Re: [Cfrg] [TLS] Curve25519 in TLS and Additional Curves in TLS

Andrey Jivsov <crypto@brainhub.org> Fri, 24 January 2014 06:31 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 312F11A012A for <cfrg@ietfa.amsl.com>; Thu, 23 Jan 2014 22:31:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ByA808-JTahX for <cfrg@ietfa.amsl.com>; Thu, 23 Jan 2014 22:31:11 -0800 (PST)
Received: from qmta08.emeryville.ca.mail.comcast.net (qmta08.emeryville.ca.mail.comcast.net [IPv6:2001:558:fe2d:43:76:96:30:80]) by ietfa.amsl.com (Postfix) with ESMTP id C6DA21A00FD for <cfrg@irtf.org>; Thu, 23 Jan 2014 22:31:11 -0800 (PST)
Received: from omta06.emeryville.ca.mail.comcast.net ([76.96.30.51]) by qmta08.emeryville.ca.mail.comcast.net with comcast id HiQG1n00316AWCUA8iXAcx; Fri, 24 Jan 2014 06:31:10 +0000
Received: from [192.168.1.8] ([71.202.164.227]) by omta06.emeryville.ca.mail.comcast.net with comcast id HiX91n00W4uhcbK8SiXAUZ; Fri, 24 Jan 2014 06:31:10 +0000
Message-ID: <52E208AD.2020100@brainhub.org>
Date: Thu, 23 Jan 2014 22:31:09 -0800
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Michael Hamburg <mike@shiftleft.org>
References: <87ob3456s1.fsf@latte.josefsson.org> <CABqy+spt7BYqjsqLAkZssGp3aY9M+iLqV+pmyr7ZN-TXmJJpVg@mail.gmail.com> <52E060D0.9030801@polarssl.org> <CABqy+spJoswrPovxf18QS1SGdk6K=mfny6joJm3X24Vh65oagQ@mail.gmail.com> <52E0E241.40406@polarssl.org> <CABqy+sqs31ATDWJSum55m1o5pRvw8Wq5GtB-mF-hgP2emB5eFQ@mail.gmail.com> <CABqy+sozYSOTh7pbUS2GXf=4kYV3zgztXZBa10Bx=s-N8zHHyA@mail.gmail.com> <CABqy+soSojSMfx=yU9eFhmAeuJaJ_r=4h=RDR6JtOchYZ9zsQA@mail.gmail.com> <52E1BAE0.8060809@brainhub.org> <2311ADE0-B85D-4EEA-A675-03ED3735DE1D@shiftleft.org>
In-Reply-To: <2311ADE0-B85D-4EEA-A675-03ED3735DE1D@shiftleft.org>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20121106; t=1390545070; bh=nPqAX+v0hTgxH0ikvkNxVrtdiTodqvWaWMm2XBk+kq0=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=atxXQHVhmdjXvaALCo4pyoauXS/c5QYukVgGzhS6t23u+A17gTLQc1yW1EPWl4EP0 trQsSO5sUtGO1lilN04353SBK6OdeE3rwGxmBDQvhuCJ54hS/uFP81coZO3KuZJ/QQ 9BnYCsPkfx5tmAiw7f6jkMIC1hcD37uYRGyn9Wu2WSaZ/d/2mFoDiNdvF9u4PYsmev psVIZevHldZU1jrVbwQxWEq8s9HIbHb1QLZph2dnG7vNaWZ4kWfoqkHpRj6ctJgKWa JVgDIDPIShwyrgqIVXumJNg/Q5/AEfpYqSQ+9IU14Sush51gpGUYg/rGKOM6Ps0Sr9 H2aK1IeyvRelg==
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] [TLS] Curve25519 in TLS and Additional Curves in TLS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2014 06:31:14 -0000

On 01/23/2014 06:08 PM, Michael Hamburg wrote:
> On Jan 23, 2014, at 4:59 PM, Andrey Jivsov <crypto@brainhub.org> wrote:
>>
>> Wouldn't http://tools.ietf.org/html/draft-jivsov-ecc-compact be another method?
>>
>> Traditionally the problem was solved by carrying 1 bit and then finding a place to fit it in and defining what it means, etc. There is another way. One can adjust the private key to make the coordinate that we drop, x in this case, be the smallest of the two possibilities.
>>
>> The nice feature of my proposal is that you can still also encode the bit if you wish so, as you proposed.
>
> This is interesting, but I think it works better with the Edwards x-coordinate instead of the Montgomery y-coordinate.  That is, it applies well to Watson’s (Montgomery x, Edwards x) representation.  This is because not every point you might want to transmit is a public key; it might be the product of something which does not support an easy negation, such as PAKE.  In this case, with your proposal, implementers have to send the sign bit, and we have two wire formats again.  But if the Edwards x-coordinate is used, you can also fast-adjust by adding the point of order 2, which maps EdX to -EdX.  (It maps EdY to -EdY and MontX to 1/MontX.)  If the protocol wipes out the cofactor (almost every protocol does for security reasons), then this is more likely to be acceptable than negating the point.
>
> Then again, any discussion like this is fraught with issues about alternative encodings for non-wire formats, implementation compatibility, uniqueness, covert channels, etc.  Might take some hashing out.
>
> Cheers,
> — Mike
>

It seems to me that it will be possible to find an option to tweak the 
private scalar in more complex protocols, while making this an internal 
adjustment.

For example, in
http://tools.ietf.org/search/draft-irtf-cfrg-dragonfly-02#page-10

the PE is never sent out, so its generation doesn't change.

The Element is a point, which is very similar to a public key for our 
purpose. The Element is sent to the other peer and it needs to be 
"compliant". The element is generated from a random mask and PE; thus 
the mask can be adjusted appropriately so that the Element is 
"compliant" (then the 'scalar' is calculated with the appropriately 
adjusted mask).