IETF Logo Mail Archive

Re: [CFRG] compact representation and HPKE

Dan Harkins <dharkins@lounge.org> Mon, 08 February 2021 22:42 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 852FE3A1680 for <cfrg@ietfa.amsl.com>; Mon, 8 Feb 2021 14:42:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R71guQiLumct for <cfrg@ietfa.amsl.com>; Mon, 8 Feb 2021 14:42:26 -0800 (PST)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A5F13A167F for <cfrg@irtf.org>; Mon, 8 Feb 2021 14:42:26 -0800 (PST)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QO80AY24F2OWJ@wwwlocal.goatley.com> for cfrg@irtf.org; Mon, 08 Feb 2021 16:42:25 -0600 (CST)
Received: from blockhead.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QO800ADNF1KU2@trixy.bergandi.net> for cfrg@irtf.org; Mon, 08 Feb 2021 14:41:44 -0800 (PST)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO blockhead.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Mon, 08 Feb 2021 14:41:44 -0800
Date: Mon, 08 Feb 2021 14:42:22 -0800
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <99c28b97-332d-af67-0895-a1bd251153bb@lounge.org>
To: cfrg@irtf.org
Message-id: <934cbf19-1e16-24cd-7442-85fb8d41fcb1@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_4whoxVKkuFmcNeCJXz8ysA)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO blockhead.local)
References: <0fcfb0ed-249b-7cd3-09ba-ed1c73122383@lounge.org> <4C4DE4EC-1A5B-48F5-871E-B7D323EF63D5@ericsson.com> <CAL02cgQFGcWjpFV1nFVg2T3aCat6U-uuzUQ_YsUYLHvQq+ZuiQ@mail.gmail.com> <5C12F8B7-99E2-40DA-8A3C-8930E652C77F@shiftleft.org> <99c28b97-332d-af67-0895-a1bd251153bb@lounge.org>
X-PMAS-Software: PreciseMail V3.3 [210208] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/yzXvFgEr3-1-BUcMyEP8vqxD1Eg>
Subject: Re: [CFRG] compact representation and HPKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2021 22:42:29 -0000

   Hello again,

   I'd like to resurrect this before it becomes "it's too late to make 
changes
that affect the wire". I created a pull request on github some time ago but
it's been ignored so let me try again here (we still technically do our work
on mailing lists).

   When I brought it up initially there was a +1 and, as Mike notes, the
y-coordinate is not needed. This 04 || x || y format for a key is just some
ancient Certicom proposal and there's really no reason to perpetuate that.

   The y-coordinate is extraneous. Getting rid of it for the NIST curves 
will
make the API much cleaner and consistent.

   This will reduce the size of the serialized public key by more than 50%
and for apps that care about such things this would be a tremendous
improvement.

   Richard noted that one can lop off the 04 and the y-coordinate after
serialization and pass x alone as part of the app using HPKE and then have
the other size reconstruct it (with either y since the sign doesn't
matter) before passing it on to be deserialized. While technically true,
that completely defeats the whole point of formalizing this process.

   In my pull request I noted that it does change the test vectors and that
I would be happy to generate them. Well, I did it. I have new test vectors
(based on -07) and will happily contribute them if asked. If the test 
vectors
get changed again (with a new version string) I can reproduce new ones minus
the y-coordinate in a matter of minutes.

   Please consider this request. There is no downside to it.

   regards,

   Dan.

On 11/6/20 4:44 PM, Dan Harkins wrote:
>
>   Yes, this is exactly right. The y-coordinate is not needed for these 
> KEMs
> as the sign is unimportant.
>
>   The spec will be simpler and the interface more uniform if you do this.
>
>   The whole point of HPKE is to make a callable API out of this 
> process that
> had been done ad hoc. Requiring a app that is taking advantage of this 
> API
> to take the output of the API and parse through it, throwing away one half
> of one of the output strings and lopping off the first octet, is defeating
> the whole purpose and is expecting a lot. The more this is a black box the
> better.
>
>   regards,
>
>   Dan.
>
> On 11/6/20 3:19 PM, Mike Hamburg wrote:
>> Hello Richard,
>>
>> I haven’t paid much attention to HPKE, so it’s likely I’m missing 
>> something here, but why not use the x-only Montgomery ladder on NIST 
>> curves?  That’s the fastest and simplest approach, and it can operate 
>> with or without the y-coordinates.
>>
>> Also, some implementations do not compute both the x- and 
>> y-coordinates, and it would be more convenient not to compute or send 
>> even a sign bit if you’re intending to use an x-only ladder.
>>
>> Cheers,
>> — Mike
>>
>>> On Nov 6, 2020, at 10:19 PM, Richard Barnes <rlb@ipv.sx 
>>> <mailto:rlb@ipv.sx>> wrote:
>>>
>>> Nothing about this says that you have to *send* the keys 
>>> uncompressed.  You can use whatever representation you want on the 
>>> wire.  You just have to decompress them before you put them into the 
>>> key schedule. Which you're probably doing anyway, because you need 
>>> both coordinates to do point multiplication with these curves.  So I 
>>> am inclined not to make this change.
>>>
>>> --Richard
>>>
>>> On Fri, Nov 6, 2020 at 4:52 PM John Mattsson 
>>> <john.mattsson=40ericsson.com@dmarc.ietf.org 
>>> <mailto:40ericsson.com@dmarc.ietf.org>> wrote:
>>>
>>>     +1
>>>
>>>     Sending the keys uncompressed makes HPKE unsuitable for
>>>     constrained IoT.
>>>
>>>     -----Original Message-----
>>>     From: CFRG <cfrg-bounces@irtf.org
>>>     <mailto:cfrg-bounces@irtf.org>> on behalf of Dan Harkins
>>>     <dharkins@lounge.org <mailto:dharkins@lounge.org>>
>>>     Date: Friday, 6 November 2020 at 21:00
>>>     To: CFRG <cfrg@irtf.org <mailto:cfrg@irtf.org>>
>>>     Subject: [CFRG] compact representation and HPKE
>>>
>>>        Hello,
>>>
>>>        When doing a DH-based KEM with the NIST curves, HPKE
>>>     specifies that
>>>     SerializePublicKey and DeserializePublicKey use the uncompressed
>>>     format
>>>     from SECG. This ends up using 2*Ndh+1 octets to represent the serial
>>>     form of the public key.
>>>
>>>        Since compact output is being used in DH-based KEMs-- that
>>>     is, the
>>>     secret result of DH() is the x-coordinate of the resulting EC
>>>     point--
>>>     it would also be possible to use compact representation (per RFC
>>>     6090)
>>>     and have SerializePublicKey merely do integer-to-octet string
>>>     conversions of the x-coordinate. DeserializePublicKey would then
>>>     do octet string-to-integer conversion for the x-coordinate and
>>>     use the
>>>     equation of the curve to choose the y-coordinate. The sign isn't
>>>     important because we're doing compact output.
>>>
>>>        This would make the interface for the NIST curves and the
>>>     Bernstein
>>>     curves be uniform-- Serialize would produce an octet string of Ndh
>>>     and Deserialize would consume an octet string of Ndh-- at the cost
>>>     of some CPU inside DeserializePublicKey.
>>>
>>>        Please consider this suggestion.
>>>
>>>        regards,
>>>
>>>        Dan.
>>>
>>>     -- 
>>>     "The object of life is not to be on the side of the majority, but to
>>>     escape finding oneself in the ranks of the insane." -- Marcus
>>>     Aurelius
>>>
>>>     _______________________________________________
>>>     CFRG mailing list
>>>     CFRG@irtf.org <mailto:CFRG@irtf.org>
>>>     https://protect2.fireeye.com/v1/url?k=513cd874-0ea7e231-513c98ef-867b36d1634c-ce26b08a2499b9a3&q=1&e=4f2b4ce0-8d52-4a80-b41e-0f7537355d35&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg
>>>
>>>     _______________________________________________
>>>     CFRG mailing list
>>>     CFRG@irtf.org <mailto:CFRG@irtf.org>
>>>     https://www.irtf.org/mailman/listinfo/cfrg
>>>
>>> _______________________________________________
>>> CFRG mailing list
>>> CFRG@irtf.org <mailto:CFRG@irtf.org>
>>> https://www.irtf.org/mailman/listinfo/cfrg
>>
>>
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>
> -- 
> "The object of life is not to be on the side of the majority, but to
> escape finding oneself in the ranks of the insane." -- Marcus Aurelius
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

v2.23.0 | Report a Bug | By Email