Re: [Cfrg] Point format for Edwards curves

Nico Williams <nico@cryptonector.com> Mon, 18 May 2015 15:49 UTC

Date: Mon, 18 May 2015 10:49:41 -0500
From: Nico Williams <nico@cryptonector.com>
To: Andrey Jivsov <crypto@brainhub.org>
Message-ID: <20150518154940.GJ7287@localhost>
References: <CACsn0cmBpyHsG4YVwND7+TXe6nf5v9+w6qZ9Daqr+PKMSG-SYA@mail.gmail.com> <555962E4.9000909@brainhub.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <555962E4.9000909@brainhub.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/YxHnwtUj0uhWev-zHEingsz9gWA>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Point format for Edwards curves

On Sun, May 17, 2015 at 08:56:20PM -0700, Andrey Jivsov wrote:
> On 05/16/2015 03:02 PM, Watson Ladd wrote:
> >I hope to upload version 02 of my SPAKE2 draft soon, however, I was
> >hoping to have points on Ed448Goldilocks and Ed25519 in it. This can't
> >currently happen because we've not decided on a point format for
> >Edwards curves. The existing point formats in the CFRG draft will not
> >work because I need addition. I'm aware this has taken quite a bit of
> >conversation spread out, but something like a little endian y
> >coordinate and sign bit of x doesn't seem to be wrong enough to not
> >put forward.

Sure.

> The sign bit of T can also be implicit when T=wM+xG in your draft is
> required to have the positive 't_x' for T={t_x, t_y}  (or
> "compliant" T). The "encoding" of T can be done very efficiently
> because the sender chooses a random x.

Even better.

> https://tools.ietf.org/html/draft-jivsov-ecc-compact-05#section-4.2.3
> describes the algorithm for the sum of points.

There's a timing variation, but it's entirely to do with the sums of
randomly selected points, not the fixed point derived from the password,
which means there's no side channel.  Very nice.

Nico
--
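As an added example (not from this thread or from any draft it cites), the "little-endian y plus sign bit of x" format Watson proposes and the "compliant T" trick Andrey describes, worked out on Ed25519 in Python with the RFC 8032 parameters; the SPAKE2 constant M is not reproduced, so the hypothetical `offset` argument stands in for the wM term, and the arithmetic is plain affine double-and-add rather than anything constant-time.

```python
import secrets
# Ed25519 (RFC 8032): -x^2 + y^2 = 1 + d x^2 y^2 over GF(p); not constant time, the format is the point here
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
d = -121665 * pow(121666, -1, p) % p
SQRT_M1 = pow(2, (p - 1) // 4, p)                   # sqrt(-1) mod p, since p = 5 mod 8

def add(P, Q):
    """Affine twisted-Edwards addition: the operation the SPAKE2 draft needs for wM + xG."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p
    return x3, y3

def scalar_mult(k, P):
    R = (0, 1)                                       # neutral element
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def recover_x(y, sign):
    """x^2 = (y^2 - 1)/(d y^2 + 1); the (p+3)/8 exponent gives sqrt(x2) or sqrt(-x2)."""
    x2 = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * SQRT_M1 % p
    if (x * x - x2) % p:
        raise ValueError("no point on the curve has this y")
    return x if x & 1 == sign else p - x

def encode(P):  # little-endian y, with the low bit of x (the "sign") in bit 255
    return (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")

def decode(b):  # inverse: low 255 bits are y, bit 255 selects which root is x
    v = int.from_bytes(b, "little")
    y = v & ((1 << 255) - 1)
    return recover_x(y, v >> 255), y

B = decode(bytes.fromhex("58" + "66" * 31))          # standard base point G (y = 4/5, x even)

def compliant_point(offset=(0, 1), rand=secrets.randbelow):
    """Resample x until T = offset + xG has even ("positive") x; T then needs no sign bit.
    The loop count depends only on the random x, never on the password-derived offset."""
    while True:
        k = rand(L)
        T = add(offset, scalar_mult(k, B))
        if T[0] & 1 == 0:
            return k, T
```

A production decoder additionally rejects y >= p and the encoding with x = 0 and the sign bit set, as RFC 8032 requires; both checks are left out here to keep the format itself in view.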