Re: [CFRG] compact representation and HPKE
Dan Harkins <dharkins@lounge.org> Wed, 10 February 2021 12:42 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54FED3A0ECB for <cfrg@ietfa.amsl.com>; Wed, 10 Feb 2021 04:42:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T43wdXTgFsTg for <cfrg@ietfa.amsl.com>; Wed, 10 Feb 2021 04:42:52 -0800 (PST)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 143F83A0EC6 for <cfrg@irtf.org>; Wed, 10 Feb 2021 04:42:52 -0800 (PST)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QOB0AYKICNFA6@wwwlocal.goatley.com> for cfrg@irtf.org; Wed, 10 Feb 2021 06:42:51 -0600 (CST)
Received: from blockhead.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QOB00OB6CLYX0@trixy.bergandi.net> for cfrg@irtf.org; Wed, 10 Feb 2021 04:42:03 -0800 (PST)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO blockhead.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Wed, 10 Feb 2021 04:42:03 -0800
Date: Wed, 10 Feb 2021 04:42:44 -0800
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <CAEseHRr4TZ9hf1KLhVh+A3ku=RYm8Ycn2b5KdLsamO7sio1v5g@mail.gmail.com>
To: cfrg@irtf.org
Message-id: <472e7324-4f86-7cff-f266-8c8bd7791b26@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_U4xMZqn//7g28QqPDa/5ow)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO blockhead.local)
References: <0fcfb0ed-249b-7cd3-09ba-ed1c73122383@lounge.org> <4C4DE4EC-1A5B-48F5-871E-B7D323EF63D5@ericsson.com> <CAL02cgQFGcWjpFV1nFVg2T3aCat6U-uuzUQ_YsUYLHvQq+ZuiQ@mail.gmail.com> <5C12F8B7-99E2-40DA-8A3C-8930E652C77F@shiftleft.org> <99c28b97-332d-af67-0895-a1bd251153bb@lounge.org> <934cbf19-1e16-24cd-7442-85fb8d41fcb1@lounge.org> <CAEseHRpZE7=smgZs-te4yDb1kTD6aSg92mASn_WZrsB=FqdisQ@mail.gmail.com> <CAEseHRr4TZ9hf1KLhVh+A3ku=RYm8Ycn2b5KdLsamO7sio1v5g@mail.gmail.com>
X-PMAS-Software: PreciseMail V3.3 [210208] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/k-yK9ztQi6ZiQXUpB5YhUcuUk2w>
Subject: Re: [CFRG] compact representation and HPKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Feb 2021 12:42:54 -0000
For all of these curves, p = 3 mod 4 so doing a modular square root is just exponentiation to (p + 1)/4. Not sure how onerous an additional exponentiation is. But then Mike Hamburg was saying that one can do a x-only Montgomery Ladder for these curves if an exponentiation is, indeed, onerous so there are options to consider. Really, there isn't a downside. We get a cleaner and more consistent API, and less cruft required to be exported/imported. regards, Dan. On 2/10/21 4:29 AM, Michael Scott wrote: > ... but then again if y is definitely not needed, maybe there truly is > no downside. > > Mike > > On Wed, Feb 10, 2021 at 12:28 PM Michael Scott <mike.scott@miracl.com > <mailto:mike.scott@miracl.com>> wrote: > > Well, there is a minor downside - the recipient has to do some > extra work (a modular square root) to reconstitute the y coordinate. > > For an enfeebled recipient this might be quite onerous. > > Mike > > On Mon, Feb 8, 2021 at 10:42 PM Dan Harkins <dharkins@lounge.org > <mailto:dharkins@lounge.org>> wrote: > > > Hello again, > > I'd like to resurrect this before it becomes "it's too late > to make changes > that affect the wire". I created a pull request on github some > time ago but > it's been ignored so let me try again here (we still > technically do our work > on mailing lists). > > When I brought it up initially there was a +1 and, as Mike > notes, the > y-coordinate is not needed. This 04 || x || y format for a key > is just some > ancient Certicom proposal and there's really no reason to > perpetuate that. > > The y-coordinate is extraneous. Getting rid of it for the > NIST curves will > make the API much cleaner and consistent. > > This will reduce the size of the serialized public key by > more than 50% > and for apps that care about such things this would be a > tremendous > improvement. > > Richard noted that one can lop off the 04 and the > y-coordinate after > serialization and pass x alone as part of the app using HPKE > and then have > the other size reconstruct it (with either y since the sign > doesn't > matter) before passing it on to be deserialized. While > technically true, > that completely defeats the whole point of formalizing this > process. > > In my pull request I noted that it does change the test > vectors and that > I would be happy to generate them. Well, I did it. I have new > test vectors > (based on -07) and will happily contribute them if asked. If > the test vectors > get changed again (with a new version string) I can reproduce > new ones minus > the y-coordinate in a matter of minutes. > > Please consider this request. There is no downside to it. > > regards, > > Dan. > > On 11/6/20 4:44 PM, Dan Harkins wrote: >> >> Yes, this is exactly right. The y-coordinate is not needed >> for these KEMs >> as the sign is unimportant. >> >> The spec will be simpler and the interface more uniform if >> you do this. >> >> The whole point of HPKE is to make a callable API out of >> this process that >> had been done ad hoc. Requiring a app that is taking >> advantage of this API >> to take the output of the API and parse through it, throwing >> away one half >> of one of the output strings and lopping off the first octet, >> is defeating >> the whole purpose and is expecting a lot. The more this is a >> black box the >> better. >> >> regards, >> >> Dan. >> >> On 11/6/20 3:19 PM, Mike Hamburg wrote: >>> Hello Richard, >>> >>> I haven’t paid much attention to HPKE, so it’s likely I’m >>> missing something here, but why not use the x-only >>> Montgomery ladder on NIST curves? That’s the fastest and >>> simplest approach, and it can operate with or without the >>> y-coordinates. >>> >>> Also, some implementations do not compute both the x- and >>> y-coordinates, and it would be more convenient not to >>> compute or send even a sign bit if you’re intending to use >>> an x-only ladder. >>> >>> Cheers, >>> — Mike >>> >>>> On Nov 6, 2020, at 10:19 PM, Richard Barnes <rlb@ipv.sx >>>> <mailto:rlb@ipv.sx>> wrote: >>>> >>>> Nothing about this says that you have to *send* the keys >>>> uncompressed. You can use whatever representation you want >>>> on the wire. You just have to decompress them before you >>>> put them into the key schedule. Which you're probably doing >>>> anyway, because you need both coordinates to do point >>>> multiplication with these curves. So I am inclined not to >>>> make this change. >>>> >>>> --Richard >>>> >>>> On Fri, Nov 6, 2020 at 4:52 PM John Mattsson >>>> <john.mattsson=40ericsson.com@dmarc.ietf.org >>>> <mailto:40ericsson.com@dmarc.ietf.org>> wrote: >>>> >>>> +1 >>>> >>>> Sending the keys uncompressed makes HPKE unsuitable for >>>> constrained IoT. >>>> >>>> -----Original Message----- >>>> From: CFRG <cfrg-bounces@irtf.org >>>> <mailto:cfrg-bounces@irtf.org>> on behalf of Dan >>>> Harkins <dharkins@lounge.org <mailto:dharkins@lounge.org>> >>>> Date: Friday, 6 November 2020 at 21:00 >>>> To: CFRG <cfrg@irtf.org <mailto:cfrg@irtf.org>> >>>> Subject: [CFRG] compact representation and HPKE >>>> >>>> Hello, >>>> >>>> When doing a DH-based KEM with the NIST curves, HPKE >>>> specifies that >>>> SerializePublicKey and DeserializePublicKey use the >>>> uncompressed format >>>> from SECG. This ends up using 2*Ndh+1 octets to >>>> represent the serial >>>> form of the public key. >>>> >>>> Since compact output is being used in DH-based >>>> KEMs-- that is, the >>>> secret result of DH() is the x-coordinate of the >>>> resulting EC point-- >>>> it would also be possible to use compact representation >>>> (per RFC 6090) >>>> and have SerializePublicKey merely do integer-to-octet >>>> string >>>> conversions of the x-coordinate. DeserializePublicKey >>>> would then >>>> do octet string-to-integer conversion for the >>>> x-coordinate and use the >>>> equation of the curve to choose the y-coordinate. The >>>> sign isn't >>>> important because we're doing compact output. >>>> >>>> This would make the interface for the NIST curves >>>> and the Bernstein >>>> curves be uniform-- Serialize would produce an octet >>>> string of Ndh >>>> and Deserialize would consume an octet string of Ndh-- >>>> at the cost >>>> of some CPU inside DeserializePublicKey. >>>> >>>> Please consider this suggestion. >>>> >>>> regards, >>>> >>>> Dan. >>>> >>>> -- >>>> "The object of life is not to be on the side of the >>>> majority, but to >>>> escape finding oneself in the ranks of the insane." -- >>>> Marcus Aurelius >>>> >>>> _______________________________________________ >>>> CFRG mailing list >>>> CFRG@irtf.org <mailto:CFRG@irtf.org> >>>> https://protect2.fireeye.com/v1/url?k=513cd874-0ea7e231-513c98ef-867b36d1634c-ce26b08a2499b9a3&q=1&e=4f2b4ce0-8d52-4a80-b41e-0f7537355d35&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg >>>> >>>> _______________________________________________ >>>> CFRG mailing list >>>> CFRG@irtf.org <mailto:CFRG@irtf.org> >>>> https://www.irtf.org/mailman/listinfo/cfrg >>>> >>>> _______________________________________________ >>>> CFRG mailing list >>>> CFRG@irtf.org <mailto:CFRG@irtf.org> >>>> https://www.irtf.org/mailman/listinfo/cfrg >>> >>> >>> _______________________________________________ >>> CFRG mailing list >>> CFRG@irtf.org <mailto:CFRG@irtf.org> >>> https://www.irtf.org/mailman/listinfo/cfrg >> >> -- >> "The object of life is not to be on the side of the majority, but to >> escape finding oneself in the ranks of the insane." -- Marcus Aurelius >> >> _______________________________________________ >> CFRG mailing list >> CFRG@irtf.org <mailto:CFRG@irtf.org> >> https://www.irtf.org/mailman/listinfo/cfrg > > -- > "The object of life is not to be on the side of the majority, but to > escape finding oneself in the ranks of the insane." -- Marcus Aurelius > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org <mailto:CFRG@irtf.org> > https://www.irtf.org/mailman/listinfo/cfrg > > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius
- [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE John Mattsson
- Re: [CFRG] compact representation and HPKE Richard Barnes
- Re: [CFRG] compact representation and HPKE Mike Hamburg
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE John Mattsson
- Re: [CFRG] compact representation and HPKE Michael Scott
- Re: [CFRG] compact representation and HPKE Michael Scott
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Benjamin Beurdouche
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Loup Vaillant-David
- Re: [CFRG] compact representation and HPKE Eric Rescorla
- Re: [CFRG] compact representation and HPKE Christopher Wood
- Re: [CFRG] compact representation and HPKE Paul Hoffman
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Stephen Farrell
- Re: [CFRG] compact representation and HPKE Eric Rescorla
- Re: [CFRG] compact representation and HPKE Stephen Farrell
- Re: [CFRG] compact representation and HPKE Andrey Jivsov
- Re: [CFRG] compact representation and HPKE Mike Hamburg
- Re: [CFRG] compact representation and HPKE Mike Hamburg
- Re: [CFRG] compact representation and HPKE Loup Vaillant-David
- Re: [CFRG] compact representation and HPKE Salz, Rich
- Re: [CFRG] compact representation and HPKE Mike Hamburg
- Re: [CFRG] compact representation and HPKE Stephen Farrell
- Re: [CFRG] compact representation and HPKE Peter Gutmann
- Re: [CFRG] compact representation and HPKE John Mattsson
- Re: [CFRG] compact representation and HPKE Benjamin Lipp
- Re: [CFRG] compact representation and HPKE John Mattsson
- Re: [CFRG] compact representation and HPKE Mike Hamburg
- Re: [CFRG] compact representation and HPKE Salz, Rich
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Karthik Bhargavan
- Re: [CFRG] compact representation and HPKE Richard Barnes
- Re: [CFRG] compact representation and HPKE Eric Rescorla
- Re: [CFRG] compact representation and HPKE Benjamin Beurdouche
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Billy Brumley
- Re: [CFRG] compact representation and HPKE Stanislav V. Smyshlyaev
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Stanislav V. Smyshlyaev
- Re: [CFRG] compact representation and HPKE John Mattsson
- Re: [CFRG] compact representation and HPKE denis bider