Re: [openpgp] Catch 22 in ECC support of OpenPGP?

Andrey Jivsov <openpgp@brainhub.org> Tue, 04 February 2014 06:53 UTC

Return-Path: <openpgp@brainhub.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EEE81A037D for <openpgp@ietfa.amsl.com>; Mon, 3 Feb 2014 22:53:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level:
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xe2m3BCcP2Ax for <openpgp@ietfa.amsl.com>; Mon, 3 Feb 2014 22:53:48 -0800 (PST)
Received: from qmta11.emeryville.ca.mail.comcast.net (qmta11.emeryville.ca.mail.comcast.net [IPv6:2001:558:fe2d:44:76:96:27:211]) by ietfa.amsl.com (Postfix) with ESMTP id 19EA51A0360 for <openpgp@ietf.org>; Mon, 3 Feb 2014 22:53:47 -0800 (PST)
Received: from omta06.emeryville.ca.mail.comcast.net ([76.96.30.51]) by qmta11.emeryville.ca.mail.comcast.net with comcast id N6tn1n00216AWCUAB6tn0U; Tue, 04 Feb 2014 06:53:47 +0000
Received: from [192.168.1.8] ([71.202.164.227]) by omta06.emeryville.ca.mail.comcast.net with comcast id N6tm1n00G4uhcbK8S6tn7A; Tue, 04 Feb 2014 06:53:47 +0000
Message-ID: <52F08E7A.9000002@brainhub.org>
Date: Mon, 03 Feb 2014 22:53:46 -0800
From: Andrey Jivsov <openpgp@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: openpgp@ietf.org
References: <87iot0y1su.fsf@vigenere.g10code.de> <E238B88A-6259-4D1F-A432-AD0D20652392@callas.org> <874n4kxqop.fsf@vigenere.g10code.de> <E77E59A7-05D9-480A-939F-E1198CFC8246@callas.org>
In-Reply-To: <E77E59A7-05D9-480A-939F-E1198CFC8246@callas.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20121106; t=1391496827; bh=bbWlhRrN4TsQCfZ71GvcwusfQ23ZeoH7B9t+jEDRXXg=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=UDWOdHyJsU+IKyC1s5QHlI/WfDjkOtKlqG6MsAi3jhFRr8v3tmWIfB9Wcv0EDTT+3 aC1BTIRbXhtTjd7n2Ki2oKl6Q/EwkywWo+qcvegKuU9xnonbewekgZBrEyMqCbKBrn q0/y7NjBayhSVcKcMYTN+3L1t20ZqoUcUlNQ+keTZqmfKlvvO+b+z6ynTpu9DX6fnN b07EANFx+w77YvClv23b/8V89KOg+qbiZF8Mf3g6grehT0QmFDPESaYlTlM14dlJIC WH3m48/D3sDOcZUYChWiloghN5IuSJZEUGdi8RSryuQ6Eq64fq2IebwkTDlcxqUYtO wcjM0CY5Rqzdg==
Subject: Re: [openpgp] Catch 22 in ECC support of OpenPGP?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2014 06:53:49 -0000

On 02/01/2014 04:57 AM, Jon Callas wrote:
> Of those two, I vote for (1). There's no real value in the compression, it's an observation. And the reason there's little value in compression is the same reason that there's little harm in just putting the point there and don't worry about leading zeroes.

One positive side effect of using compression is that de-compression 
implies a validated point.

In some uses of OpenPGP protocol it may be necessary to validate that 
the ephemeral public key of ECDH lies on the curve and not on some 
specially selected curve with points of low order.

See "Validation of Elliptic Curve Public Keys" sec
4.2 Invalid-Curve Attack on ECIES (that applies to ECDH as well).