Re: [CFRG] compact representation and HPKE

Richard Barnes <rlb@ipv.sx> Fri, 06 November 2020 22:19 UTC

References: <0fcfb0ed-249b-7cd3-09ba-ed1c73122383@lounge.org> <4C4DE4EC-1A5B-48F5-871E-B7D323EF63D5@ericsson.com>
In-Reply-To: <4C4DE4EC-1A5B-48F5-871E-B7D323EF63D5@ericsson.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 06 Nov 2020 17:19:23 -0500
Message-ID: <CAL02cgQFGcWjpFV1nFVg2T3aCat6U-uuzUQ_YsUYLHvQq+ZuiQ@mail.gmail.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: Dan Harkins <dharkins@lounge.org>, CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/yt60RUEKYvd9Gy293deK29b1qP0>
Subject: Re: [CFRG] compact representation and HPKE

Nothing about this says that you have to *send* the keys uncompressed.  You
can use whatever representation you want on the wire.  You just have to
decompress them before you put them into the key schedule. Which you're
probably doing anyway, because you need both coordinates to do point
multiplication with these curves.  So I am inclined not to make this change.

--Richard

On Fri, Nov 6, 2020 at 4:52 PM John Mattsson <john.mattsson=
40ericsson.com@dmarc.ietf.org> wrote:

> +1
>
> Sending the keys uncompressed makes HPKE unsuitable for constrained IoT.
>
> -----Original Message-----
> From: CFRG <cfrg-bounces@irtf.org> on behalf of Dan Harkins <
> dharkins@lounge.org>
> Date: Friday, 6 November 2020 at 21:00
> To: CFRG <cfrg@irtf.org>
> Subject: [CFRG] compact representation and HPKE
>
>    Hello,
>
>    When doing a DH-based KEM with the NIST curves, HPKE specifies that
> SerializePublicKey and DeserializePublicKey use the uncompressed format
> from SECG. This ends up using 2*Ndh+1 octets to represent the serial
> form of the public key.
>
>    Since compact output is being used in DH-based KEMs-- that is, the
> secret result of DH() is the x-coordinate of the resulting EC point--
> it would also be possible to use compact representation (per RFC 6090)
> and have SerializePublicKey merely do integer-to-octet string
> conversions of the x-coordinate. DeserializePublicKey would then
> do octet string-to-integer conversion for the x-coordinate and use the
> equation of the curve to choose the y-coordinate. The sign isn't
> important because we're doing compact output.
>
>    This would make the interface for the NIST curves and the Bernstein
> curves be uniform-- Serialize would produce an octet string of Ndh
> and Deserialize would consume an octet string of Ndh-- at the cost
> of some CPU inside DeserializePublicKey.
>
>    Please consider this suggestion.
>
>    regards,
>
>    Dan.
>
> --
> "The object of life is not to be on the side of the majority, but to
> escape finding oneself in the ranks of the insane." -- Marcus Aurelius
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
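Dan's compact-representation proposal above, as an added example that is not part of the thread or of any HPKE implementation: x-only SerializePublicKey/DeserializePublicKey for P-256 in pure Python, with constructed private scalars, showing that recovering y from the curve equation with either sign yields the same x-only DH output.

```python
# Added example (not from the thread): x-only "compact" P-256 public keys as
# Dan Harkins proposes, in pure Python. Serialize emits x alone (Ndh = 32
# octets) instead of SECG uncompressed 0x04||X||Y (2*Ndh+1 = 65 octets);
# Deserialize recovers a y from the curve equation. DH() output is x only,
# so whichever sign of y is recovered gives the same shared secret.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
NDH = 32  # octets per field element, i.e. the length of an x-only key

def add(p1, p2):
    # Affine addition/doubling on y^2 = x^3 + ax + b; None is infinity.
    if p1 is None or p2 is None: return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None  # Q + (-Q)
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    # Double-and-add scalar multiplication (not constant time; demo only).
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def serialize_uncompressed(pt):  # SECG 0x04 || X || Y: 2*Ndh+1 octets
    return b"\x04" + pt[0].to_bytes(NDH, "big") + pt[1].to_bytes(NDH, "big")

def serialize_compact(pt):  # x-coordinate only: Ndh octets
    return pt[0].to_bytes(NDH, "big")

def deserialize_compact(octets):
    # Recover some y with y^2 = x^3 + ax + b; p = 3 (mod 4), so a single
    # exponentiation gives the square root. Reject x that is not on the curve.
    x = int.from_bytes(octets, "big")
    if len(octets) != NDH or x >= P: raise ValueError("bad x-only encoding")
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs: raise ValueError("x is not on the curve")
    return x, y

def dh(sk, pk_octets):
    # DH() with compact output: the shared secret is the x-coordinate only.
    return mul(sk, deserialize_compact(pk_octets))[0].to_bytes(NDH, "big")
```

As Richard notes, the full point is still reconstructed before scalar multiplication; only the wire form shrinks from 65 to 32 octets.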