IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - curve form and coordinate systems (ends on March 12th)

Andrey Jivsov <crypto@brainhub.org> Thu, 12 March 2015 19:19 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 883271A000B for <cfrg@ietfa.amsl.com>; Thu, 12 Mar 2015 12:19:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FbCR2jUL9ppY for <cfrg@ietfa.amsl.com>; Thu, 12 Mar 2015 12:19:03 -0700 (PDT)
Received: from resqmta-po-02v.sys.comcast.net (resqmta-po-02v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:161]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 464B21A1BB9 for <cfrg@irtf.org>; Thu, 12 Mar 2015 12:19:02 -0700 (PDT)
Received: from resomta-po-08v.sys.comcast.net ([96.114.154.232]) by resqmta-po-02v.sys.comcast.net with comcast id 2jJf1q003516pyw01jK2LE; Thu, 12 Mar 2015 19:19:02 +0000
Received: from [IPv6:::1] ([71.202.164.227]) by resomta-po-08v.sys.comcast.net with comcast id 2jK11q00G4uhcbK01jK2sM; Thu, 12 Mar 2015 19:19:02 +0000
Message-ID: <5501E6A5.5040608@brainhub.org>
Date: Thu, 12 Mar 2015 12:19:01 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: "cfrg@irtf.org" <cfrg@irtf.org>
References: <54F8E735.2010202@isode.com>
In-Reply-To: <54F8E735.2010202@isode.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1426187942; bh=yFu6ZNLZNk+o/amlquNE7WqwWFZ4MHPSGTdAFZ9L988=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=WL/WaOl1ehfhQN+ioM1FEJVZSdVaNAqk+IL+YMl93BZPvSCeNMCJ9xRypCfAg6T9g E6eH4sjHNu4N4uhuRb4tG9mUYx1++HrFEvj+cf6Y1OZgiCBB3Gp3BTt6vGWIQfGGwx WgC6OnZKxbYaX++Cl0n1dZuwJvDFTAv0RJT8EK45Kk8Qn5G2rDqac9WJ+Cshyjokrj KQ8LeORi9ZwwTbfuaHo3pFnCVVaE7rWbLKXKHWvIVie5yifD4yFj1N53npYwXrfbUp DTGU0Qds+P9khgQG2ie5ftRqAxryxfPa0ITF6WumVIw0BaKnznnDlhiiNtnHeMy4hK gfIse/TEN/aWQ==
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/ssVPBEVxCejjrrJiN2hld6e9QKQ>
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems (ends on March 12th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2015 19:19:05 -0000

On 03/05/2015 03:31 PM, Alexey Melnikov wrote:
> CFRG chairs are starting discussion of the next topic:
>
> Q4: draft-irtf-cfrg-curves-01 currently contains curves in both 
> Montgomery form and Edwards form. The scalar multiplication routine is 
> specified using Montgomery form (and is specific to Curve25519, which 
> will need to be changed given our decision to include a higher 
> security level curve). Its input is a scalar and the u-coordinate of a 
> point on a Montgomery-form curve; its output is the u-coordinate of a 
> point on a Montgomery-form curve. The DH function builds on this 
> routine. Do we want to stay with specifying the inputs and outputs in 
> Montgomery form for these routines? Or do we want to switch to an 
> alternative curve form and coordinate system for defining the 
> routines? If so, which form and coordinate system?
>
>
> [Chairs are aware that it is possible to switch back and forward 
> between different curve forms and coordinate systems, with associated 
> costs, no matter which form is specified for the inputs and outputs of 
> the routines. But we now have to decide *which* form we want to use 
> for inputs and outputs, so as to ensure interoperability between Alice 
> and Bob. Chairs did not want to implicitly force the choice of 
> Montgomery form/coordinates without polling the group first.]
>
>
>
> Once this issues is settled, we will be discussing (in no particular 
> order. Chairs reserve the right to add additional questions) wire 
> format, byte order and signature schemes. Please don't discuss any of 
> these future topics at this time.

A unified binary representation for a public key Q=k*G on the same curve 
is preferred, regardless of the fact that the Q is used with ECDH, 
ECDSA, EdDSA, PAKE, etc. My proposal incurs no (measurable) performance 
penalty for the proposed unification.

Consider the benefits of a single set of test vectors, code reuse, and 
the benefits of sharing pre-computed values. This proposal simply 
matches the capability of currently deployed ECC.

I propose the Montgomery curve representation (u, v), which can be used 
for signatures on the same curve.

"u" is identical to the sec 9 of 
https://tools.ietf.org/html/draft-agl-cfrgcurve-00.
"v" is calculated (at virtually no additional computational cost) as v = 
u^3 + 486662*u^2 + u

I am aware of the desire to enforce a key use type at the crypto level, 
but a widely used practice today on TLS servers is to require that a RSA 
server has both digitalSignature | keyEncipherment in its X.509 cert, 
otherwise such a TLS Web server cannot support ECDHE-RSA-AES128-SHA 
(digital signature) and AES128-SHA (RSA key transport) ciphersuites 
preferred by different clients with a single RSA key pair.

A sample of the interest in unified format can be found here:
https://github.com/agl/ed25519/blob/master/extra25519/extra25519.go 
(converts from Edwards to Montgomery for Curve25519)
https://github.com/dchest/ed2curve-js (dedicated to this conversion). 
Also please check other references listed in "Other libraries" there.

* An implementation that uses a Montgomery ladder simply ignores v (it 
only calculates v by reusing F(p) operations from its ECDH scalar 
multiplication code)
* This format allows more internal implementation choices
* The format is friendly for crypto algorithms that need to add points 
(as opposed to ECDH only)
* When a software library must implement both signatures and ECDH 
(something we assume to be common in the future) or even is interested 
in truly ephemeral public keys for ECDHE, the Montgomery ladder in sec 9 
is insufficient. Once that "other code" is written, it can do the job of 
Montgomery ladder at about the same speed.
* This proposal incurs 32 additional bytes of storage overhead for the 
public key, for the total of 64 bytes (compare this with 260+ bytes for 
RSA 2048).

Not sending u means that an implementation must incur ~10% performance 
penalty to recover v (unless the implementation is a Montgomery ladder, 
which doesn't need v). This is a headwind for any future internal 
improvement. On the other hand, calculating the v costs about 2M, under 
0.1% of the entire ECDHE cost.

v2.23.0 | Report a Bug | By Email