IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - curve form and coordinate systems

Michael Hamburg <mike@shiftleft.org> Fri, 13 March 2015 22:26 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 275591A8A01 for <cfrg@ietfa.amsl.com>; Fri, 13 Mar 2015 15:26:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.565
X-Spam-Level: *
X-Spam-Status: No, score=1.565 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_TVD_FUZZY_SECURITIES=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5G_Mm1loq6uq for <cfrg@ietfa.amsl.com>; Fri, 13 Mar 2015 15:26:45 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E86DE1A6FEC for <cfrg@irtf.org>; Fri, 13 Mar 2015 15:26:44 -0700 (PDT)
Received: from [10.184.148.249] (unknown [209.36.6.242]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id A4F9C3AA41; Fri, 13 Mar 2015 15:23:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1426285426; bh=S+koHhvjXZesgrCWJKBRWaLJHchfiwUA1Lcr+fl+3p0=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=gwYIpKlDgRmg/zndWZe3TuG9A2OdC7VMkIJyEutaP1xDsi03JS791pBxkK/YQYMC4 2shY9iHZKi2wxbsDeEddadrbXCU6CPyrublwujs0Zw3tQigRSPjpdd/M8nHh4L1I3v E3wVeKfUpZPemM9VvGctF4VsSQJemVZtoNE7xZD8=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2087\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <55034DAB.9010800@brainhub.org>
Date: Fri, 13 Mar 2015 15:26:42 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <1ACEA3CD-029A-40D2-A05E-C1B5DDF2E7C0@shiftleft.org>
References: <54F8E735.2010202@isode.com> <5501E6A5.5040608@brainhub.org> <5502D58F.3030806@rwth-aachen.de> <5502F920.5050505@gmail.com> <20150313163336.GA3479@localhost> <55032259.5090704@brainhub.org> <A6F30412-8E0A-4D8D-9F26-580307B46874@shiftleft.org> <55034DAB.9010800@brainhub.org>
To: Andrey Jivsov <crypto@brainhub.org>
X-Mailer: Apple Mail (2.2087)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/V8ehq1dhrcN_okC6mu4YwoyjqD8>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2015 22:26:46 -0000

I just realized that this is attached to a poll which supposedly just ended.  That said, does anyone want to change their input to the poll?

I personally am still happy with Montgomery u for ECDH.  For non-ECDH, we can discuss further since that’s not what the poll is about, but I still prefer u with an implicit or explicit sign bit.

— Mike

PS: In my earlier email with implicit sign bit, I wrote “invert x if y isn’t positive” which of course should be “invert x if y/x isn’t positive”.

> On Mar 13, 2015, at 1:50 PM, Andrey Jivsov <crypto@brainhub.org> wrote:
> 
> When proposing uncompressed form of a point I recognize that diverse applications have opposite requirements regarding storage/computational efficiency. One way to come closer to pleasing everybody is the following:
> 
> * CFRG defines the canonical point representation as (u,v) u in Montgomery form, v=SQRT(u^3 + 486662*u^2 + u). (v might be in any other form to avoid the SQRT for the recipient.) This is a 64 byte octet string, always padded, on the wire.
> 
> * Define the compressed version as u, done with e.g. memcpy( dest_u, src_uv, is_compressed ? 32 : 64 ). In other words, the compression is done by the non-crypto code. This is easy for ECDH applications. For non-ECDH -- use "my trick" (in public domain since 2013 whatever I "invented", if any), or don't adopt the compressed form.
> 
> With this approach the support for compression and uncompressed input doesn't require changes to existing single-format APIs. The compression is trivially done outside of crypto API. The decompression is handled by the existing API (presumably by an import function), which knows that if the input is 32 bytes -- the (non-Montgomery) implementation will need to recover the second half, otherwise, it is importing a point in canonical representation.
> 
> * Each protocol selects a single format: either (u) or (u,v). I believe TLS/PKI should do (u,v). Storage security, esp. cases of encrypting to multiple recipients, bandwidth-constrained or memory-constrained applications, or keys entered by humans will prefer (u).

v2.23.0 | Report a Bug | By Email