IETF Logo Mail Archive

Re: [CFRG] compact representation and HPKE

denis bider <denisbider.ietf@gmail.com> Wed, 17 February 2021 04:13 UTC

Return-Path: <denisbider.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C20743A1474 for <cfrg@ietfa.amsl.com>; Tue, 16 Feb 2021 20:13:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nf_zCsdl9eZm for <cfrg@ietfa.amsl.com>; Tue, 16 Feb 2021 20:13:36 -0800 (PST)
Received: from mail-oi1-x22b.google.com (mail-oi1-x22b.google.com [IPv6:2607:f8b0:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 225FF3A1471 for <cfrg@irtf.org>; Tue, 16 Feb 2021 20:13:35 -0800 (PST)
Received: by mail-oi1-x22b.google.com with SMTP id v193so13671694oie.8 for <cfrg@irtf.org>; Tue, 16 Feb 2021 20:13:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ImDJi/BbwHIIjg9GMBIhxfe/onemW2iq4XER/yfVY6I=; b=ZnOppNVbDrhz53GKAlHUB0DoqhS4eg2ge7gdD+th2j6/NE1ZlX7s5WTDdJjhbazRav dN2b31vtnbaix46NcJR0POCAtPQgHljkxJn0UC1VIXh2tZckPOza6/DO0XfMfFyYJx04 0R6zTxo+MaN2MrU5pdswFfaKp6W8KScK6pvGO9Od30kyjUBvgg1sDxTLKcrZqql1BTnI y0kcbegJsEsEGX06SWZu+Whxc4iNW0OLikUs9um97B8pmDR4CPjwphUBsgkfjXEkiiZ/ eNNPco/v07SRYOg9Lrco2Ab1BHCdF5w2EXeSJ7ckn5WWj/ZT0hnjRMPUMa+oRl4Pq+Gl 6NKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ImDJi/BbwHIIjg9GMBIhxfe/onemW2iq4XER/yfVY6I=; b=AING7jbaxARkV3RxwgYpaUIoizEPe2kagqHnPAbbPv48cHS7umr6t6hoh+pbmVlyPU zZPibWZ2ivlIUH8olJvyGlU5FuCpxmfEmxQyIOwjaeEKNHsF9CJCS1l/jnu1JqNtP9E2 DkalU/fkgUfjsCLVGVPdFOEcSsVwmzvaY6MIIs0hNUeRmaTCmQE2iMuYdc56gOU1AJ41 k/QeUNJA1V0i1SvBpUXqQXYe3aSO9umC30c97n90Q82jCkw5b6kX17+c8Ml6ZU87sNNY FzF1r9e7zeHhPzWwmwHwSz3mFFf4SqADaqXwOpcvHTFp3mdnfjzv4dm4zXXrNGa703yk FTCg==
X-Gm-Message-State: AOAM530bzPVE58hFC9vLu4sbr1UVl16Vqc4YRl7hFnjaDFc90AJtTOs2 s2Scj2rhRIx/zT2s1wQc1bTNPJy1/dITW5An9Eg=
X-Google-Smtp-Source: ABdhPJxsuSXVQK/V3TxGx6qFDABeVAxx18HPxp8btcHSwkj+rO+j8bRDB89oLaaYxwp0lyFMmIZicEnbmKK7+N8pAZw=
X-Received: by 2002:aca:5483:: with SMTP id i125mr4775982oib.61.1613535215286; Tue, 16 Feb 2021 20:13:35 -0800 (PST)
MIME-Version: 1.0
References: <0fcfb0ed-249b-7cd3-09ba-ed1c73122383@lounge.org> <CABcZeBMGJQ7sAKovy3japXVVLWRB8ydpsDzZxhijvFCtXptsZQ@mail.gmail.com> <e19e3ca1-e209-40c6-82e3-24c6d330bff8@www.fastmail.com> <24202a57-0fff-1a56-480c-dfb59989ab8e@lounge.org> <D2A7FD5D-7261-4908-8675-3C7EE2626E8D@inria.fr> <CAL02cgRwrzVHShr3uSd6mkzo_2RULKCDzKBfLz-YxTizWq63_g@mail.gmail.com> <CAFeDd5Z152yMCKHd8NK57KNGfajU4GuzA+u4tjtHaDVhKv0rVg@mail.gmail.com>
In-Reply-To: <CAFeDd5Z152yMCKHd8NK57KNGfajU4GuzA+u4tjtHaDVhKv0rVg@mail.gmail.com>
From: denis bider <denisbider.ietf@gmail.com>
Date: Tue, 16 Feb 2021 22:13:24 -0600
Message-ID: <CADPMZDABfw5GGQ31FKtmes+XF37uiRbcs+2K_WaJN4C_-nxr4w@mail.gmail.com>
To: Billy Brumley <bbrumley@gmail.com>
Cc: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000056faf505bb80716f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/rFofRUS0M8uq5hBuyredxHPULaI>
Subject: Re: [CFRG] compact representation and HPKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Feb 2021 04:13:38 -0000

I really dislike this sort of idealism, it's like purporting that proper
communism simply hasn't been tried yet.

In theory, a cryptographic library would implement a high-level interface
that (1) covers the way an algorithm is used in the protocol you're
implementing, (2) covers all the niche cases of use in that protocol.

In practice, the cryptographic (1) has some well-intended high-level
interfaces, which happen to not support the exact way the algorithm is used
in the protocol you're implementing, or (2) it doesn't cover all the niche
cases of use in that protocol.

So, as is the case with most abstractions, eventually you realize that you
have to bypass the abstraction and go to the nuts and bolts. Your life is
made much easier that way.

Cases in point:

- Windows CNG implements nice abstractions for DH and ECDH, and since these
abstractions are so nice and safe, there is no way provided to access the
agreed value. Instead you have a bunch of computations you can apply to the
agreed value, which works for protocols like TLS.

But none of those functions work for SSH. So how do you get the agreed
value for SSH? Trade secret that involves accessing internal Windows CNG
structures which have changed multiple times as Windows is auto-updated,
requiring the software to be updated as well.

- In the case of OpenSSL, the easiest way I've found to initialize an
ECDSA/secp256k1 public key from its SSH encoding is by
calling EC_KEY_set_public_key_affine_coordinates, which involves BN_bin2bn
to convert x and y.

There may be a more "kosher" way, but this works and fits my usage.

So. I really dislike "but the proper way to use it is our well-meant
high-level abstraction", cause it boils down to a design for hypothetical
theory instead of for useful practice.

denis


On Tue, Feb 16, 2021 at 12:40 AM Billy Brumley <bbrumley@gmail.com> wrote:

> > I think Karthik is on the right track here.  While the compact
> representation undoubtedly has its benefits, it seems like there is no
> disagreement that it is not widely supported in either standards or crypto
> libraries.  So there is a sizable community for whom a requirement to use
> the compact format would render HPKE unusable.
>
> In the case of OpenSSL, I disagree.
>
> If you (=application developer) are dealing with points directly in
> OpenSSL, you are probably already doing it wrong.
>
> Using the correct abstractions in OpenSSL, whether a "point" has 1, 2,
> 3, or 42 coordinates shouldn't matter. In fact when using the correct
> abstraction in OpenSSL, you shouldn't know it's a point at all. Just a
> byte string.
>
> So I support this one, in the spirit of forward thinking, rather than
> propagating ideas from two decades old standards
>
> > (1) A technically superior approach (x-coordinate only)
>
> I would suggest soliciting an opinion from the OpenSSL OTC before
> making any decision based on perceived API difficulties.
>
> My 2c, having never even read the HPKE draft.
>
> BBB
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email