Re: [Cfrg] Practical summary of ECDH in TLS regarding the curve features

Andrey Jivsov <crypto@brainhub.org> Mon, 28 July 2014 05:25 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FF5C1A01F7 for <cfrg@ietfa.amsl.com>; Sun, 27 Jul 2014 22:25:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mKlu1h3kRroJ for <cfrg@ietfa.amsl.com>; Sun, 27 Jul 2014 22:25:14 -0700 (PDT)
Received: from qmta08.emeryville.ca.mail.comcast.net (qmta08.emeryville.ca.mail.comcast.net [IPv6:2001:558:fe2d:43:76:96:30:80]) by ietfa.amsl.com (Postfix) with ESMTP id B90091A0217 for <cfrg@irtf.org>; Sun, 27 Jul 2014 22:25:13 -0700 (PDT)
Received: from omta20.emeryville.ca.mail.comcast.net ([76.96.30.87]) by qmta08.emeryville.ca.mail.comcast.net with comcast id XhRD1o0011smiN4A8hRDSy; Mon, 28 Jul 2014 05:25:13 +0000
Received: from [192.168.1.2] ([71.202.164.227]) by omta20.emeryville.ca.mail.comcast.net with comcast id XhRC1o00H4uhcbK8ghRCbe; Mon, 28 Jul 2014 05:25:13 +0000
Message-ID: <53D5DEB8.5000903@brainhub.org>
Date: Sun, 27 Jul 2014 22:25:12 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>
References: <53D56D7E.9050306@brainhub.org> <CACsn0cnT_H7aqaBc-wEDjxAUNYoNW71uKNUdLsAC_Tuqeob+rA@mail.gmail.com> <53D5AA12.7020002@brainhub.org> <CACsn0ckeORqNyM3G017k_8EOq8rE_xzdZ9USSr1Xy1WbdR0=fA@mail.gmail.com> <CACsn0cn3=22yspvbw3vqzfOyVBijaEMtPQxBfz15YwdDeHpm4Q@mail.gmail.com>
In-Reply-To: <CACsn0cn3=22yspvbw3vqzfOyVBijaEMtPQxBfz15YwdDeHpm4Q@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1406525113; bh=0bew71UuQFeNEAWEZsg6Vw9mgV829nkZWpYOcG3q/uw=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=YHQx6QHL5tMO0lYiyztobUawYcSyIyZJWrkxgvuuC6o6YLX5xkfeAm+6tP8yLQd9w s1FBOin9Wt1/UwB2cpVG1/rBxlKaFYFmqzknQu/DO1epr39hAcAk3x99Hj9pZJYYRc XYHdWaklGArNewY8Z3uDLN7sMSoJvVFKDo84nlq30ADqUjeLg/MYrIfSWYwJsni088 WiU8RTMCWc0C0XGpajmL1VB+soxFnP4NInR202JOonDcM9WYdlvvZEM4zgHf7prcru okv+vvYihxYEYqQ0UguzfkhQMH8hwCjHfTJIh8XOjQ9bi/V/t8RJdQ5XtFPpIgGOaM fLF9G7y7ga8PQ==
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/agrmJE1Xv2XVf1xwkJy1en-NIDQ
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Practical summary of ECDH in TLS regarding the curve features
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 05:25:17 -0000

On 07/27/2014 08:22 PM, Watson Ladd wrote:
> This is true. But why waste time making bad curves when we can make
> good ones?

Certainly. My 4-cell table of likely ephemeral key strategies for client 
and servers meant to show that the reuse of ephemeral DH is expected at 
least for TLS servers. Some TLS clients are actually (computer) servers 
connecting to many TLS servers, and so I am against prohibiting the 
reuse for TLS clients too.

This means that curves must be capable to handle static DH (i.e. reused 
ephemeral DH) and therefore good curves are beneficial for TLS.

The
> argument that side channels don't matter for signatures and ECDH
> ignores quite a few practical
> issues:
> -determinism in signatures lets you reuse a side channel by getting
> repeated signatures on the same message.
> -side-channels are not bounded: I could leak almost all the bits from
> a side channel, leaving a very small number
> to guess.

I wasn't looking at signatures, which use static keys.

I should clarify my comment about the side channel. I was thinking about 
a sidechannel in a network device sense (either a timing channel or an 
error channel).

It's true that if an ECDH scalar multiplication leaks reliably whether 
or not it does double or add, a single ECDH operation implemented that 
way might be hypothetically sufficient to recover the scalar. Would it 
end up in the same feasibility bucket as the 0.866*2^128 ECDLP attack?