[Cfrg] Comments on draft-hdevalence-cfrg-ristretto-01
Watson Ladd <watsonbladd@gmail.com> Thu, 25 July 2019 18:17 UTC
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 25 Jul 2019 11:17:14 -0700
Message-ID: <CACsn0cmhYT_JSR+DbQ2kypufahqCfGBECgQ3N0ppiO+oN5380Q@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/_HiDaosztWpQbvdEg1UEYM9DIzk>
Dear all,

I read the draft and don't really have a technical comment so much as a broader organizational comment and perhaps mathematical, verging on philosophical, concerns.

The first thrust of my concerns is that it's always important to understand why calculations take the form they do, and this is missing from the draft. I think the word isogeny (although not quite right: Edwards curves aren't smooth, it's a more complicated thing) really does need to appear, as does an explanation of what the EQUALS routine is doing. Otherwise the routines appear decontextualized and it is difficult to understand why they have to be used in the manner they are.

Given that the draft extends Decaf I'd like to be able to mechanically check the equations for typos and the like and verify the assertions made. I recall there is such a thing floating about, I just don't remember where I saw it.

The draft talks about a group G, and says that we have ENCODING and DECODING maps to this other group G'. G' is of course the twisted Edwards form of Ed25519 aka Curve25519. But what isn't mentioned is what these maps are really doing: G is actually a sort of mysterious combination of a subgroup and a product (and I'm not sure I understand the Decaf paper well enough to say precisely what) and the maps are lifting to elements of G'. So the ENCODING map has a very nontrivial kernel and is squashing the equivalence classes down. The DECODING map sections the ENCODING map. The problem of course is that the group structure on G is left very implicit. What I think should be said explicitly is that you do group operations by DECODING, performing the operations and then ENCODING.

Then there is the question of exposure. I don't understand what is meant by an implementation exposing something. Having used Ed25519 libraries that expose the multiple point representations used for efficient calculation, and taking advantage of that extra exposure, I think the issue is really a protocol level one: if you are using ristretto you should output and input ristretto points, not any internal form, just as internal representations as Jacobian points should never be input and output but used as intermediates in calculations. Perhaps this is the same as Riad's point: I'm not quite sure I understood that one either.

Sincerely,
Watson
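[Editor's worked example, appended to the archived message; it is not code from the draft, from the Decaf/Ristretto authors, from Watson, or from any library.] To make the "decode, operate, encode" rule and the nontrivial kernel of ENCODING concrete, the block below implements the draft's ENCODE, DECODE, EQUALS and SQRT_RATIO_M1 routines as I read them, in plain Python big integers with no attempt at constant time. It takes G' to be Ed25519 in extended coordinates (X, Y, Z, T) with the complete a = -1 addition law from RFC 8032, derives the field constants (d, a square root of -1, 1/sqrt(a - d)) instead of copying them, and uses the Ed25519 base point as the generator, as the draft does. The function and constant names (is_negative, ct_abs, sqrt_ratio_m1, encode, decode, equals, ristretto_add, TORSION_2, TORSION_4) are my own. What it shows: adding the 2-torsion or a 4-torsion point to a point of G', or rescaling its projective coordinates, changes the internal representation but not the encoding, so ENCODE squashes a whole coset down to one 32-byte string; decoding that string and re-encoding returns the same bytes, so DECODE is a section of ENCODE; and the group law on the wire format is decode, add on the curve, encode, with invalid encodings rejected before any arithmetic is done on them.

```python
p = 2**255 - 19
d = (-121665 * pow(121666, p - 2, p)) % p       # Ed25519's curve constant
SQRT_M1 = pow(2, (p - 1) // 4, p)               # a square root of -1 mod p


def is_negative(x):         # draft convention: odd canonical value = negative
    return x % p & 1


def ct_abs(x):
    x %= p
    return (p - x) % p if is_negative(x) else x


def sqrt_ratio_m1(u, v):
    """(was_square, sqrt(u/v)); for non-squares the root of SQRT_M1*u/v."""
    v3 = v * v * v % p
    v7 = v3 * v3 * v % p
    r = u * v3 * pow(u * v7 % p, (p - 5) // 8, p) % p
    check = v * r * r % p
    correct = check == u % p
    flipped = check == (-u) % p
    flipped_i = check == (-u * SQRT_M1) % p
    if flipped or flipped_i:
        r = r * SQRT_M1 % p
    return (correct or flipped), ct_abs(r)


# 1/sqrt(a - d) with a = -1; the encoder needs it only when it rotates.
_, INVSQRT_A_MINUS_D = sqrt_ratio_m1(1, (-1 - d) % p)

# --- G': Ed25519 in extended coordinates (X, Y, Z, T), T = XY/Z ------------
IDENTITY = (0, 1, 1, 0)
TORSION_2 = (0, p - 1, 1, 0)            # the point of order 2
TORSION_4 = (SQRT_M1, 0, 1, 0)          # a point of order 4; 2*T4 = T2


def add(P, Q):
    """Complete twisted-Edwards addition for a = -1 (RFC 8032 formulas)."""
    X1, Y1, Z1, T1 = P
    X2, Y2, Z2, T2 = Q
    A = (Y1 - X1) * (Y2 - X2) % p
    B = (Y1 + X1) * (Y2 + X2) % p
    C = 2 * d * T1 * T2 % p
    D = 2 * Z1 * Z2 % p
    E, F, G, H = B - A, D - C, D + C, B + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)


def basepoint():            # Ed25519 base point (y = 4/5, even x) = generator
    y = 4 * pow(5, p - 2, p) % p
    x2 = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    _, x = sqrt_ratio_m1(x2, 1)
    return (x, y, 1, x * y % p)


# --- G: the ristretto255 group, visible only through its encodings ----------
def encode(P):
    """Canonical 32-byte string of the coset P + E[4]; constant on it."""
    x0, y0, z0, t0 = P
    u1 = (z0 + y0) * (z0 - y0) % p
    u2 = x0 * y0 % p
    _, invsqrt = sqrt_ratio_m1(1, u1 * u2 * u2 % p)
    den1, den2 = invsqrt * u1 % p, invsqrt * u2 % p
    z_inv = den1 * den2 * t0 % p
    if is_negative(t0 * z_inv % p):             # shift by a 4-torsion point
        x, y = y0 * SQRT_M1 % p, x0 * SQRT_M1 % p
        den_inv = den1 * INVSQRT_A_MINUS_D % p
    else:
        x, y, den_inv = x0, y0, den2
    if is_negative(x * z_inv % p):              # shift by the 2-torsion point
        y = -y
    return ct_abs(den_inv * (z0 - y)).to_bytes(32, "little")


def decode(b):
    """One representative of the encoded coset, or None if b is invalid."""
    s = int.from_bytes(b, "little")
    if len(b) != 32 or s >= p or is_negative(s):
        return None
    ss = s * s % p
    u1, u2 = (1 - ss) % p, (1 + ss) % p
    v = (-(d * u1 * u1) - u2 * u2) % p
    was_square, invsqrt = sqrt_ratio_m1(1, v * u2 * u2 % p)
    den_x = invsqrt * u2 % p
    den_y = invsqrt * den_x * v % p
    x = ct_abs(2 * s * den_x)
    y = u1 * den_y % p
    t = x * y % p
    if not was_square or is_negative(t) or y == 0:
        return None
    return (x, y, 1, t)


def equals(P, Q):
    """The draft's EQUALS: true iff P and Q differ by a 4-torsion point."""
    (X1, Y1), (X2, Y2) = P[:2], Q[:2]
    return X1 * Y2 % p == Y1 * X2 % p or Y1 * Y2 % p == X1 * X2 % p


def ristretto_add(a, b):
    """Group law on the wire format: decode, add in G', encode; None if
    either input is not a valid encoding (no arithmetic on such input)."""
    P, Q = decode(a), decode(b)
    if P is None or Q is None:
        return None
    return encode(add(P, Q))
```

encode(basepoint()) can be checked against the draft's test vector for the generator, e2f2ae0a6abc4e71a884a961c500515f58e30b6aa582dd8db6a65945e08d2d76. Note that decode(encode(P)) is in general a different point of G' than P, equal to it only under EQUALS; that is the exposure concern in concrete form, and the reason a protocol should hand out encodings and never coordinates.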