IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - curve form and coordinate systems

Jakob Breier <Jakob.Breier@rwth-aachen.de> Fri, 13 March 2015 17:39 UTC

Return-Path: <Jakob.Breier@rwth-aachen.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 762491A1A6A for <cfrg@ietfa.amsl.com>; Fri, 13 Mar 2015 10:39:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.738
X-Spam-Level:
X-Spam-Status: No, score=-2.738 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01, URI_HEX=1.122] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P6-dEJVyZQmx for <cfrg@ietfa.amsl.com>; Fri, 13 Mar 2015 10:39:41 -0700 (PDT)
Received: from mx-out-1.rwth-aachen.de (mx-out-1.rwth-aachen.de [134.130.5.186]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 390711A01A9 for <cfrg@irtf.org>; Fri, 13 Mar 2015 10:39:41 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.11,396,1422918000"; d="scan'208";a="378561923"
Received: from hub2.rwth-ad.de (HELO mail.rwth-aachen.de) ([134.130.26.143]) by mx-1.rz.rwth-aachen.de with ESMTP; 13 Mar 2015 18:39:39 +0100
Received: from [192.168.1.2] (78.49.65.19) by mail.rwth-aachen.de (134.130.26.143) with Microsoft SMTP Server (TLS) id 14.3.224.2; Fri, 13 Mar 2015 18:39:39 +0100
Message-ID: <550320DA.2030604@rwth-aachen.de>
Date: Fri, 13 Mar 2015 18:39:38 +0100
From: Jakob Breier <Jakob.Breier@rwth-aachen.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Rene Struik <rstruik.ext@gmail.com>, cfrg@irtf.org
References: <54F8E735.2010202@isode.com> <5501E6A5.5040608@brainhub.org> <5502D58F.3030806@rwth-aachen.de> <5502F920.5050505@gmail.com>
In-Reply-To: <5502F920.5050505@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-PMWin-Version: 3.1.3.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/dlms0Ro4hcVckujTDmugKaH6E4k>
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2015 17:39:44 -0000

Hey Rene,

thanks for your reply. I was well aware of the distinction between a) 
and b). The implicit argument, which I did not spell out unfortunately, 
was that

1. It's desirable to have as few point formats for a curve as possible 
(KISS rule). Elliptic curve cryptography might be a mess already, but if 
we never start simplifying things, it will still be a mess in 20 years. 
I'd like to be able to point people to the new IETF curves when the CFRG 
is through and tell them "use these curves / point formats (and if 
possible only those) and life will be as easy as ECC can get". A 
separate x-coordinate-only format for Montgomery multiplication is worth 
it in my opinion because of the implementation simplicity it affords, 
but having an additional compressed format is probably not.

2. Implementers will likely not go through the hassle of adding an 
additional compressed point format, but instead use the wire format they 
have to support. I'd like to be proven wrong on this, though.
As evidence I point to the OpenSSH key formats. They could already have 
used compressed points with nistp256 and, as far as I can tell, OpenSSL 
as well as the chosen storage format even supports them (the latter of 
which you have pointed out - thanks btw, I didn't recognize that 
before). But they only switched when they were forced to move away from 
OpenSSL to support Ed25519 and imported the SUPERCOP implementation [1] 
which *only* supports compressed points [2]. So only having one "right" 
format apparently did make the difference between having nice user 
facing point formats or not.

Please note however, that all the points I've made so far are second 
order arguments. While I would love to finally have short asymmetric 
keys, the far more important aspect for me is to assert that 
implementers cannot screw up point validation. And point compression 
seems to be necessary towards that end. I'll not rehash the reasons why 
implementers cannot be entrusted with such an easy step as plugging 
variables into an equation - this has already been amply discussed on 
this list and those reasons either convince you already, or don't.

I've only brought up the "human bandwidth" line of reasoning (which I 
nonetheless find significant) and caused the associated extra noise, 
because I'm afraid that point validation alone does not swing the tide 
towards compressed points.

Best regards,
Jakob Breier

[1] 
https://lists.mindrot.org/pipermail/openssh-unix-dev/2013-December/031871.html
[2] See e.g. the python implementation 
http://ed25519.cr.yp.to/python/ed25519.py , especially encodepoint and 
decodepoint.


On 13.03.2015 15:50, Rene Struik wrote:
> Hi Jakob:
>
> This confuses different discussions:
>
> a) use of public key in computations.
> Here, Andrey Jivsov's point was that receipt of a full point (x,y) on 
> a curve, rather than a compressed point or simply the x-coordinate, 
> does not artificially impose a performance penalty on all 
> implementations except x-coordinate-only ones (Montgomery).
> b) representation of public key in white list.
> Here, one can use many methods to map a public key Q to a condensed 
> (perhaps, even human-recognizable) format f(Q).
> This condensed format could take the form affine format curve point, 
> compressed format, hash, leftmost n-octets, hash value, etc.
>
> My own take:
>
> Ad a):
> I fully agree with Andrey Jivsov's point and think using x-coordinate 
> only representations imposes a "moat" around ECC implementations, by 
> imposing a levy on all implementations that, for whatever reason, may 
> want to use something else than Montgomery arithmetic. {Please note 
> that this levy is incurred (in the context of ECDH) during *online* 
> computations.} Such fully specified points are particularly useful in 
> settings, including multiple-point multiplication, combined key 
> computations and signature verifications, batch computations, since 
> may allow significant performance advantages in those settings.
>
> Ad b):
> This is a non-issue in representation discussions with CFRG with ECC, 
> since dealing with protocol issues, not user interfaces.
> Nevertheless, here is a comparison that illustrates some condensed 
> representations that are possibly in a completely standardized way, 
> resp. "cooked up" for user interfaces:
>
> Comparison example:
> example P-256 public key, with affine coordinates (x,y),
> x-coord = 6b 17 d1 f2 e1 2c 42 47 f8 bc e6 e5 63 a4 40 f2 77 03 7d 81 
> 2d eb 33 a0 f4 a1 39 45 d8 98 c2 96
> y-coord = 4f e3 42 e2 fe 1a 7f 9b 8e e7 eb 4a 7c 0f 9e 16 2b ce 33 57 
> 6b 31 5e ce cb b6 40 68 37 bf 51 f5
> a) standardized affine format: (0x04 || x-coord || y-coord) {65 octets}
> b) standardized compressed format: (0x03 || x-coordinate) {33 octets}
> c) non-standard, x-coordinate-only: x-coordinate {32 octets}
> d) non-standard, truncated x-coordinate (x-coordinate mod 2^128): 77 
> 03 7d 81 2d eb 33 a0 f4 a1 39 45 d8 98 c2 96 {16 octets}
>
> example Curve25519, Alice's public key (source: 
> draft-irtf-agl-cfrgcurve-00):
> x-coord = 85 20 f0 09 89 30 a7 54 74 8b 7d dc b4 3e f7 5a 0d bf 3a 0d 
> 26 38 1a f4 eb a4 a9 8e aa 9b 4e 6a
> c) non-standard, x-coordinate-only: x-coordinate {32 octets}

v2.23.0 | Report a Bug | By Email