrAcXf5tajMYYqoQTgLRlXVwHeiGm"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Lpx6UsJut4DCQLLqE0KAnjJUJbc>
Subject: Re: [CFRG] compact representation and HPKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Feb 2021 22:11:34 -0000
Hiya, On 12/02/2021 22:00, Dan Harkins wrote: > > On 2/12/21 1:10 PM, Eric Rescorla wrote: >> As I understand it, the competing values here are: >> >> (1) A technically superior approach (x-coordinate only) >> (2) Consistency with existing uses of these curves (e.g., in TLS 1.3, >> which uses x-coordinate-only form for CFRG curves but uncompressed >> form for NIST curves). >> >> Assuming I understand this correctly, I think I value consistency >> more, especially in light of the fact that we are encouraging people >> to move to CFRG curves anyway, which are already in the technically >> superior form. I need to check (and haven't) but IIRC for an earlier draft I had a problem that the OpenSSL APIs didn't support the compressed form for NIST curves, so it'd have been both a PITA to use those and would mean you could do HPKE with a FIPS compliant implementation IIUC. (Note: I could be recalling wrong, and if so, apologies, but if not...) for me, this isn't a case of encouraging cfrg curves but rather one of enabling simpler and more broad implementation. Cheers, S. > > I see. So we go with the technically inferior approach, in order to > "encourage people > to move to the CFRG curves." > > That's akin to "the beatings will continue until moral improves" and > I don't think > that's what we're supposed to be doing here. > > We should go with the "technically superior approach", especially > when that results > in a cleaner and more consistent API for HPKE. > > Dan. > >> -Ekr >> >> >> >> On Fri, Nov 6, 2020 at 12:00 PM Dan Harkins <dharkins@lounge.org >> <mailto:dharkins@lounge.org>> wrote: >> >> >> Hello, >> >> When doing a DH-based KEM with the NIST curves, HPKE specifies >> that >> SerializePublicKey and DeserializePublicKey use the uncompressed >> format >> from SECG. This ends up using 2*Ndh+1 octets to represent the serial >> form of the public key. >> >> Since compact output is being used in DH-based KEMs-- that is, the >> secret result of DH() is the x-coordinate of the resulting EC point-- >> it would also be possible to use compact representation (per RFC >> 6090) >> and have SerializePublicKey merely do integer-to-octet string >> conversions of the x-coordinate. DeserializePublicKey would then >> do octet string-to-integer conversion for the x-coordinate and use >> the >> equation of the curve to choose the y-coordinate. The sign isn't >> important because we're doing compact output. >> >> This would make the interface for the NIST curves and the >> Bernstein >> curves be uniform-- Serialize would produce an octet string of Ndh >> and Deserialize would consume an octet string of Ndh-- at the cost >> of some CPU inside DeserializePublicKey. >> >> Please consider this suggestion. >> >> regards, >> >> Dan. >> >> -- "The object of life is not to be on the side of the >> majority, but to >> escape finding oneself in the ranks of the insane." -- Marcus >> Aurelius >> >> _______________________________________________ >> CFRG mailing list >> CFRG@irtf.org <mailto:CFRG@irtf.org> >> https://www.irtf.org/mailman/listinfo/cfrg >> > > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE John Mattsson
- Re: [CFRG] compact representation and HPKE Richard Barnes
- Re: [CFRG] compact representation and HPKE Mike Hamburg
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE John Mattsson
- Re: [CFRG] compact representation and HPKE Michael Scott
- Re: [CFRG] compact representation and HPKE Michael Scott
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Benjamin Beurdouche
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Loup Vaillant-David
- Re: [CFRG] compact representation and HPKE Eric Rescorla
- Re: [CFRG] compact representation and HPKE Christopher Wood
- Re: [CFRG] compact representation and HPKE Paul Hoffman
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Stephen Farrell
- Re: [CFRG] compact representation and HPKE Eric Rescorla
- Re: [CFRG] compact representation and HPKE Stephen Farrell
- Re: [CFRG] compact representation and HPKE Andrey Jivsov
- Re: [CFRG] compact representation and HPKE Mike Hamburg
- Re: [CFRG] compact representation and HPKE Mike Hamburg
- Re: [CFRG] compact representation and HPKE Loup Vaillant-David
- Re: [CFRG] compact representation and HPKE Salz, Rich
- Re: [CFRG] compact representation and HPKE Mike Hamburg
- Re: [CFRG] compact representation and HPKE Stephen Farrell
- Re: [CFRG] compact representation and HPKE Peter Gutmann
- Re: [CFRG] compact representation and HPKE John Mattsson
- Re: [CFRG] compact representation and HPKE Benjamin Lipp
- Re: [CFRG] compact representation and HPKE John Mattsson
- Re: [CFRG] compact representation and HPKE Mike Hamburg
- Re: [CFRG] compact representation and HPKE Salz, Rich
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Karthik Bhargavan
- Re: [CFRG] compact representation and HPKE Richard Barnes
- Re: [CFRG] compact representation and HPKE Eric Rescorla
- Re: [CFRG] compact representation and HPKE Benjamin Beurdouche
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Billy Brumley
- Re: [CFRG] compact representation and HPKE Stanislav V. Smyshlyaev
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Stanislav V. Smyshlyaev
- Re: [CFRG] compact representation and HPKE John Mattsson
- Re: [CFRG] compact representation and HPKE denis bider