IETF Logo Mail Archive

Re: [Cfrg] Point format for Edwards curves

Andrey Jivsov <crypto@brainhub.org> Wed, 20 May 2015 06:20 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7C4E1A020A for <cfrg@ietfa.amsl.com>; Tue, 19 May 2015 23:20:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.999
X-Spam-Level: **
X-Spam-Status: No, score=2.999 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, GB_SUMOF=1, J_CHICKENPOX_12=0.6, J_CHICKENPOX_51=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J9k1u9svCfFr for <cfrg@ietfa.amsl.com>; Tue, 19 May 2015 23:20:18 -0700 (PDT)
Received: from resqmta-po-05v.sys.comcast.net (resqmta-po-05v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:164]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C536A1A0204 for <cfrg@irtf.org>; Tue, 19 May 2015 23:20:18 -0700 (PDT)
Received: from resomta-po-18v.sys.comcast.net ([96.114.154.242]) by resqmta-po-05v.sys.comcast.net with comcast id W6LJ1q0035E3ZMc016LJe4; Wed, 20 May 2015 06:20:18 +0000
Received: from [192.168.1.2] ([71.202.164.227]) by resomta-po-18v.sys.comcast.net with comcast id W6LF1q0094uhcbK016LGyu; Wed, 20 May 2015 06:20:18 +0000
Message-ID: <555C279F.90003@brainhub.org>
Date: Tue, 19 May 2015 23:20:15 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
References: <CACsn0cmBpyHsG4YVwND7+TXe6nf5v9+w6qZ9Daqr+PKMSG-SYA@mail.gmail.com> <555962E4.9000909@brainhub.org> <20150518154940.GJ7287@localhost> <CACsn0ckFWGEKC7qjuh-U=EY5w_Cr9qkFwipk3YS_14-Vmv4OXQ@mail.gmail.com> <555A6489.2010509@brainhub.org> <20150519232415.GA19183@localhost>
In-Reply-To: <20150519232415.GA19183@localhost>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1432102818; bh=3I//nmZFzWVYfDn1phQkAJm/vBg0u0Ex/CtByJF44ZE=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=R3nM3ztvBclzXQqoT0mRN3eSsj7zQBOeVh3w418I+psHok7ts7m+WeQ5xWD4JAD8E tZZfXDUaSXqlyU9uAikQmrLPhjZFGtbECgaCyiYJZLvChMYxUOCwI/5wuBd+hC3a+u Jihyr8f96T2XHt3HANscW616fBSYcn35+bk+nNqd60aV5sLIMXRKH+BnMSWxfhkbrO CUorcFSkCjER4/p+yMUu9DPSKHke9md+DBypNpNw+ccupyuxrw2Ls0Xn+AQ7Fe5ydT iaB1bcjZF18/8LPrYSH/BmjWEcgf90h3C90Kxa7mHtjQe6RcopUc0eaw4M1jYhb3n4 rTNBldaVTIOvA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/O47CLT-HfsfXxnucI2_XjgWkrq0>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Point format for Edwards curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 May 2015 06:20:21 -0000

On 05/19/2015 04:24 PM, Nico Williams wrote:
> On Mon, May 18, 2015 at 03:15:37PM -0700, Andrey Jivsov wrote:
>> On 05/18/2015 09:57 AM, Watson Ladd wrote:
>>>>> https://tools.ietf.org/html/draft-jivsov-ecc-compact-05#section-4.2.3
>>>>> describes the algorithm for the sum of points.
>>>
>>> And this proposal will not work with batchable signature schemes.
>>> It also never gets to the byte level.
>>
>> Can you please elaborate?
>>
>> I assume that:
>> * these schemes include a (long-term) public key and thus
>> https://tools.ietf.org/html/draft-jivsov-ecc-compact-05#section-4.2.2
>> works.
>> * If you are talking about r in {r,s}, this method actually helps
>> because r=(kG)_x can be made equivalent to R=kG using the same
>> method (making ECDSA==ECDSA*==ECDSA#).
>
> If the signature scheme is deterministic and we're using something like
> r = H(key1, M) then this doesn't work.  We could add a small delta input
> to the derivation of r, but this then makes the system have a timing
> leak.  The iterations needed to find a suitable delta could be quite a
> few as first we need to derive a suitable R, then a suitable S.

S is an integer in ECDSA.

The number of trails until the first success of generating a "compliant" 
R is 2 with a "black box" or with additions, but this is the worst case. 
Algorithms like ECDSA would only need a simple and deterministic r := 
order-r, on average for every other R=rG. This saves the check later 
regarding whether the second coordinate is to be encoded with 0 or 1 
(but order-r or order<r are tiny steps).

> Where timing leaks are unimportant (e.g., an off-line CA) this makes a
> nice compression scheme, compressing public keys and signatures.  But as
> a part of a general purpose deterministic signature scheme this won't
> do.  It would work for a randomized signature scheme, but it would trade
> off signature size for other things (e.g., signing gets slower).

I don't think there is a concern about leakage of 0.5 bit because we 
base the decision on public information, e.g. the sign of y. r and 
order-r have the same amount of entropy, or, equivalently, (x,y) is as 
strong as (x,-y).

If I only generate a key in a deterministic way (a very uncommon 
operation), the implicit encoding of y cannot work. The only case where 
this may be needed, as noted by Watson, is for batchable ECDSA# with 
deterministic r in R=rG of {R, s}. Long-term ECDSA# public keys, just as 
ECDSA keys, are not affected. (The same applies to EdDSA). The other 
example I knew about but thought it was not worth mentioning even though 
there is a software product that does this, is generation of public key 
pairs from unsalted passwords.

>
> Watson's proposal for point encoding for addition works for me.
>
> Nico
>

v2.23.0 | Report a Bug | By Email