IETF Logo Mail Archive

Re: [Cfrg] Adoption request: draft-hdevalence-cfrg-ristretto

Watson Ladd <watsonbladd@gmail.com> Thu, 25 July 2019 05:25 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF67712027F for <cfrg@ietfa.amsl.com>; Wed, 24 Jul 2019 22:25:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.002
X-Spam-Level: ***
X-Spam-Status: No, score=3.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_SUMOF=5, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dQSiPZQs6ABj for <cfrg@ietfa.amsl.com>; Wed, 24 Jul 2019 22:25:37 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44E7F120234 for <cfrg@irtf.org>; Wed, 24 Jul 2019 22:25:37 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id m23so46643743lje.12 for <cfrg@irtf.org>; Wed, 24 Jul 2019 22:25:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uJdcVCa16XTbghi+mM+Gi0Y7JnTXO5f1rjdacod2dks=; b=M68Bgn7rWOrwlfEzz70DJQpREsJEoapKYpagLhOdlKQ1rHInjQuDyHvdhVQo7jMNUX q09E4mNpGU5DRMpOGc0PvcoRzC3NSm61FfJI6sRW/XXDp/CT5+eE7JU2AlDlxyB9BYlG HJSt0xOSR8K5thXJnWj6vC3VO/S7mWCcbQ2XmmM3WOnzJ9KkHQKaW0d6C/OVh8a+qAbi ZlNHrdNtkAHUiJeXxva5wM9drmMwtpbOH1CmCtp04EuVFZS35JKRwuXPCPDjR+foDB9X xeM6tuHYfKOR2d3BFaXxf/9aayfJA4sC33i8zxlH9eMTwanrtMzsJ4vDBtsy5WWOxc6K 2Ung==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uJdcVCa16XTbghi+mM+Gi0Y7JnTXO5f1rjdacod2dks=; b=q9YuH8MUaBdbO+oY3xTZGazdcTHC9iBQTiRhc6Uy9k18UXUXmOlIpoCpgdA6+R5WGN Peu5sgGxOJOsNf3Tt2rEqCoAJFBfXKFRtHD9PdinmauQk4FRzequZaMVolY3Ka3YKSi+ u15yd8NjTJ6McpSijnkI5ZFQ2Zkhln5Izkae1bgcrE8to6ii0CPHjPKIkD+O37C9uNw5 93bRCZnK1nmW3PP9OYWxefilXN4k5NyV0aUeYlQtze9NlFeE3An3vRpLbPcySLsW/SSK JIgj0QHVTueCDEwdq3Z10nw2UcFWRDC2o0/BO5Oa3azoAARXZ+qQet7HTIT4fbRhb9tc k6sA==
X-Gm-Message-State: APjAAAVzFiQtn2IdeMPYQHKvwwwiNxuX0nnby0UEVvZdBZmjJ+9/duxW pBzUngLTSMpk4e4RsPzcL/2ggdTJOM7fgdkeKhw=
X-Google-Smtp-Source: APXvYqxYqaY4zgTv3z+HuDDhrpbQ8H2u4aF4dEU4LH07p5Ux/I5x2P9bYu47Y9LkLXoqohKzdsBCqJh1wqvT96BsnlI=
X-Received: by 2002:a2e:890a:: with SMTP id d10mr45317081lji.145.1564032335369; Wed, 24 Jul 2019 22:25:35 -0700 (PDT)
MIME-Version: 1.0
References: <a505c99b-32a9-447a-9c69-a8efe3ed1b70@www.fastmail.com> <0370cd6b-adf3-4be2-9ab4-79693b9dc096@www.fastmail.com> <B7F73174-29F0-4B83-8AC0-A7D42D372D4A@inf.ethz.ch> <075d43b1-e123-42a9-ccd9-64fe45306f8b@web3.foundation> <20190724212030.ddcswlg5uxm3muzo@positron.jfet.org> <CAPC=aNVCV2cn62rhQsu+RsJsdjt2Dqqw_rqooLsuc8J5v9s3kQ@mail.gmail.com> <20190725004633.l5k7toldcgy7uthb@positron.jfet.org>
In-Reply-To: <20190725004633.l5k7toldcgy7uthb@positron.jfet.org>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 24 Jul 2019 22:25:24 -0700
Message-ID: <CACsn0c=Tx1d-H6-2TRiEHkxz7p+mWPWbwr+SEpV8js3uL=ZVpw@mail.gmail.com>
To: "Riad S. Wahby" <rsw@jfet.org>
Cc: Jack Grigg <ietf@jackgrigg.com>, CFRG <cfrg@irtf.org>, draft-hdevalence-cfrg-ristretto@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/bArxIr74iR6jX_b5JkAkGrpR5hs>
Subject: Re: [Cfrg] Adoption request: draft-hdevalence-cfrg-ristretto
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 05:25:39 -0000

On Wed, Jul 24, 2019 at 5:48 PM Riad S. Wahby <rsw@jfet.org> wrote:
>
> Hi Jack,
>
> Thanks very much for the answers. Can you please help me understand
> a bit more what's going on?
>
> (At the risk of protesting too much, I want to be clear that the
> concerns below are sincere: I really cannot square the claims in
> this thread with the content of the document or my understanding of
> Decaf/Ristretto. As background, I've read the Decaf paper carefully
> and implemented it fully. So I don't think it is much of a stretch
> to suppose that if I can't parse what's going on in this document,
> there are plenty of others out there who won't be able to, either.)
>
> Jack Grigg <ietf@jackgrigg.com> wrote:
> > The ability for ristretto255 implementations to interoperate, despite using
> > different internal representations, is contingent on implementors following
> > the normative requirement that the internal representations are not
> > exposed, or operated on except via the Ristretto APIs. This precludes any
> > mapping from ristretto255 elements to edwards25519 points.
>
> Sorry, I don't understand. Per the rest of your email, DECODE as
> specified in Section 3 is exactly such a mapping. So how am I to
> interpret what you've said above?
>
> Concretely: let's say I want to output the sum of two ristretto255
> points, P1 and P2. To do that, I think I need to do something like this
> (all functions as specified in Section 3):
>
>     P1_decoded = DECODE(P1)
>     P2_decoded = DECODE(P2)
>     Q_decoded = P1_decoded (+) P2_decoded
>     Q = ENCODE(Q_decoded)
>
> The problem is, the document as currently written does not tell me
> how to implement the (+) operator on the third line above. It implies
> that such an operator exists (in Section 3.3), but as far as I can
> tell it does not tell me what it is.
>
> Is it edwards25519 point addition? If so, then I just don't see how
> it can be true that the "internal representation" in Section 3 is
> not an edwards25519 point. (Sure, equality testing is different.
> What else is different? What is the same?)

Let's look at the Decaf paper: The group is E/E[4] for E some curve.
So if you represent with points there is an arbitrary element of E[4]
floating around, and it's an implementation detail what that is
provided you normalize on output. That's the whole story. I would
recommend an algebra book to learn more.

Of course a similar story is common in elliptic curve cryptography.
Any point has multiple projective representations, but the final
normalization obscures this. Likewise one can use any desired
coordinate system or formula for the calculations, provided the right
answer is arrived at for the end.

v2.23.0 | Report a Bug | By Email