IETF Logo Mail Archive

Re: [Cfrg] Fwd: [TLS] Curve25519 in TLS and Additional Curves in TLS

Robert Ransom <rransom.8774@gmail.com> Tue, 28 January 2014 14:47 UTC

Return-Path: <rransom.8774@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 053B31A02CF for <cfrg@ietfa.amsl.com>; Tue, 28 Jan 2014 06:47:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0MdfEdkGlck for <cfrg@ietfa.amsl.com>; Tue, 28 Jan 2014 06:47:50 -0800 (PST)
Received: from mail-qa0-x22b.google.com (mail-qa0-x22b.google.com [IPv6:2607:f8b0:400d:c00::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 768671A0227 for <cfrg@irtf.org>; Tue, 28 Jan 2014 06:47:50 -0800 (PST)
Received: by mail-qa0-f43.google.com with SMTP id o15so580881qap.30 for <cfrg@irtf.org>; Tue, 28 Jan 2014 06:47:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=TABozthbvYmIChexSgg7B6lu27uM1wT/qiS96jSEgZs=; b=x/EN2/nt0oYm7IEPU11+xSWfpNlexRyZ2bXkFQzeBOHtviEQzaxQR77KqQ8/4/r7Gm q4GQ+vZAUINdj/G+76HhVgWJWmRCZMgBmMgyHUhdLAuJ4Q7dBRZFMoBbSLZvf+xCGo5X NRIftTjo3KweDppU6LE7TFWkz7fXpsIPd4J9P1Q1L3cTGvMASqnalBnTnGk47QTR8pyH XGObIc0RAGwPClsG2sYFkrP6pxqs3z/mWE5IhnnbCZWBwr2RlSwbnho7di32fVvIGJ6V jUs3VlfRoHvYFE5PWAZUvxDQfJxbKWy4LIrhdElmzj6ql3YgMEgdNeTv74D8SnIYx+yy l23w==
MIME-Version: 1.0
X-Received: by 10.140.44.6 with SMTP id f6mr2884142qga.10.1390920467598; Tue, 28 Jan 2014 06:47:47 -0800 (PST)
Received: by 10.140.86.42 with HTTP; Tue, 28 Jan 2014 06:47:47 -0800 (PST)
In-Reply-To: <52E76999.5030809@brainhub.org>
References: <87ob3456s1.fsf@latte.josefsson.org> <CABqy+spt7BYqjsqLAkZssGp3aY9M+iLqV+pmyr7ZN-TXmJJpVg@mail.gmail.com> <52E060D0.9030801@polarssl.org> <CABqy+spJoswrPovxf18QS1SGdk6K=mfny6joJm3X24Vh65oagQ@mail.gmail.com> <52E0E241.40406@polarssl.org> <CABqy+sqs31ATDWJSum55m1o5pRvw8Wq5GtB-mF-hgP2emB5eFQ@mail.gmail.com> <CABqy+sozYSOTh7pbUS2GXf=4kYV3zgztXZBa10Bx=s-N8zHHyA@mail.gmail.com> <CABqy+soSojSMfx=yU9eFhmAeuJaJ_r=4h=RDR6JtOchYZ9zsQA@mail.gmail.com> <52E1BAE0.8060809@brainhub.org> <CABqy+sqpJr8Vki7-hP4nvwz0VP6+-1RnZ8taz6MZsxkWXfm8FA@mail.gmail.com> <52E76999.5030809@brainhub.org>
Date: Tue, 28 Jan 2014 06:47:47 -0800
Message-ID: <CABqy+sp92+=YAmvfTFLnvFhR_FAZYD9aoYSo=gbkUVybZW5uDQ@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Andrey Jivsov <crypto@brainhub.org>
Content-Type: text/plain; charset="UTF-8"
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Fwd: [TLS] Curve25519 in TLS and Additional Curves in TLS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2014 14:47:52 -0000

On 1/28/14, Andrey Jivsov <crypto@brainhub.org> wrote:
> On 01/23/2014 06:58 PM, Robert Ransom wrote:
>> On 1/23/14, Andrey Jivsov <crypto@brainhub.org> wrote:
>>
>>> Wouldn't http://tools.ietf.org/html/draft-jivsov-ecc-compact be another
>>> method?
>>
>>> ( BTW, the proposal in the draft is in public domain since it was
>>> published on December 10, 2012. )
>>
>> Are you claiming that the point format that I suggested is patented?
>
> I was making a statement about my contribution, in case this issue comes
> up.
>
> The IP for the use of 1 bit to compress a point is a common knowledge,
> but I've heard that some of them are expiring.

If you are referring to the patent addressed in
<http://cr.yp.to/patents/us/6141420.html>, claim 29 of the same patent
covers point decompression with your proposal.


> However, I am concerned about the cofactor issue. These curves have the
> cofactor greater than 1. Unlike "unsafe" NIST curves, this needs to be
> handled. The draft suggest methods that, as I understand them, may run
> into IP issues. Besides, there may be protocols that want to do classic
> DH. One solution to these issues is to enumerate the points in the small
> subgroup, explicitly in the document, or by providing the method to
> identify them.

U.S. patent 6,226,383 (Jablon) claims 31 and 32 cover the use of your
suggestion in ECDH.


Dr. Bernstein's paper which specifies Curve25519 for use in ECDH
addresses its groups' cofactors by (a) generating Diffie-Hellman
keypairs such that the secret exponent is divisible by the cofactor
(as is common in multiplicative-group Diffie-Hellman, where the
cofactor is at least 2), and (b) requiring that the shared-secret
group element be used only as input to a hash function or hash-based
KDF (as is required for all Diffie-Hellman systems).

Are you aware of any specific patent claims which cover these
techniques, or are you merely trying to spread patent FUD?


Robert Ransom

v2.23.0 | Report a Bug | By Email