Re: [CFRG] compact representation and HPKE

Christopher Wood <caw@heapingbits.net> Fri, 12 February 2021 21:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/rY3kbtNfvYzS20a2K_GA7XwfsJc>

On Fri, Feb 12, 2021, at 1:10 PM, Eric Rescorla wrote:
> As I understand it, the competing values here are:
> 
> (1) A technically superior approach (x-coordinate only)
> (2) Consistency with existing uses of these curves (e.g., in TLS 1.3, 
> which uses x-coordinate-only form for CFRG curves but uncompressed form 
> for NIST curves).
> 
> Assuming I understand this correctly, I think I value consistency more, 
> especially in light of the fact that we are encouraging people to move 
> to CFRG curves anyway, which are already in the technically superior 
> form.

To my knowledge, the compact representation (x-only) is (a) not widely supported, (b) not really standard (I don't think RFC 6090 or the related expired draft [1] rise to the level of a standard format), and (c) not FIPS compliant. Similarly, compressed representation seems not as widely supported as the uncompressed representation. 

So I concur with Ekr and Richard here: let's leave this as is. 

Best,
Chris

[1] https://tools.ietf.org/html/draft-jivsov-ecc-compact-05

> 
> -Ekr
> 
> 
> 
> On Fri, Nov 6, 2020 at 12:00 PM Dan Harkins <dharkins@lounge.org> wrote:
> > 
> >    Hello,
> > 
> >    When doing a DH-based KEM with the NIST curves, HPKE specifies that
> > SerializePublicKey and DeserializePublicKey use the uncompressed format
> > from SECG. This ends up using 2*Ndh+1 octets to represent the serial
> > form of the public key.
> > 
> >    Since compact output is being used in DH-based KEMs-- that is, the
> > secret result of DH() is the x-coordinate of the resulting EC point--
> > it would also be possible to use compact representation (per RFC 6090)
> > and have SerializePublicKey merely do integer-to-octet string
> > conversions of the x-coordinate. DeserializePublicKey would then
> > do octet string-to-integer conversion for the x-coordinate and use the
> > equation of the curve to choose the y-coordinate. The sign isn't
> > important because we're doing compact output.
> > 
> >    This would make the interface for the NIST curves and the Bernstein
> > curves be uniform-- Serialize would produce an octet string of Ndh
> > and Deserialize would consume an octet string of Ndh-- at the cost
> > of some CPU inside DeserializePublicKey.
> > 
> >    Please consider this suggestion.
> > 
> >    regards,
> > 
> >    Dan.
> > 
> > -- 
> > "The object of life is not to be on the side of the majority, but to
> > escape finding oneself in the ranks of the insane." -- Marcus Aurelius
> > 
> > _______________________________________________
> > CFRG mailing list
> > CFRG@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
>