Re: [Cfrg] Elliptic Curves - curve form and coordinate systems
Watson Ladd <watsonbladd@gmail.com> Mon, 16 March 2015 14:14 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41D461A87A1 for <cfrg@ietfa.amsl.com>; Mon, 16 Mar 2015 07:14:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lcx6BY2DW5EW for <cfrg@ietfa.amsl.com>; Mon, 16 Mar 2015 07:14:25 -0700 (PDT)
Received: from mail-yk0-x232.google.com (mail-yk0-x232.google.com [IPv6:2607:f8b0:4002:c07::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8919D1A8790 for <cfrg@irtf.org>; Mon, 16 Mar 2015 07:14:16 -0700 (PDT)
Received: by ykfs63 with SMTP id s63so18024525ykf.2 for <cfrg@irtf.org>; Mon, 16 Mar 2015 07:14:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=2VN8OTg4RG7kzz/X9pX9qdSLBTgdb8r5B/gI2i9yLKc=; b=cZAjQYsPpeCeRyHmANO2zEKobBPbIrFBcLhfW7+itB4pWAqZR3F6tTuv8tJe4A5bQU wHSJd+0NDercPJLZavC0jKg1tMNdMSA0i+FaNj32s1Oon0XV6IyJoh4mf+Gg96qkevJO hjw7ehylgkJcob+ApXFUe6Hz5z/Bfcof+Dbvg8USr7rkJKdRvsukaB5xtFlfG5n4u0Nl CC/jYWTI4hPSOFZ4+GlOu7I8HcqNVnanm0MHidrf1xVmRs+QROkN6N+8TuGft+hMRksY evLIWiBeAmz7csHfEpLSEpgYpRy8ZsIX8FnrnU/ZiWW/Xxm8plGJ3h06+uGoWbCbFf2T 1Aeg==
MIME-Version: 1.0
X-Received: by 10.170.185.133 with SMTP id b127mr44655945yke.28.1426515255915; Mon, 16 Mar 2015 07:14:15 -0700 (PDT)
Received: by 10.170.58.201 with HTTP; Mon, 16 Mar 2015 07:14:15 -0700 (PDT)
Received: by 10.170.58.201 with HTTP; Mon, 16 Mar 2015 07:14:15 -0700 (PDT)
In-Reply-To: <55068E9B.2050205@brainhub.org>
References: <20150316002255.28855.qmail@cr.yp.to> <5506699C.3070006@brainhub.org> <594C037C-CA11-4836-AC3C-4CF6F19970BE@shiftleft.org> <55068E9B.2050205@brainhub.org>
Date: Mon, 16 Mar 2015 07:14:15 -0700
Message-ID: <CACsn0cnCBESO3TDdh0bgwQscFTFuGQHeLE0QCp5PBON8z6N40g@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Andrey Jivsov <crypto@brainhub.org>
Content-Type: multipart/alternative; boundary="001a1139d34a187c08051168778b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/vKCb9Johi4d1nf6_L7L1FvYdqCM>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2015 14:14:28 -0000
On Mar 16, 2015 1:05 AM, "Andrey Jivsov" <crypto@brainhub.org> wrote: > > On 03/15/2015 11:50 PM, Michael Hamburg wrote: >>> >>> On Mar 15, 2015, at 10:26 PM, Andrey Jivsov <crypto@brainhub.org> wrote: >>> >>> In my proposal the v, the second coordinate, is only sent in the first flight (or a part of the public key in general). That's where we can expect that the Montgomery ladder will be less common. The second flight, the shared secret calculation, doesn't use v and thus there is no change to the Montgomery ladder. >>> Each 32 bytes arrive every 1/((200*10^6/8)/32) = 0.00000128 seconds (every 1.2 microsec on 200 Mbps). While we seem OK with the *whole* quad-code CPU, the CPU is a precious resource on a busy server (so in reality we are not OK in this scenario). Why pay 10% penalty? >>> >>> If we look at https://tools.ietf.org/html/rfc5246#section-6.2.1, the World is wasting 2 bytes per each >>> 2^14 bytes of traffic in the best case scenario. There is also some waste in 4K handshake and block cipher padding that could be eliminated. >> >> I understand that there are implementations out there other than the Montgomery ladder, and they >> require more compute time if you don’t send a v coordinate. It may be worth discussing further >> whether the communication cost to send v is more or less than the cost for the recipient to compute >> it, though I still expect that in most cases it is cheaper to recompute v. >> >> But this just doesn’t make sense for ECDH. You want to force *every* implementation, of >> which the considerable majority will probably be the Montgomery ladder, to send and receive an >> 32 extra bytes. You want to add non-negligible extra complexity to the simplest implementations >> (IOT) to make this happen. You want this so that a small (and so far hypothetical) minority of >> implementations can make a tradeoff of compute time vs communication that *still* might be >> unfavorable. I just don’t see how this adds up. > > > The protocols that cannot afford a few additional lines of code like in the diff https://github.com/brainhub/curve25519-donna/commit/abc601836b75ba6399c775842647e0f3b66061c4 might standardize on u only ( as I wrote in http://www.ietf.org/mail-archive/web/cfrg/current/msg06480.html ). I would like to hear more about these protocols, though. Your patch is not computing the correct sign bit. Why is having an alternative ECDH algorithm so important? It's not any faster, or easier to test, or simpler. The alternative implementations you are suggesting are less secure and less fast. > > On the Internet in general (YouTube, Netflix streaming) and TLS in particular, it's hard to see that ~32 bytes per (not reused) handshake matter. This part of the Internet is currently using uncompressed points and RSA. > > >> >> Cheers, >> — Mike >> >> PS: If you think it’s good to add 32 bytes to public keys to speed up signature verification, please >> consider the following proposal. Instead of adding a second coordinate, add the u coordinate >> of 2^128 * P and a sign bit. >> >> Compared to your proposed algorithm, this u coordinate saves 128 doublings (~~ 128*6.2 M in >> extensible or extended+Hisil’s lookhaead coordinates) at the cost of an extra decompression >> (~256*0.9 M), an extra wNAF table precomputation (~8*8M), and an extra fixed table for g, >> with a net savings of about 499M. That’s more than double what the v-coordinate saves, and >> almost the same math works for Ed448. >> >> I don’t actually want to do this. I’m just pointing out that “we should always trade space for time” >> is a silly argument, and if you buy it then there are better ways to do it. >> > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Viktor Dukhovni
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- [Cfrg] (flaws with Curve25519 DH function, if one… Rene Struik
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Viktor Dukhovni
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- [Cfrg] (flaws with Curve25519 DH function, if one… Rene Struik
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nico Williams
- Re: [Cfrg] (flaws with Curve25519 DH function, if… David Leon Gil
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Viktor Dukhovni
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Nico Williams
- Re: [Cfrg] (flaws with Curve25519 DH function, if… CodesInChaos
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Salz, Rich
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Watson Ladd
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Ilari Liusvaara
- Re: [Cfrg] (flaws with Curve25519 DH function, if… CodesInChaos
- Re: [Cfrg] (flaws with Curve25519 DH function, if… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alexey Melnikov
- [Cfrg] Elliptic Curves - curve form and coordinat… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Dan Brown
- Re: [Cfrg] Elliptic Curves - curve form and coord… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - curve form and coord… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - curve form and coord… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Mike Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nadim Kobeissi
- Re: [Cfrg] Elliptic Curves - curve form and coord… Adam Langley
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Adam Langley
- Re: [Cfrg] Elliptic Curves - curve form and coord… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - curve form and coord… Paul Lambert
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Salz, Rich
- Re: [Cfrg] Elliptic Curves - curve form and coord… Adam Langley
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nico Williams
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Dan Brown
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Paterson, Kenny
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Jakob Breier
- Re: [Cfrg] Elliptic Curves - curve form and coord… Phillip Hallam-Baker
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Nico Williams
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Jakob Breier
- Re: [Cfrg] Elliptic Curves - curve form and coord… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - curve form and coord… Watson Ladd
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Rene Struik
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - curve form and coord… Salz, Rich
- Re: [Cfrg] Elliptic Curves - curve form and coord… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - curve form and coord… Michael Hamburg