Re: [Cfrg] On the use of Montgomery form curves for key agreement
Nico Williams <nico@cryptonector.com> Tue, 02 September 2014 23:00 UTC
In-Reply-To: <54063D8B.7020302@brainhub.org>
Date: Tue, 02 Sep 2014 17:59:57 -0500
Message-ID: <CAK3OfOgJWkYS5NkO2ffJQshE8sO1hFu0UJGZ-akSs93PxSbTBw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Andrey Jivsov <crypto@brainhub.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/hYXeo-4ekDOVZcrY9mwH5Bcnvuo
Cc: cfrg@irtf.org
On Tue, Sep 2, 2014 at 4:58 PM, Andrey Jivsov <crypto@brainhub.org> wrote:
> On 09/02/2014 02:47 PM, Stephen Farrell wrote:
>> Can you give me an example of such an IETF protocol? Without
>> having thought much about it, I think there are always different
>> codepoints allocated for DH and signatures, and I doubt we'd
>> want the same private values shared anyway, so I'm not sure
>> if that's a real or a theoretical issue.

+1. We generally strive for key hygiene. We'd not use a key for
different purposes.

What is the use of using the same key for DH and signatures in the same
protocol? I can only think of a round-trip optimization, but what I have
in mind is very handwavy and not likely to be a win (partly because it
means losing PFS).

> A few examples of dual-key use and a bit broader question of whether we
> would want to add points as opposed to only do scalar multiplication.
>
> Some TLS server side fixed-base optimization will benefit from point
> addition.

Can you give some more details of what this would mean protocol-wise?

> While OpenPGP RFC 4880 has a concept of a "bundle of keys" things are
> easier when the top key can have both encryption and signing capability.
> There are products that add X.509 certs to PGP keys.

Yes, I could see this. Though key bundles have been around for long
enough (and in widespread enough use) that it doesn't seem likely to
matter much.

> Signing a certificate request for a DH key to prove key possession. A
> self-signed DH cert.

OK, this one makes some sense, but if the price is losing PFS or paying
extra CPU cycles if you want PFS, then it seems not worthwhile.

On the other hand, if using the same key for DH and signatures is
worthwhile, then it seems likely that point form conversion won't be a
big deal. No?

> Protocols for applications with space-saving requirements: keys on URLs
> or e-mail aliases, pre-generate keys "for everybody" to represent
> identities. Keys that are handled by humans (e.g. typed in base32
> encoding), etc

Yes, this is a clear win. But again, any point conversion penalty seems
minor for such a protocol.

Nico
--
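The "point form conversion" the message refers to is the birational map between Curve25519 in Montgomery form (the X25519 key-agreement shape) and in twisted Edwards form (the Ed25519 signature shape), as written in RFC 7748 section 4.1. The following is an added example, not code from this thread or from any of its participants: it implements both maps, scalar-multiplies the base point with an Edwards double-and-add on one side and with the RFC 7748 x-only ladder on the other, and checks that the two results agree through the map. All function names (`mont_to_ed`, `ed_to_mont`, `conversion_agrees`, etc.) and the test scalars are this example's own; the curve constants are the published Curve25519/Ed25519 values. Arithmetic is plain Python big integers and not constant time, so it is for study of the conversion cost, not for use.

```python
# Added example (not from the thread): Montgomery <-> Edwards point conversion
# for Curve25519/Ed25519, checked against scalar multiplication in both forms.

p = 2**255 - 19
A = 486662                                  # Montgomery: v^2 = u^3 + A*u^2 + u
a24 = (A - 2) // 4                          # 121665, used by the RFC 7748 ladder


def inv(a):
    return pow(a, p - 2, p)


d = (-121665 * inv(121666)) % p             # Edwards: -x^2 + y^2 = 1 + d*x^2*y^2


def sqrt_mod(a):
    """Square root mod p (p = 5 mod 8); raises if a is not a square."""
    a %= p
    r = pow(a, (p + 3) // 8, p)
    if (r * r - a) % p:
        r = r * pow(2, (p - 1) // 4, p) % p # multiply by sqrt(-1)
    if (r * r - a) % p:
        raise ValueError("not a square")
    return r


C = sqrt_mod(-486664)                       # constant from RFC 7748 section 4.1


def mont_to_ed(u, v):
    """Montgomery (u, v) -> Edwards (x, y): one inversion per coordinate."""
    return C * u * inv(v) % p, (u - 1) * inv(u + 1) % p


def ed_to_mont(x, y):
    """Edwards (x, y) -> Montgomery (u, v): one inversion per coordinate."""
    u = (1 + y) * inv(1 - y) % p
    return u, C * u * inv(x) % p


def on_mont(u, v):
    return (v * v - (u * u * u + A * u * u + u)) % p == 0


def on_ed(x, y):
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0


def ed_add(P, Q):
    """Affine twisted-Edwards addition with a = -1."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + y1 * x2) * inv(1 + t) % p,
            (y1 * y2 + x1 * x2) * inv(1 - t) % p)


def ed_mul(k, P):
    """Double-and-add scalar multiplication (not constant time)."""
    R = (0, 1)                              # neutral element
    for bit in bin(k)[2:]:
        R = ed_add(R, R)
        if bit == "1":
            R = ed_add(R, P)
    return R


def mont_ladder(k, u):
    """RFC 7748 x-only Montgomery ladder; returns the u-coordinate of k*P."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % p, (x2 - z2) % p
        aa, bb = a * a % p, b * b % p
        e = (aa - bb) % p
        da = (x3 - z3) * a % p
        cb = (x3 + z3) * b % p
        x3, z3 = (da + cb) ** 2 % p, x1 * (da - cb) ** 2 % p
        x2, z2 = aa * bb % p, e * (aa + a24 * e) % p
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * inv(z2) % p


def ed25519_basepoint():
    """B has y = 4/5; x is the even root, as in RFC 8032."""
    y = 4 * inv(5) % p
    x = sqrt_mod((y * y - 1) * inv(d * y * y + 1))
    return (p - x if x % 2 else x), y


def conversion_agrees(k):
    """True iff k*B in Edwards form maps onto the ladder's u-coordinate of k*9."""
    x, y = ed_mul(k, ed25519_basepoint())
    u, v = ed_to_mont(x, y)
    return on_ed(x, y) and on_mont(u, v) and u == mont_ladder(k, 9)


if __name__ == "__main__":
    print("base point maps to u = 9:", ed_to_mont(*ed25519_basepoint())[0] == 9)
    print("k*B agrees for several k:", all(conversion_agrees(k) for k in (1, 2, 3, 12345)))
```

The point the message makes about cost is visible in `mont_to_ed` and `ed_to_mont`: each direction is two field inversions (one if only the coordinate the other side needs is converted), which is negligible next to the roughly 255 ladder steps or doublings of a scalar multiplication. Whether a single key should serve both X25519 and Ed25519 is a separate question of key separation; the conversion itself is not the expensive part.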