Re: [Cfrg] Curve manipulation, revisited

Yoav Nir <ynir.ietf@gmail.com> Mon, 29 December 2014 18:47 UTC

To: Rich Salz <rsalz@akamai.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/X709PeeTWvBdp_o3uu2kwyajxGY
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

> On Dec 29, 2014, at 8:25 PM, Salz, Rich <rsalz@akamai.com> wrote:
> 
>> May I ask why?  If we can make key agreement faster by using X25519
>> instead of P-256, it stands to reason that we can make signatures faster by
>> using Ed25519 instead of P-256.
> 
> TLS only needs a key exchange.  (X509 certificates are signed, of course, but that's a separable issue.)

The signatures on X509 certificates are a separable issue. But the signatures in the ServerKeyExchange using the private key associated with the public key in the X509 certificates are very much a part of TLS.

When measuring the performance of the TLS handshakes, the ECDHE derivation takes a similar amount of time as the ECDSA signature. That is the reason for moving away from RSA public keys to ECDSA public keys. If we can use public keys which will be even faster, that’s a net win.

So again, why not?

Yoav