IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - curve form and coordinate systems

Michael Hamburg <mike@shiftleft.org> Fri, 13 March 2015 18:39 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 811751A1A07 for <cfrg@ietfa.amsl.com>; Fri, 13 Mar 2015 11:39:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.156
X-Spam-Level: **
X-Spam-Status: No, score=2.156 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, HTML_MESSAGE=0.001, J_CHICKENPOX_14=0.6, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZvnLx5mOUWKV for <cfrg@ietfa.amsl.com>; Fri, 13 Mar 2015 11:39:40 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E6191A0194 for <cfrg@irtf.org>; Fri, 13 Mar 2015 11:39:40 -0700 (PDT)
Received: from [10.184.148.249] (unknown [209.36.6.242]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 6A21D3AA41; Fri, 13 Mar 2015 11:36:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1426271801; bh=Qw3TxIa9cpyj4mWrXgMfuhqZgbrKc29LjLt99LISKoY=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=KPBrrP82SDrayN3zE0Vxjtf9/MW0wCjm8UdE0NDVjzXrKLnFSzBNYGz52kLiiIrDI W+n4Vo33wopgmhR+CLStrw4v425izODmQxKIDLV56s/0btDtrHh7jsb7EetAx3387M 3r3mN2gBWssljbaoV9zTzKQiXaeNCsBq/t2o3VAA=
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2087\))
Content-Type: multipart/alternative; boundary="Apple-Mail=_CE196A8D-2373-4347-93BF-2BE46D528C5F"
From: Michael Hamburg <mike@shiftleft.org>
X-Priority: 5 (Lowest)
In-Reply-To: <55032259.5090704@brainhub.org>
Date: Fri, 13 Mar 2015 11:39:37 -0700
Message-Id: <A6F30412-8E0A-4D8D-9F26-580307B46874@shiftleft.org>
References: <54F8E735.2010202@isode.com> <5501E6A5.5040608@brainhub.org> <5502D58F.3030806@rwth-aachen.de> <5502F920.5050505@gmail.com> <20150313163336.GA3479@localhost> <55032259.5090704@brainhub.org>
To: Andrey Jivsov <crypto@brainhub.org>
X-Mailer: Apple Mail (2.2087)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/lrrYBNn47AgPWY2Dqr7gNQYRKgI>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2015 18:39:42 -0000

So, here is my view on this.

For ECDH, it is strongly preferable to have x-only output, so that the Montgomery ladder works.  It is also preferable if the ECDH ephemerals can be produced by the Montgomery ladder with minimal or no modification, because that reduces code size for embedded applications.  The fastest and simplest ECDH variable-base implementations will use the Montgomery ladder, so sending the y-coordinate is a waste.  Therefore, there’s a big advantage to x-only or x+sign for the wire format.

Between x-only and x+sign, there’s very little difference for ECDH.  The sign takes an extra bit (+0 bytes for Curve25519 and +1byte for Goldilocks).  If a sign bit is required, Montgomery ladder ECDH-only implementations can set it arbitrarily (eg, to 0).  If the bit is omitted, non-Montgomery implementations can choose it arbitrarily, since it doesn’t affect the shared secret.



For non-ECDH, x-only is insufficient, and most systems will need to decompress points if they’re compressed.  There’s very little security or performance difference between the two options: compression prevents some attacks but adds complexity; it saves time and energy on radio links but costs time and energy on wired ones or when the point is cached.  I prefer compressed points, but I admit that this is largely for aesthetic reasons.

However, if we choose x+sign then we can use it for both point formats.  That’s a big enough deal to make me prefer it.



It is also possible to use an implicit sign bit, eg “y/x is always positive” (positive meaning even, or maybe less than p/2).  This can be done with Andrey Jivsov’s trick of negating the secret key if y/x is not positive.  But that doesn’t work as a wire format for eg PAKE or MQV.  A more general solution is to invert x if y isn’t positive (the decaf trick), since (x,y) -> (1/x,-y/x^2) is the 2-torsion action and negates y/x.

As with x+sign, this implicit sign bit would not be used in the Montgomery ladder’s output, so it would affect only signatures and the like.  The advantage of implicit sign bit is that it gives all EC points the same format as the Montgomery ladder for very little cost.

— Mike

> On Mar 13, 2015, at 10:46 AM, Andrey Jivsov <crypto@brainhub.org> wrote:
> 
> On 03/13/2015 09:33 AM, Nico Williams wrote:
>> On Fri, Mar 13, 2015 at 10:50:08AM -0400, Rene Struik wrote:
>>> a) use of public key in computations.
>>> Here, Andrey Jivsov's point was that receipt of a full point (x,y)
>>> on a curve, rather than a compressed point or simply the
>>> x-coordinate, does not artificially impose a performance penalty on
>>> all implementations except x-coordinate-only ones (Montgomery).
>> A "penalty" of some sort is involved in *all* possible choices, and
>> there isn't one that is ideal for all use-cases.  Others have pointed
>> this out.
>> 
>> ECDH-only applications will exist and will be a/the common case.  Add to
>> this the simplicity arguments, and clearly x-only Montgomery is a better
>> choice for ECDH.
>> 
>> Some trade-offs:
>> 
>>  - x-only -> you must either have a Montgomery ladder implementation
>>              *and* other implementations if you *also* support
>>              signatures
>> 
>>              or
>> 
>>              you must have point conversion code *and* use it for ECDH
>>              (10% penalty)
>> 
>>    Obviously (I think), the first choice is better: it's a development-
>>    and compile-time cost, with the small additional run-time cost of
>>    extra text footprint IF you need both around (point coversion also
>>    has this extra text footprint at run-time).
>> 
>>  - (x,y)  -> bandwidth waste Montogmery ladder implementations
> 
> Is "wasting" of 32 extra per TLS/SSH session that important?
> 
> Considering average TLS session reuse rate today, this is 16 bytes per TLS session (and is likely to be fewer bytes than this).
> 
>> 
>>    This is not nothing (see Mike H.'s posts).
>> 
>> Similarly for (x,sign(y)).
>> 
>>> b) representation of public key in white list.
>>> Here, one can use many methods to map a public key Q to a condensed
>>> (perhaps, even human-recognizable) format f(Q).
>>> This condensed format could take the form affine format curve point,
>>> compressed format, hash, leftmost n-octets, hash value, etc.
>> For (b), I don't see why x-only isn't good enough.  Can you elaborate?
>> 
>> Nico
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email