IETF Logo Mail Archive

Re: [CFRG] compact representation and HPKE

Dan Harkins <dharkins@lounge.org> Sat, 07 November 2020 00:44 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCE7B3A0E52 for <cfrg@ietfa.amsl.com>; Fri, 6 Nov 2020 16:44:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.146
X-Spam-Level:
X-Spam-Status: No, score=-2.146 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.247, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HfnpQ2CBQOre for <cfrg@ietfa.amsl.com>; Fri, 6 Nov 2020 16:44:31 -0800 (PST)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C73373A0E4F for <cfrg@irtf.org>; Fri, 6 Nov 2020 16:44:31 -0800 (PST)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QJE15XILI279K@wwwlocal.goatley.com> for cfrg@irtf.org; Fri, 06 Nov 2020 18:44:31 -0600 (CST)
Received: from blockhead.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QJE00LEBI0YM4@trixy.bergandi.net> for cfrg@irtf.org; Fri, 06 Nov 2020 16:43:47 -0800 (PST)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO blockhead.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Fri, 06 Nov 2020 16:43:47 -0800
Date: Fri, 06 Nov 2020 16:44:29 -0800
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <5C12F8B7-99E2-40DA-8A3C-8930E652C77F@shiftleft.org>
To: cfrg@irtf.org
Message-id: <99c28b97-332d-af67-0895-a1bd251153bb@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_jEqsUVj1prQKxEgswaLfMw)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO blockhead.local)
References: <0fcfb0ed-249b-7cd3-09ba-ed1c73122383@lounge.org> <4C4DE4EC-1A5B-48F5-871E-B7D323EF63D5@ericsson.com> <CAL02cgQFGcWjpFV1nFVg2T3aCat6U-uuzUQ_YsUYLHvQq+ZuiQ@mail.gmail.com> <5C12F8B7-99E2-40DA-8A3C-8930E652C77F@shiftleft.org>
X-PMAS-Software: PreciseMail V3.3 [201104a] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/dINiC7L1hBSbgBq_dIW5bIF_lVY>
Subject: Re: [CFRG] compact representation and HPKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Nov 2020 00:44:34 -0000

   Yes, this is exactly right. The y-coordinate is not needed for these KEMs
as the sign is unimportant.

   The spec will be simpler and the interface more uniform if you do this.

   The whole point of HPKE is to make a callable API out of this process 
that
had been done ad hoc. Requiring a app that is taking advantage of this API
to take the output of the API and parse through it, throwing away one half
of one of the output strings and lopping off the first octet, is defeating
the whole purpose and is expecting a lot. The more this is a black box the
better.

   regards,

   Dan.

On 11/6/20 3:19 PM, Mike Hamburg wrote:
> Hello Richard,
>
> I haven’t paid much attention to HPKE, so it’s likely I’m missing 
> something here, but why not use the x-only Montgomery ladder on NIST 
> curves?  That’s the fastest and simplest approach, and it can operate 
> with or without the y-coordinates.
>
> Also, some implementations do not compute both the x- and 
> y-coordinates, and it would be more convenient not to compute or send 
> even a sign bit if you’re intending to use an x-only ladder.
>
> Cheers,
> — Mike
>
>> On Nov 6, 2020, at 10:19 PM, Richard Barnes <rlb@ipv.sx 
>> <mailto:rlb@ipv.sx>> wrote:
>>
>> Nothing about this says that you have to *send* the keys 
>> uncompressed.  You can use whatever representation you want on the 
>> wire.  You just have to decompress them before you put them into the 
>> key schedule. Which you're probably doing anyway, because you need 
>> both coordinates to do point multiplication with these curves.  So I 
>> am inclined not to make this change.
>>
>> --Richard
>>
>> On Fri, Nov 6, 2020 at 4:52 PM John Mattsson 
>> <john.mattsson=40ericsson.com@dmarc.ietf.org 
>> <mailto:40ericsson.com@dmarc.ietf.org>> wrote:
>>
>>     +1
>>
>>     Sending the keys uncompressed makes HPKE unsuitable for
>>     constrained IoT.
>>
>>     -----Original Message-----
>>     From: CFRG <cfrg-bounces@irtf.org <mailto:cfrg-bounces@irtf.org>>
>>     on behalf of Dan Harkins <dharkins@lounge.org
>>     <mailto:dharkins@lounge.org>>
>>     Date: Friday, 6 November 2020 at 21:00
>>     To: CFRG <cfrg@irtf.org <mailto:cfrg@irtf.org>>
>>     Subject: [CFRG] compact representation and HPKE
>>
>>        Hello,
>>
>>        When doing a DH-based KEM with the NIST curves, HPKE specifies
>>     that
>>     SerializePublicKey and DeserializePublicKey use the uncompressed
>>     format
>>     from SECG. This ends up using 2*Ndh+1 octets to represent the serial
>>     form of the public key.
>>
>>        Since compact output is being used in DH-based KEMs-- that is, the
>>     secret result of DH() is the x-coordinate of the resulting EC point--
>>     it would also be possible to use compact representation (per RFC
>>     6090)
>>     and have SerializePublicKey merely do integer-to-octet string
>>     conversions of the x-coordinate. DeserializePublicKey would then
>>     do octet string-to-integer conversion for the x-coordinate and
>>     use the
>>     equation of the curve to choose the y-coordinate. The sign isn't
>>     important because we're doing compact output.
>>
>>        This would make the interface for the NIST curves and the
>>     Bernstein
>>     curves be uniform-- Serialize would produce an octet string of Ndh
>>     and Deserialize would consume an octet string of Ndh-- at the cost
>>     of some CPU inside DeserializePublicKey.
>>
>>        Please consider this suggestion.
>>
>>        regards,
>>
>>        Dan.
>>
>>     -- 
>>     "The object of life is not to be on the side of the majority, but to
>>     escape finding oneself in the ranks of the insane." -- Marcus
>>     Aurelius
>>
>>     _______________________________________________
>>     CFRG mailing list
>>     CFRG@irtf.org <mailto:CFRG@irtf.org>
>>     https://protect2.fireeye.com/v1/url?k=513cd874-0ea7e231-513c98ef-867b36d1634c-ce26b08a2499b9a3&q=1&e=4f2b4ce0-8d52-4a80-b41e-0f7537355d35&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg
>>
>>     _______________________________________________
>>     CFRG mailing list
>>     CFRG@irtf.org <mailto:CFRG@irtf.org>
>>     https://www.irtf.org/mailman/listinfo/cfrg
>>
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org <mailto:CFRG@irtf.org>
>> https://www.irtf.org/mailman/listinfo/cfrg
>
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

v2.23.0 | Report a Bug | By Email