Re: [Cfrg] [saag] A proposal for compact representation of an elliptic curve point (ECC point compression)
Dan Brown <dbrown@certicom.com> Wed, 12 December 2012 18:41 UTC
Return-Path: <prvs=9693c77741=dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF5601F0CDC for <cfrg@ietfa.amsl.com>; Wed, 12 Dec 2012 10:41:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.053
X-Spam-Level:
X-Spam-Status: No, score=-5.053 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LNC5umwAzq9C for <cfrg@ietfa.amsl.com>; Wed, 12 Dec 2012 10:41:04 -0800 (PST)
Received: from mhs060cnc.rim.net (mhs060cnc.rim.net [208.65.73.34]) by ietfa.amsl.com (Postfix) with ESMTP id 199C01F0CDA for <cfrg@irtf.org>; Wed, 12 Dec 2012 10:41:03 -0800 (PST)
X-AuditID: 0a41282f-b7fea6d000001d56-c0-50c8cfb13308
Received: from XCT106CNC.rim.net (xct106cnc.rim.net [10.65.161.206]) by mhs060cnc.rim.net (SBG) with SMTP id 6D.59.07510.1BFC8C05; Wed, 12 Dec 2012 12:40:49 -0600 (CST)
Received: from XCT111CNC.rim.net (10.65.161.211) by XCT106CNC.rim.net (10.65.161.206) with Microsoft SMTP Server (TLS) id 14.2.318.1; Wed, 12 Dec 2012 13:40:49 -0500
Received: from XMB111CNC.rim.net ([fe80::fcd6:cc6c:9e0b:25bc]) by XCT111CNC.rim.net ([::1]) with mapi id 14.02.0318.001; Wed, 12 Dec 2012 13:40:48 -0500
From: Dan Brown <dbrown@certicom.com>
To: 'Andrey Jivsov' <openpgp@brainhub.org>, "saag@ietf.org" <saag@ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [saag] A proposal for compact representation of an elliptic curve point (ECC point compression)
Thread-Index: AQHN1+JKYfEillVVT0CYN/ZbTZXZi5gVcVkg
Date: Wed, 12 Dec 2012 18:40:48 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF50ECB6A@XMB111CNC.rim.net>
References: <50C79E2A.9040100@brainhub.org>
In-Reply-To: <50C79E2A.9040100@brainhub.org>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.245]
Content-Type: text/plain; charset="us-ascii"
content-transfer-encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrOKsWRmVeSWpSXmKPExsXC5bjwnO7G8ycCDJZP07To/nGQyeJ11y8m iyn9nUwOzB63px9m81iy5CeTx+SNh9kCmKMaGG2SEkvKgjPT8/TtbBLz8vJLEktSFVJSi5Nt lXxS0xNzFAKKMssSkysVXDKLk3MSM3NTi5QUMlNslUyUFApyEpNTc1PzSmyVEgsKUvNSlOy4 FDCADVBZZp5Cal5yfkpmXrqtkmewv66FhamlrqGSnW5CJ0/GlOO3WAqmKlfMb3jI2MB4QKaL kYNDQsBE4kWTdhcjJ5ApJnHh3nq2LkYuDiGBVYwSs/uWM0E4Kxklbi4/C+XMYZQ42NvICNLC JqAqcf/oOWaQSSICeRL/tteBhIWBzO7La9hAbBGBfInN+9dD2UYSLbt62UFsFqDW1vlHmEBs XgE3ieX/14CNFBLQlnja/gasnlNAR+LSuyfMIDajgKzE7rPXweqZBcQlbj2ZzwRxtYDEkj3n mSFsUYmXj/+xQtiKEqtf3WKDqNeRWLD7E5StLbFs4WtmiL2CEidnPmGB2KsgceX6PpYJjOKz kKyYhaR9FpL2WUjaFzCyrGIUzM0oNjAzSM5L1ivKzNXLSy3ZxAhOKRr6Oxjfvrc4xCjAwajE wztxx4kAIdbEsuLK3EOMEhzMSiK8bgeAQrwpiZVVqUX58UWlOanFhxhdgSE0kVmKOzkfmO7y SuKNDQxwc5TEeZWZDwYICaQDk1V2ampBahHMHCYOTpA9XFIixcCUk1qUWFqSEQ9KjPHFwNQo 1cCY8tIgWk3/1eqLvz8kbDmXdsF1r+2Lk2cvZ7RZHmN3OfegwUf2U2fs1n9L1nbM4b7PL2vc sEFhcsBFhgu9Dsfzu3qCHy32O2fgaVvx66I5h8fL8jSTx15pRl9THDy/3/q2KsSAb6Zs2DfO sDvmxxrffFh+NHe9ypyVHgof/WIm85yYmzxN4dMvJZbijERDLeai4kQA4ER++WoDAAA=
Subject: Re: [Cfrg] [saag] A proposal for compact representation of an elliptic curve point (ECC point compression)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Dec 2012 18:41:05 -0000
Hi Andrey, Some quibbles. The SEC1 EC point format profiles the ANSI X9.62 and IEEE 1363 formats. My belief is that octet strings, rather than integers, were chosen (long before I was involved) for these formats because (at least partly, and perhaps mainly) these standards also allowed other finite fields (binary and odd characteristic extension fields), which are not naturally represented by integers. The SEC1 format also has the property of being a prefix-free encoding (for a given elliptic curve), which I think was intentional. My limited understanding of networking theory is that prefix-free encoding helps to avoid misinterpretations of streams. Well, at least DER encoding of ASN.1 seems (to me) to be prefix-free. Certainly, the SEC1 format prefix-free property is redundant when inside an ASN.1 wrapper, but otherwise, if used outside of ASN.1, the prefix-free property of SEC1 may be a little helpful. Your ID mentions power-of-two byte alignment. I understand alignment to be quite important for storage, but how important is it for networking? (Octet string formats help networking interoperability; for local storage, an implementation can really use any format.) Because your format specifies integers, it can fit into an ASN.1 type. The current ASN.1 types for ECC public keys (and generators in domain parameters) expect ASN.1 octet string types. These ASN.1 ECC public key formats would need to be changed. Some formats use two's complement, which assumes signed integers. I think that BER and DER use it for integers. This forces a sign bit, which could add a byte. Section 6 of your ID says a P-256 point will never exceed 32 bytes, but it might need an extra byte if DER encoded. (Please correct me if I am wrong, which is likely, since I am not an ASN.1 expert.) The extra sign byte would have value zero, which slightly conflicts with the SEC1 format for the point-at-infinity. Also, since DER encodings are variable length, the power-of-two alignment might suffer. Best regards, Daniel Brown Research In Motion Limited > -----Original Message----- > From: saag-bounces@ietf.org [mailto:saag-bounces@ietf.org] On Behalf Of > Andrey Jivsov > Sent: Tuesday, December 11, 2012 3:57 PM > To: saag@ietf.org; cfrg@irtf.org > Subject: [saag] A proposal for compact representation of an elliptic > curve point (ECC point compression) > > Greetings. > > > I thought that it would be useful for the Internet community to have an > IETF document that describes how to encode an ECC point. I will focus > on the elliptic curves over the prime fields here. > > http://datatracker.ietf.org/doc/draft-jivsov-ecc-compact > > > Cryptographic protocols defined in IETF most often work with large > integers, such as the modulus of an RSA key, which they encode with > some applicable protocol-specific method. > > Unfortunately, the default representation of an ECC point is not just a > "large integer". It is either a pair of integers of x,y, or x with > optional information about y. Additional metadata tagged to x,y is > common. The encoding of an ECC point needs further definition, plus the > additional complexity is present due to the decisions to make ECC point > compression optional (I suspect on the ground of IPR concerns). > > In the ideal world the situation would be the following: there is an > RFC for ECC point definition; it uses compact representation; the > representation is just a large integer; it's free of patents; secure; > and that's the default mandatory method in every IETF standard. > > I am proposing here a format that in my opinion comes the closest to > the ideal features outlined above. Getting to the ideal world is > another story, but the first step on this journey is a working method > that I am pleased to present here. At the very least, the new protocols > can take advantage of the proposal; otherwise the new submissions will > likely to gravitate towards the SEC1 format, at least on the practical > grounds because the SEC1 is the only popular format that is searchable > and publicly available. I would like to offer an alternative / useful > point of reference to future standards. > > Thank you. > > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag --------------------------------------------------------------------- This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
- Re: [Cfrg] [saag] A proposal for compact represen… Rene Struik
- Re: [Cfrg] [saag] A proposal for compact represen… Scott Fluhrer (sfluhrer)
- Re: [Cfrg] [saag] A proposal for compact represen… Dan Brown
- Re: [Cfrg] [saag] A proposal for compact represen… Russ Housley
- Re: [Cfrg] [saag] A proposal for compact represen… Rene Struik
- Re: [Cfrg] [saag] A proposal for compact represen… Scott Fluhrer (sfluhrer)
- Re: [Cfrg] [saag] A proposal for compact represen… Vadym Fedyukovych