Re: [Cfrg] Elliptic Curves - curve form and coordinate systems
Jakob Breier <Jakob.Breier@rwth-aachen.de> Fri, 13 March 2015 17:39 UTC
Return-Path: <Jakob.Breier@rwth-aachen.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 762491A1A6A for <cfrg@ietfa.amsl.com>; Fri, 13 Mar 2015 10:39:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.738
X-Spam-Level:
X-Spam-Status: No, score=-2.738 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01, URI_HEX=1.122] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P6-dEJVyZQmx for <cfrg@ietfa.amsl.com>; Fri, 13 Mar 2015 10:39:41 -0700 (PDT)
Received: from mx-out-1.rwth-aachen.de (mx-out-1.rwth-aachen.de [134.130.5.186]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 390711A01A9 for <cfrg@irtf.org>; Fri, 13 Mar 2015 10:39:41 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.11,396,1422918000"; d="scan'208";a="378561923"
Received: from hub2.rwth-ad.de (HELO mail.rwth-aachen.de) ([134.130.26.143]) by mx-1.rz.rwth-aachen.de with ESMTP; 13 Mar 2015 18:39:39 +0100
Received: from [192.168.1.2] (78.49.65.19) by mail.rwth-aachen.de (134.130.26.143) with Microsoft SMTP Server (TLS) id 14.3.224.2; Fri, 13 Mar 2015 18:39:39 +0100
Message-ID: <550320DA.2030604@rwth-aachen.de>
Date: Fri, 13 Mar 2015 18:39:38 +0100
From: Jakob Breier <Jakob.Breier@rwth-aachen.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Rene Struik <rstruik.ext@gmail.com>, cfrg@irtf.org
References: <54F8E735.2010202@isode.com> <5501E6A5.5040608@brainhub.org> <5502D58F.3030806@rwth-aachen.de> <5502F920.5050505@gmail.com>
In-Reply-To: <5502F920.5050505@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-PMWin-Version: 3.1.3.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/dlms0Ro4hcVckujTDmugKaH6E4k>
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2015 17:39:44 -0000
Hey Rene, thanks for your reply. I was well aware of the distinction between a) and b). The implicit argument, which I did not spell out unfortunately, was that 1. It's desirable to have as few point formats for a curve as possible (KISS rule). Elliptic curve cryptography might be a mess already, but if we never start simplifying things, it will still be a mess in 20 years. I'd like to be able to point people to the new IETF curves when the CFRG is through and tell them "use these curves / point formats (and if possible only those) and life will be as easy as ECC can get". A separate x-coordinate-only format for Montgomery multiplication is worth it in my opinion because of the implementation simplicity it affords, but having an additional compressed format is probably not. 2. Implementers will likely not go through the hassle of adding an additional compressed point format, but instead use the wire format they have to support. I'd like to be proven wrong on this, though. As evidence I point to the OpenSSH key formats. They could already have used compressed points with nistp256 and, as far as I can tell, OpenSSL as well as the chosen storage format even supports them (the latter of which you have pointed out - thanks btw, I didn't recognize that before). But they only switched when they were forced to move away from OpenSSL to support Ed25519 and imported the SUPERCOP implementation [1] which *only* supports compressed points [2]. So only having one "right" format apparently did make the difference between having nice user facing point formats or not. Please note however, that all the points I've made so far are second order arguments. While I would love to finally have short asymmetric keys, the far more important aspect for me is to assert that implementers cannot screw up point validation. And point compression seems to be necessary towards that end. I'll not rehash the reasons why implementers cannot be entrusted with such an easy step as plugging variables into an equation - this has already been amply discussed on this list and those reasons either convince you already, or don't. I've only brought up the "human bandwidth" line of reasoning (which I nonetheless find significant) and caused the associated extra noise, because I'm afraid that point validation alone does not swing the tide towards compressed points. Best regards, Jakob Breier [1] https://lists.mindrot.org/pipermail/openssh-unix-dev/2013-December/031871.html [2] See e.g. the python implementation http://ed25519.cr.yp.to/python/ed25519.py , especially encodepoint and decodepoint. On 13.03.2015 15:50, Rene Struik wrote: > Hi Jakob: > > This confuses different discussions: > > a) use of public key in computations. > Here, Andrey Jivsov's point was that receipt of a full point (x,y) on > a curve, rather than a compressed point or simply the x-coordinate, > does not artificially impose a performance penalty on all > implementations except x-coordinate-only ones (Montgomery). > b) representation of public key in white list. > Here, one can use many methods to map a public key Q to a condensed > (perhaps, even human-recognizable) format f(Q). > This condensed format could take the form affine format curve point, > compressed format, hash, leftmost n-octets, hash value, etc. > > My own take: > > Ad a): > I fully agree with Andrey Jivsov's point and think using x-coordinate > only representations imposes a "moat" around ECC implementations, by > imposing a levy on all implementations that, for whatever reason, may > want to use something else than Montgomery arithmetic. {Please note > that this levy is incurred (in the context of ECDH) during *online* > computations.} Such fully specified points are particularly useful in > settings, including multiple-point multiplication, combined key > computations and signature verifications, batch computations, since > may allow significant performance advantages in those settings. > > Ad b): > This is a non-issue in representation discussions with CFRG with ECC, > since dealing with protocol issues, not user interfaces. > Nevertheless, here is a comparison that illustrates some condensed > representations that are possibly in a completely standardized way, > resp. "cooked up" for user interfaces: > > Comparison example: > example P-256 public key, with affine coordinates (x,y), > x-coord = 6b 17 d1 f2 e1 2c 42 47 f8 bc e6 e5 63 a4 40 f2 77 03 7d 81 > 2d eb 33 a0 f4 a1 39 45 d8 98 c2 96 > y-coord = 4f e3 42 e2 fe 1a 7f 9b 8e e7 eb 4a 7c 0f 9e 16 2b ce 33 57 > 6b 31 5e ce cb b6 40 68 37 bf 51 f5 > a) standardized affine format: (0x04 || x-coord || y-coord) {65 octets} > b) standardized compressed format: (0x03 || x-coordinate) {33 octets} > c) non-standard, x-coordinate-only: x-coordinate {32 octets} > d) non-standard, truncated x-coordinate (x-coordinate mod 2^128): 77 > 03 7d 81 2d eb 33 a0 f4 a1 39 45 d8 98 c2 96 {16 octets} > > example Curve25519, Alice's public key (source: > draft-irtf-agl-cfrgcurve-00): > x-coord = 85 20 f0 09 89 30 a7 54 74 8b 7d dc b4 3e f7 5a 0d bf 3a 0d > 26 38 1a f4 eb a4 a9 8e aa 9b 4e 6a > c) non-standard, x-coordinate-only: x-coordinate {32 octets}
- Re: [Cfrg] Elliptic Curves - curve form and coord… Viktor Dukhovni
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- [Cfrg] (flaws with Curve25519 DH function, if one… Rene Struik
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Viktor Dukhovni
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- [Cfrg] (flaws with Curve25519 DH function, if one… Rene Struik
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nico Williams
- Re: [Cfrg] (flaws with Curve25519 DH function, if… David Leon Gil
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Viktor Dukhovni
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Nico Williams
- Re: [Cfrg] (flaws with Curve25519 DH function, if… CodesInChaos
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Salz, Rich
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Watson Ladd
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Ilari Liusvaara
- Re: [Cfrg] (flaws with Curve25519 DH function, if… CodesInChaos
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alexey Melnikov
- [Cfrg] Elliptic Curves - curve form and coordinat… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Dan Brown
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - curve form and coord… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - curve form and coord… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Mike Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nadim Kobeissi
- Re: [Cfrg] Elliptic Curves - curve form and coord… Adam Langley
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Adam Langley
- Re: [Cfrg] Elliptic Curves - curve form and coord… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - curve form and coord… Paul Lambert
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Salz, Rich
- Re: [Cfrg] Elliptic Curves - curve form and coord… Adam Langley
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nico Williams
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Dan Brown
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Paterson, Kenny
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Jakob Breier
- Re: [Cfrg] Elliptic Curves - curve form and coord… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nico Williams
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Jakob Breier
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Salz, Rich
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg