Re: [Cfrg] On why point and APIs formats matter (Re: Submission of curve25519 to NIST from CFRG -> was RE: On "non-NIST")
Nico Williams <nico@cryptonector.com> Thu, 12 March 2015 16:49 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42E1E1A0092 for <cfrg@ietfa.amsl.com>; Thu, 12 Mar 2015 09:49:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.233
X-Spam-Level:
X-Spam-Status: No, score=0.233 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CrsNCQHrt5YT for <cfrg@ietfa.amsl.com>; Thu, 12 Mar 2015 09:49:00 -0700 (PDT)
Received: from homiemail-a74.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 617FB1A0015 for <cfrg@irtf.org>; Thu, 12 Mar 2015 09:49:00 -0700 (PDT)
Received: from homiemail-a74.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a74.g.dreamhost.com (Postfix) with ESMTP id BB64E67C07F; Thu, 12 Mar 2015 09:48:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=y5iAadPgoKs461 0k82kdjRTIkcE=; b=Qoo1p/bJ7fGiylMIb/DI4XqcfGUUu4/iCso+v44uVyCwli JHVue01sqZfyJ6b/e+7DnstQfpXCSbEFYtNkMbOJT54YDGA+WomooSXVAZSB3rZz F10QHgq9nMtB++/mmyBuajpXGHNttmxdrU/nDty/Abj+guQWKjOLLiMhMAQd0=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a74.g.dreamhost.com (Postfix) with ESMTPA id 2B76867C06D; Thu, 12 Mar 2015 09:48:59 -0700 (PDT)
Date: Thu, 12 Mar 2015 11:48:58 -0500
From: Nico Williams <nico@cryptonector.com>
To: Dan Brown <dbrown@certicom.com>
Message-ID: <20150312164857.GV7286@localhost>
References: <20150312114032.6463568.23668.27363@certicom.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150312114032.6463568.23668.27363@certicom.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/ZXkezDLtQIU3kbof63PZ-hRQpBY>
Cc: Viktor Dukhovni <cfrg@irtf.org>
Subject: Re: [Cfrg] On why point and APIs formats matter (Re: Submission of curve25519 to NIST from CFRG -> was RE: On "non-NIST")
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2015 16:49:01 -0000
On Thu, Mar 12, 2015 at 11:40:35AM +0000, Dan Brown wrote: > Anyway, I slightly prefer the old formats, but don't mind adjusting > them on a per curve basis, or perhaps per hash/KDF/signature_alg, if > people say that's easy. [...] The ECDH Curve25519 point representation doesn't work for signatures. That same curve can be used with signatures in the Edwards form, but we're calling it a different curve for this purpose. So Curve25519 has one point representation, and Ed25519 has another, even though they are the same curve. That's fine. (Code duplication here is not a concern: it's either that or point representation conversion code, and either way there's plenty of storage for code like this in most every application. Micro SDcards nowadays are a complete computer, complete with RAM and flash storage for the code run and state kept.) > [...] It kinda precludes an old generic curve > implementation being able to talk Curve25519 with a new > implementation, but maybe that's what's wanted, anyway. Neither that nor the opposite is nor should be a goal. This is icing-on-cake territory. ECC implementations tend to be highly optimized for each curve. Genericity went out the window naturally, and that's OK. Mind you, if someone wants genericity, they can have it: just keep a table of curve point representations and conversions. That's not unlike having codepoint assignments for Oakley MODP groups, just bigger tables, and only slightly more code (after all, there's already a variety of point representations to support generically, as you listed them). It's just not a big deal, but it does mean change for an "old generic curve implementation", but that's not a breaking change. Whereas changing Curve25519's point representation would be a breaking change. Codepoint assignments for standardized groups/curves are a very useful thing from the points of view just about everyone. We then start talking about "groups" and "curves" as the registered objects rather than the mathematical objects -- a small price to pay for the convenience of codepoint assignments. Nico --
- [Cfrg] On why point and APIs formats matter (Re: … Watson Ladd
- Re: [Cfrg] On why point and APIs formats matter (… Nico Williams
- Re: [Cfrg] On why point and APIs formats matter (… Viktor Dukhovni
- Re: [Cfrg] On why point and APIs formats matter (… Dan Brown
- Re: [Cfrg] On why point and APIs formats matter (… James Cloos
- Re: [Cfrg] On why point and APIs formats matter (… Nico Williams
- Re: [Cfrg] On why point and APIs formats matter (… Nico Williams
- Re: [Cfrg] On why point and APIs formats matter (… Salz, Rich
- Re: [Cfrg] On why point and APIs formats matter (… Watson Ladd