Re: [Cfrg] Point format for Edwards curves

Michael Hamburg <mike@shiftleft.org> Mon, 18 May 2015 18:39 UTC


Resending with more information because it didn’t seem to go through last time?

I agree that CFRG really ought to choose a point format sometime soon, and (x,sign y) is as good as any.

If you want to spend complexity to get a point format compatible with the curves draft, please consider the "half-caf" solution, which is related to Jivsov's trick: Montgomery x such that Montgomery y/x is positive, or 0 for the cases Curve25519 would say 0 (i.e. the identity and 2tor points).  Positive means even, or in [0,(p-1)/2], or similar.  The point encoding can be found by replacing (x,y) with (1/x, -y/x^2) if x/y is odd, since this changes the sign of y/x.  No adjustment to the secret scalar is required.

This method quotients out the 2-torsion of the group (or, to be precise, one of the 2-torsion points, in case there's more than one).  This causes no problems with the final output if you clear the cofactor, or use the same encoding for the output, or both.  This means that it can interoperate with the systems in the curves draft, which clear the cofactor (but of course do not use the same encoding for output).

Using this change does mean that if you need to compare two points internally for some reason, and you haven’t cleared the cofactor yet, then you need to compare (in Edwards coordinates) both X:Y:Z and -X:-Y:Z.  (In the decaf version of this you only need to compare X:Y, so it actually makes your equality checker simpler, but I haven’t checked whether that works for half-caf.)  For SPAKE you don’t ever compare points, so this doesn’t matter.

Anyway, I think that this trick is simpler, faster and less stateful than Jivsov’s trick, and it generalizes better to other protocols.

— Mike
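As an added worked example (not code from the message, the draft, or any library), here is the half-caf encoding described above on Curve25519 in Montgomery form v^2 = u^3 + A u^2 + u, taking "positive" to mean "even". The affine addition, square root and the translate-by-(0,0) step are assumed helpers written here to show that P and P+T encode identically and that decoding picks one representative of that pair.

```python
# Curve25519, Montgomery form v^2 = u^3 + A*u^2 + u over GF(p); identity is None.
p = 2**255 - 19
A = 486662

def inv(x):
    return pow(x, p - 2, p)

def sqrt(a):
    # p == 5 (mod 8): candidate a^((p+3)/8), corrected by sqrt(-1) if needed.
    r = pow(a, (p + 3) // 8, p)
    if (r * r - a) % p != 0:
        r = r * pow(2, (p - 1) // 4, p) % p
    return r if (r * r - a) % p == 0 else None

def is_positive(x):
    return x % 2 == 0          # "positive" := even, one of the options in the message

def on_curve(P):
    u, v = P
    return (v * v - (u**3 + A * u * u + u)) % p == 0

def add(P, Q):
    # Textbook affine Montgomery addition/doubling (B = 1); assumed helper.
    if P is None: return Q
    if Q is None: return P
    u1, v1 = P; u2, v2 = Q
    if u1 == u2:
        if (v1 + v2) % p == 0: return None          # P + (-P) = identity
        lam = (3 * u1 * u1 + 2 * A * u1 + 1) * inv(2 * v1) % p
    else:
        lam = (v2 - v1) * inv(u2 - u1) % p
    u3 = (lam * lam - A - u1 - u2) % p
    return (u3, (lam * (u1 - u3) - v1) % p)

def half_caf_encode(P):
    # Identity and the 2-torsion point (0,0) encode as 0, as in Curve25519.
    if P is None or P[0] == 0:
        return 0
    u, v = P
    if not is_positive(v * inv(u) % p):
        u, v = inv(u), (-v * inv(u * u)) % p       # P + (0,0); flips the sign of v/u
    return u                                        # Montgomery x with v/x positive

def half_caf_decode(x):
    if x == 0:
        return None
    v = sqrt((x**3 + A * x * x + x) % p)
    if v is None:
        raise ValueError("x is on the twist, not the curve")
    return (x, v if is_positive(v * inv(x) % p) else (-v) % p)
```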


> On May 17, 2015, at 8:56 PM, Andrey Jivsov <crypto@brainhub.org> wrote:
> 
> On 05/16/2015 03:02 PM, Watson Ladd wrote:
>> Dear all,
>> 
>> I hope to upload version 02 of my SPAKE2 draft soon, however, I was
>> hoping to have points on Ed448Goldilocks and Ed25519 in it. This can't
>> currently happen because we've not decided on a point format for
>> Edwards curves. The existing point formats in the CFRG draft will not
>> work because I need addition. I'm aware this has taken quite a bit of
>> conversation spread out, but something like a little endian y
>> coordinate and sign bit of x doesn't seem to be wrong enough to not
>> put forward.
> 
> The sign bit of T can also be implicit when T=wM+xG in your draft is required to have the positive 't_x' for T={t_x, t_y}  (or "compliant" T). The "encoding" of T can be done very efficiently because the sender chooses a random x.
> 
> https://tools.ietf.org/html/draft-jivsov-ecc-compact-05#section-4.2.3 describes the algorithm for the sum of points.