[Cfrg] Fwd: New Version Notification for draft-barnes-cfrg-mult-for-7748-00.txt

Richard Barnes <rlb@ipv.sx> Mon, 04 November 2019 23:52 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 9638D120123 for <cfrg@ietfa.amsl.com>; Mon, 4 Nov 2019 15:52:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 98qdmE0jy91b for <cfrg@ietfa.amsl.com>; Mon, 4 Nov 2019 15:52:48 -0800 (PST)
Received: from mail-oi1-x22b.google.com (mail-oi1-x22b.google.com [IPv6:2607:f8b0:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1849120114 for <cfrg@ietf.org>; Mon, 4 Nov 2019 15:52:47 -0800 (PST)
Received: by mail-oi1-x22b.google.com with SMTP id s71so15839004oih.11 for <cfrg@ietf.org>; Mon, 04 Nov 2019 15:52:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=m1+T3QQP7QrnIIbt041LKFPKOS47tkmO+AsDuQPMokA=; b=H0cN7eOLtb8X+ugHDKmqYAvOSTlyPN15AR/pw2mEFceQDMBxL2ilKjnw1wv+XnMiWw c07njhHYMUvDrgt4YERgr6xLRjyzC9UJCM9Ukcet8+8AUb7cdQtI682+81JC2aIhj+Ka UUkZ4Yxr7WGixkgiwD17B47NsIoUoUq2wfSD35C8Dwl+s+d6SSbj4i/NxCohNHmM/WwK TgtojS+8KQ9qoqdS6hk6nTGZphu5CIith/EpHsny3w+0jKNGllitjiAaOUDfj6SdYyNA nTJJMaZ+Z97jdNEwiofyb5nYgGeGdJ3qQ9mj2lF9l1Ma/kG1K6lX9kMi7GwfZNIFrrap ikfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=m1+T3QQP7QrnIIbt041LKFPKOS47tkmO+AsDuQPMokA=; b=JzDcDCsbxakqpxN3/dJsMpC7XRYMLuS7SfYXTcIEjRVfQfqIqMcg6/DhRQAVrxla95 LadIdQ0azjbDlNfdXzXFXu4lkFLUxsP1Y5d64j/1ymdWeGCYCr7C1nkwVWpKhuEfd6KL LwNCByNi4qb1N9Zu3YxRSkT9FTZMdlECltyS46ugG0TjY13j3SZjcZ0TW3AqCqMGC+Dv 1rGg0VgJAty+pTjbS/EOLBWP/kxokN3/bgFPeC6/bgToE6RB5UHjuGfWGBsbzPw8R7rD 1OQiVvNAnBG6xQXf8NVrTErJo/MOPYAhA2L5bmj+5TH7bKpSPev0IIVB5Fxnidj1UH2U 9EQg==
X-Gm-Message-State: APjAAAXE44PZ2oF89bVSSsYPVK0mPCsEWK/84i/Y/7L37hqXBRgKu3J+ qGZyhQUDuXNlG/8a09vktqsYRiYEfUweeixN97EgJOfFRGo=
X-Google-Smtp-Source: APXvYqycDgnvHBStfwlaEbzJ4AIcZUTZBa6GbvCSEsprw/K8RJDa2zijjSBUs3gIyZiL2UgIYEN4YgZLpV27ziyu75U=
X-Received: by 2002:a05:6808:2d0:: with SMTP id a16mr1322221oid.149.1572911566749; Mon, 04 Nov 2019 15:52:46 -0800 (PST)
MIME-Version: 1.0
References: <157291108173.13892.5112993721217644254.idtracker@ietfa.amsl.com>
In-Reply-To: <157291108173.13892.5112993721217644254.idtracker@ietfa.amsl.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 4 Nov 2019 18:52:19 -0500
Message-ID: <CAL02cgSgLaU4VMqnzvFyr_v3vErdc_mv5=E_gjgAofa2dmGg2w@mail.gmail.com>
To: cfrg@ietf.org
Cc: Joel Alwen <jalwen@wickr.com>, Sandro Coretti <corettis@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000330a8c05968e03c4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fpqnz7K8u_TXZ0SvkJjgOJOT2Tg>
Subject: [Cfrg] Fwd: New Version Notification for draft-barnes-cfrg-mult-for-7748-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2019 23:52:53 -0000

Hi CFRG folks,

This draft is a proposal to address a deficiency in X25519 and X448 that
has been noted a couple of times on this list (e.g., [1]), namely the fact
that multiplication of scalars and point multiplication do not commute.
While looking into applications of updateable public-key encryption in the
context of MLS [2], my co-authors came upon a solution that while not
perfect, works in all but a statistically insignificant number of cases.

The draft describes how to do scalar multiplication in a way that is
compatible with point multiplication in the X25519 and X448 groups,
describes the cases where these algorithms can fail, and provides methods
for detecting failure.  While "move to Ristretto" is also a solution to
this problem, it seemed like a solution for X25519 / X448, even if partial,
might have a slightly faster path to deployment.

As with any -00 draft, feedback is very welcome!  If Go is your preferred
medium, we've also implemented the relevant concepts in the corresponding
GitHub repo [3].


[1] https://mailarchive.ietf.org/arch/msg/cfrg/JVg30dldjr4pcwZ1perpA1k-OGQ
[2] https://eprint.iacr.org/2019/1189
[3] https://github.com/bifurcation/draft-barnes-cfrg-mult-for-7748/

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>;
Date: Mon, Nov 4, 2019 at 6:44 PM
Subject: New Version Notification for draft-barnes-cfrg-mult-for-7748-00.txt
To: Richard L. Barnes <rlb@ipv.sx>;, Joël Alwen <jalwen@wickr.com>;, Sandro
Corretti <corettis@gmail.com>;

A new version of I-D, draft-barnes-cfrg-mult-for-7748-00.txt
has been successfully submitted by Richard L. Barnes and posted to the
IETF repository.

Name:           draft-barnes-cfrg-mult-for-7748
Revision:       00
Title:          Homomorphic Multiplication for X25519 and X448
Document date:  2019-11-04
Group:          Individual Submission
Pages:          10

   In some contexts it is useful for holders of the private and public
   parts of an elliptic curve key pair to be able to independently apply
   an updates to those values, such that the resulting updated public
   key corresponds to the updated private key.  Such updates are
   straightforward for older elliptic curves, but for X25519 and X448,
   the "clamping" prescribed for scalars requires some additional
   processing.  This document defines a multiplication procedure that
   can be used to update X25519 and X448 key pairs.  This algorithm can
   fail to produce a result, but only with negligible probability.
   Failures can be detected by the holder of the private key.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat