IETF Logo Mail Archive

Re: [CFRG] compact representation and HPKE

John Mattsson <john.mattsson@ericsson.com> Wed, 10 February 2021 11:59 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1F9F3A0E04 for <cfrg@ietfa.amsl.com>; Wed, 10 Feb 2021 03:59:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.25
X-Spam-Level:
X-Spam-Status: No, score=-2.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9AsGfEbGwJQk for <cfrg@ietfa.amsl.com>; Wed, 10 Feb 2021 03:59:46 -0800 (PST)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2076.outbound.protection.outlook.com [40.107.22.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7977F3A0E07 for <cfrg@irtf.org>; Wed, 10 Feb 2021 03:59:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AYTK7/2AcClL7YKzgT4dn6AIaPRk0Rqobs1wCLdMEQUPpyyB+b2X81e7xRLS7YJUxvWkPNvlvpWZnC4IWJX5reCli/zTpTcRL+W1JHtisvRJxBAHJYlMHpRUsgKyMxAwK+HeO86kUlrAVoaRfEdc3AMPoiiJ9oUrTITJCfWIvwmeEuXmnwT/vWgtj/AzhOfRCIH0STamprsrumVvfYcHbGMhWkfYObogPrSQUggfBOVhWlz9jJwLndPvLuBx17diqf/ekjrOIwmDflPSPBuNH7c1inNyNZGgamtgD5yBF8CFCLAgSAzzTvjN3cSZQ93wLRpZCbR0zTX7sfcbEI773A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=N8D9ndnT5uIUxqv08eYcnfr8+M3Bg6MGu4VqUIw7mxU=; b=OUej8qN0XRMwzh1GQ8FX4yD5lvNeh5jL0Y1ZZdL335alT1oGasTJTmEGi5vbxCTObswfxO3DfxeZDrR0Zk0fuRZ+F+3q7ymHcSBK4h4fxovd/meYqyL3oL7VXunSimVWLVrrqmasZ3e+64Tk+qRGrhA4I3y0iAFRXGglFj6Xq0YmkObLFnbNGpiTnenpD6RKp5FwyvwamJtEt9GXTEd5viDUgucrH+eZGf8VoBK6Q81a6vzsK67qwDhNK6zv6ruyC9b2ONLsmAIt+ceeL9+DP1z/nsfT3811kXKxr/ruas9x71EXgeZIudket/kGNV8iijq4VmUwSNVQ/LvrvKOCRg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=N8D9ndnT5uIUxqv08eYcnfr8+M3Bg6MGu4VqUIw7mxU=; b=ViIHYzLoKAulU8CVA0ph7jvzmSNmjJLQBOdmRrxzxuLhFqwZY4dl3FeY9K9HdbTtXB0RE/km+351RBGLhOq/+rS587oSHZd12DIhDY4my3PToLzvFBcrQmqwcanqqWyNxyWn7t8LjmVLDAbGt3XZwMHC23fCoc9MqF5PeEXj4J4=
Received: from (2603:10a6:3:4b::8) by HE1PR07MB3083.eurprd07.prod.outlook.com (2603:10a6:7:2f::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3805.15; Wed, 10 Feb 2021 11:59:41 +0000
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::c555:6e47:970c:1268]) by HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::c555:6e47:970c:1268%11]) with mapi id 15.20.3846.027; Wed, 10 Feb 2021 11:59:41 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Dan Harkins <dharkins@lounge.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] compact representation and HPKE
Thread-Index: AQHWtHd/qk8nkHIbjU6W/w1XmEnRGqm7tdKA///3AYCAABDDgIAAF8eAgJOZBwCAAoHdgA==
Date: Wed, 10 Feb 2021 11:59:41 +0000
Message-ID: <7A10C0C6-CEBB-496C-9264-63D7153DC3A7@ericsson.com>
References: <0fcfb0ed-249b-7cd3-09ba-ed1c73122383@lounge.org> <4C4DE4EC-1A5B-48F5-871E-B7D323EF63D5@ericsson.com> <CAL02cgQFGcWjpFV1nFVg2T3aCat6U-uuzUQ_YsUYLHvQq+ZuiQ@mail.gmail.com> <5C12F8B7-99E2-40DA-8A3C-8930E652C77F@shiftleft.org> <99c28b97-332d-af67-0895-a1bd251153bb@lounge.org> <934cbf19-1e16-24cd-7442-85fb8d41fcb1@lounge.org>
In-Reply-To: <934cbf19-1e16-24cd-7442-85fb8d41fcb1@lounge.org>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.45.21011103
authentication-results: lounge.org; dkim=none (message not signed) header.d=none;lounge.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0e8f08ca-8e98-455b-ef61-08d8cdbb598f
x-ms-traffictypediagnostic: HE1PR07MB3083:
x-microsoft-antispam-prvs: <HE1PR07MB30831ACE1274FD9E13C95EE5898D9@HE1PR07MB3083.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 3qhO1XW6zDnj20DGz1CbMA6yWJVeYOf/AoRpqlRQWzK5TIgejn9CmOnUcXcU0bNQRnZSXLki/RDh14NY1BnzUvrS85nh6w8ZYb4YO8pUbFjcn5nnkHoJSHUiE/xuPplOM+kvjhTOdtOe55ZJlh5CJkVW/DA+YkbkK9Mu0MII+imY08NioGarHiwR8OlhTqqlCxa8pt3i/jHKY5q8QkCjXSfODtJLfH02PsCtDDUCKc+ZuiI3DXjvXLn9Rkgyno/PaxiC9Xq0bepITitth0f4tQF2WKV4ONcyU2miDtFTRIqRsSdwE83MaWafl4HeTcZxamPzk/a14W7h+l4t0KdPZ0wyR91S9IqaKFSwrBq0LHlRY1Y77NpkORT6GF7wMrsn9YAYMVt6uf9Domy/Gob94qshJrafh5dQMzlCGIjuy4zZ+SPdp7sK650mqA7cFD4wtjAQY8HpwHSt+E+6fwqWt6dzc6iaAUvI9seL7mbIawqDdM9oSM7hoFBWifmCBPiGwg1fn/G8IRG29u5QnjsK7Jipr8BP55GapQvqzpiHYMGLhZLicrx/G/Ox8Bt8lSDKKmjOPiGJ6l8razG80otSsFoT3wOBNN5Oh/Gi9S29tQRnkDgThIQauu2lbVmOKAVanfvxUE+WuJ6klto3oswtxyZTXlKsYTrfn+bsAGD58M8=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB3050.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(396003)(376002)(39860400002)(136003)(366004)(166002)(66476007)(66946007)(2906002)(5660300002)(66446008)(6506007)(36756003)(76116006)(83380400001)(316002)(6486002)(71200400001)(8676002)(110136005)(66556008)(44832011)(86362001)(8936002)(478600001)(186003)(64756008)(53546011)(966005)(6512007)(33656002)(2616005)(26005)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: Xz2HSTnJT8D4+lJEwJi2zYD8aeGbwxKiH/46WxiZMhlAc//DcplucKxj9Ox04fymRDTP1M1J/4WgPriSs2Ab4nqDDzTLufohTyxaKTxlmyFyoSrQ9ktRGXs/HnS+ld/SDzZ12yHj/8xDKRtUC57jJN1g+8Z4pOCPMtjoCI3CnqzQ/SizFNrZ36fu21YXNdSK7HA79fVrT0lMep7kaueHqpkB3/ecks0S0rDi+Xk9qy3tuqTq2mrnsegzHdqfBKaBq+nlAAyWWhwJEfwWRLaGehu2/5H28SY0dimwUzLagsiAs8Yvn5xOcK53cSy8uh7hzVWI5tsBpjM3ZA1XNSF7Ee0LySD4DT3QMK/+9zJFPQngiZ1pxsALq1SwmkvSzMzcAsrIzZzXcfgASP4EWuCpkGsSJ14bZfA1NzNMGF1pEpDU6rP0j8AvkZLOwWdQglbwfDH0MfSh6FLiACtH6Td2z9ITFmTT8gPOYxOHx8b9ESFI/zpf17QQxda0IGoWJhQtIdj1Zn5eldGLMnwcr+WNKlki4nmvs/tSBNg+zgESp+JEayF8SSH3Gz0K/mbcgWEWdAblBQ29RsAAnIMlPPcR9LsIW8pv6W4jJYYToZ1/Xo2+wKBmNJ1PfcMnTbPtrW5FwCbRDhmbcdTobWis6+O1roq9jCcm2w/Cjxpl9uTUs/HXeSXgoPW1a2qwf3PDWt9VaYSMiUkK0SK7lr9tWT2euxKjGPYaiWWRgzRQtQUnTSDcYklqCMzd6jPyR8xKtKEjyv9ZvrnDLdrX0YPAvl79STiqiE68CYLPLa4HS+RKpWECS/011f8xNPntyYVoC1RBRzSPrWVKSMeG+ofPeaPD5G1Lf+7zs8iR1TyH501hV0b/xPWpcGBvAizJx4bIOazEeZW86y4STP3yK2FN/IShfczPeGgN8jOe3flKv191LinCvZK/0yzFxWlY8BSht7T9cDli4O1CS9O/+0gN13fMi9XVYVy5rO6QVbo1xAd90WHMvmde5UHQwjbZwSc79UFRulc0Ra1nekotfHqmbtt/mb372rcex28zBb2tdH+FJ9fnV8YvT8cP+TnXaOrJaLGV/oHKGh4RGQzn/Um9pcRoDo7P0m2sbCeZbFTsqi7WBKx3XsE4VVRiKpnEAAPAcTEMhvXcHaPyY3t0VQgN41irpeuA8/SsC+S9mfnDtUMy5nDp1eoVmK05B05j7n1RHrrUkEr4Ge8LhJtwr6+brxNV8FbW+Q/tikBD/g+IMfCu8BKL7zUTKpeFwNohDiT53UZL57iXdSVdguy13KKo5jtXGwMyaj1dWKNJZvBcyaotoKJ9hEXdWu5fH28w6JTJQwvK
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_7A10C0C6CEBB496C926463D7153DC3A7ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB3050.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0e8f08ca-8e98-455b-ef61-08d8cdbb598f
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Feb 2021 11:59:41.7289 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Vma8WteyckMVOb4U0N6BdjyWc1wXVvuQ/+l/Xojx3eNpgW3aa0NdLx5jbeupF6ocUM7Ehdo4gtHnuQszvZk8la742KzDU1Nb0SQSZ9tu4yo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3083
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zj4UoJwoDJ3r5NdIwRRwhMNAd4Y>
Subject: Re: [CFRG] compact representation and HPKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Feb 2021 11:59:51 -0000

Great work Dan. I strongly think this is the way to go. Forcing implementations to calculate a not needed y-coordinate would be strange.

Cheers,
John

From: CFRG <cfrg-bounces@irtf.org> on behalf of Dan Harkins <dharkins@lounge.org>
Date: Monday, 8 February 2021 at 23:42
To: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [CFRG] compact representation and HPKE


  Hello again,

  I'd like to resurrect this before it becomes "it's too late to make changes
that affect the wire". I created a pull request on github some time ago but
it's been ignored so let me try again here (we still technically do our work
on mailing lists).

  When I brought it up initially there was a +1 and, as Mike notes, the
y-coordinate is not needed. This 04 || x || y format for a key is just some
ancient Certicom proposal and there's really no reason to perpetuate that.

  The y-coordinate is extraneous. Getting rid of it for the NIST curves will
make the API much cleaner and consistent.

  This will reduce the size of the serialized public key by more than 50%
and for apps that care about such things this would be a tremendous
improvement.

  Richard noted that one can lop off the 04 and the y-coordinate after
serialization and pass x alone as part of the app using HPKE and then have
the other size reconstruct it (with either y since the sign doesn't
matter) before passing it on to be deserialized. While technically true,
that completely defeats the whole point of formalizing this process.

  In my pull request I noted that it does change the test vectors and that
I would be happy to generate them. Well, I did it. I have new test vectors
(based on -07) and will happily contribute them if asked. If the test vectors
get changed again (with a new version string) I can reproduce new ones minus
the y-coordinate in a matter of minutes.

  Please consider this request. There is no downside to it.

  regards,

  Dan.
On 11/6/20 4:44 PM, Dan Harkins wrote:

  Yes, this is exactly right. The y-coordinate is not needed for these KEMs
as the sign is unimportant.

  The spec will be simpler and the interface more uniform if you do this.

  The whole point of HPKE is to make a callable API out of this process that
had been done ad hoc. Requiring a app that is taking advantage of this API
to take the output of the API and parse through it, throwing away one half
of one of the output strings and lopping off the first octet, is defeating
the whole purpose and is expecting a lot. The more this is a black box the
better.

  regards,

  Dan.
On 11/6/20 3:19 PM, Mike Hamburg wrote:
Hello Richard,

I haven’t paid much attention to HPKE, so it’s likely I’m missing something here, but why not use the x-only Montgomery ladder on NIST curves?  That’s the fastest and simplest approach, and it can operate with or without the y-coordinates.

Also, some implementations do not compute both the x- and y-coordinates, and it would be more convenient not to compute or send even a sign bit if you’re intending to use an x-only ladder.

Cheers,
— Mike


On Nov 6, 2020, at 10:19 PM, Richard Barnes <rlb@ipv.sx<mailto:rlb@ipv.sx>> wrote:

Nothing about this says that you have to *send* the keys uncompressed.  You can use whatever representation you want on the wire.  You just have to decompress them before you put them into the key schedule. Which you're probably doing anyway, because you need both coordinates to do point multiplication with these curves.  So I am inclined not to make this change.

--Richard

On Fri, Nov 6, 2020 at 4:52 PM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org<mailto:40ericsson.com@dmarc.ietf.org>> wrote:
+1

Sending the keys uncompressed makes HPKE unsuitable for constrained IoT.

-----Original Message-----
From: CFRG <cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org>> on behalf of Dan Harkins <dharkins@lounge.org<mailto:dharkins@lounge.org>>
Date: Friday, 6 November 2020 at 21:00
To: CFRG <cfrg@irtf.org<mailto:cfrg@irtf.org>>
Subject: [CFRG] compact representation and HPKE

   Hello,

   When doing a DH-based KEM with the NIST curves, HPKE specifies that
SerializePublicKey and DeserializePublicKey use the uncompressed format
from SECG. This ends up using 2*Ndh+1 octets to represent the serial
form of the public key.

   Since compact output is being used in DH-based KEMs-- that is, the
secret result of DH() is the x-coordinate of the resulting EC point--
it would also be possible to use compact representation (per RFC 6090)
and have SerializePublicKey merely do integer-to-octet string
conversions of the x-coordinate. DeserializePublicKey would then
do octet string-to-integer conversion for the x-coordinate and use the
equation of the curve to choose the y-coordinate. The sign isn't
important because we're doing compact output.

   This would make the interface for the NIST curves and the Bernstein
curves be uniform-- Serialize would produce an octet string of Ndh
and Deserialize would consume an octet string of Ndh-- at the cost
of some CPU inside DeserializePublicKey.

   Please consider this suggestion.

   regards,

   Dan.

--
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

_______________________________________________
CFRG mailing list
CFRG@irtf.org<mailto:CFRG@irtf.org>
https://protect2.fireeye.com/v1/url?k=513cd874-0ea7e231-513c98ef-867b36d1634c-ce26b08a2499b9a3&q=1&e=4f2b4ce0-8d52-4a80-b41e-0f7537355d35&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg

_______________________________________________
CFRG mailing list
CFRG@irtf.org<mailto:CFRG@irtf.org>
https://www.irtf.org/mailman/listinfo/cfrg<https://protect2.fireeye.com/v1/url?k=8e4205de-d1d93cdc-8e424545-869a14f4b08c-465b9e5abce36ec9&q=1&e=a61452db-e5d8-46d2-b87b-d0f281c2fac8&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg>
_______________________________________________
CFRG mailing list
CFRG@irtf.org<mailto:CFRG@irtf.org>
https://www.irtf.org/mailman/listinfo/cfrg<https://protect2.fireeye.com/v1/url?k=7a0c280b-25971109-7a0c6890-869a14f4b08c-9306a6e8c390632d&q=1&e=a61452db-e5d8-46d2-b87b-d0f281c2fac8&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg>




_______________________________________________

CFRG mailing list

CFRG@irtf.org<mailto:CFRG@irtf.org>

https://www.irtf.org/mailman/listinfo/cfrg<https://protect2.fireeye.com/v1/url?k=66576edf-39cc57dd-66572e44-869a14f4b08c-8204a953b7ece8f9&q=1&e=a61452db-e5d8-46d2-b87b-d0f281c2fac8&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg>



--

"The object of life is not to be on the side of the majority, but to

escape finding oneself in the ranks of the insane." -- Marcus Aurelius



_______________________________________________

CFRG mailing list

CFRG@irtf.org<mailto:CFRG@irtf.org>

https://www.irtf.org/mailman/listinfo/cfrg<https://protect2.fireeye.com/v1/url?k=9c603329-c3fb0a2b-9c6073b2-869a14f4b08c-2a44603a4c6091cb&q=1&e=a61452db-e5d8-46d2-b87b-d0f281c2fac8&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg>



--

"The object of life is not to be on the side of the majority, but to

escape finding oneself in the ranks of the insane." -- Marcus Aurelius

v2.23.0 | Report a Bug | By Email