Re: [Cfrg] Key establishment advice (say, for TLS): How about MQV?
Watson Ladd <watsonbladd@gmail.com> Wed, 05 March 2014 01:21 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CBBE1A00DD for <cfrg@ietfa.amsl.com>; Tue, 4 Mar 2014 17:21:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RhFv8sRZKZ0i for <cfrg@ietfa.amsl.com>; Tue, 4 Mar 2014 17:21:29 -0800 (PST)
Received: from mail-yh0-x233.google.com (mail-yh0-x233.google.com [IPv6:2607:f8b0:4002:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id EE20E1A0084 for <cfrg@irtf.org>; Tue, 4 Mar 2014 17:21:28 -0800 (PST)
Received: by mail-yh0-f51.google.com with SMTP id f10so365225yha.24 for <cfrg@irtf.org>; Tue, 04 Mar 2014 17:21:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=VwTPSkeODGBP3QNRW7P8eHsIoZyoj3yWecCKLIL+Sr0=; b=pI6DmU/SZZHTgMfh2rimOo3AWG0s1wS7U1bj0MKV/w9obPEqEmcMwrgliJXkVAvDAX aSZqWqpzH/9HagCCePBYkZJq1C1x002p4alr9RwvA9DyqUfZU9/kusPiVRGmr6mez0Cv 8fpLCZRk9dxN/x9Z6539hA+PHdZpXWUk3zL3SRgb8oz6NdakkRZwf/1aOFng+ydFdCQs gRreXK1TuJimWkGcY1v1l4cL+tm8I7jVhgydK/5dyyPeMe4SoisECo/d+AgsWPeKJV3D C73CznhysscFDsq57tth4DAAx1Tbw+XExvczPmmdZS0AkD3ZpWSGvoz4ysf7+6thcsx+ gEhw==
MIME-Version: 1.0
X-Received: by 10.236.118.212 with SMTP id l60mr3303911yhh.78.1393982485417; Tue, 04 Mar 2014 17:21:25 -0800 (PST)
Received: by 10.170.92.85 with HTTP; Tue, 4 Mar 2014 17:21:25 -0800 (PST)
In-Reply-To: <CF3B7563.125D8%uri@ll.mit.edu>
References: <CF3B7563.125D8%uri@ll.mit.edu>
Date: Tue, 04 Mar 2014 17:21:25 -0800
Message-ID: <CACsn0c=V0bakFm+bn-6V3aQud=MbUDvTsiRnZw7SapEZ1pnVHw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/gxxO_gMxuxHUdQZ1mh2EoHBSHag
Cc: Dan Brown <dbrown@certicom.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Key establishment advice (say, for TLS): How about MQV?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Mar 2014 01:21:31 -0000
Dear all, I think this is a beautiful idea. It unifies client-auth with anon-client, a weakness of my proposal, is based on very well understood primitives, and takes only one round. It's also fairly efficient. However, one does need (F?)HMQV, because the unkown-key share attack on MQV can be mounted if private key possession is not proved. In some of the environments TLS will run this is an essential property. The anonymous variant has been analyzed: it's the ACE protocol that Tor is considering using. The efficiency is very good, but not the best depending on what happens. In the usual case signatures will be verified anyway, and the marginal cost for a signature verification in a batched scheme is small, and the signature generation cost is a fixed-based exponentiation on a genus 1 curve. However, the diffie-hellman exchange can use Kummer surfaces or curves in genus 1 or 2, leading to major gains in efficiency. Because of the need for signature creation the gain isn't a full 50%, but until we implement and test it won't be clear which is faster. Recently genus 2 set a major speed record for diffie-hellman, and because of technical issues addition isn't possible in a clean way with fast implementations. (It's analogous to the Montgomery curve tradeoff) The proposal is likely fast enough however, and the cleanness of the exchange (one flow, everything hashed, add your favorite AEAD scheme on the backend for sending application data back and forth) make me think that signed DH exchanges might be on the way out. In particular, the gains from batching aren't achievable in the real world of X509, because ECDSA isn't batchable, and change won't happen any time soon. Sincerely, Watson Ladd
- [Cfrg] Key establishment advice (say, for TLS): H… Dan Brown
- Re: [Cfrg] Key establishment advice (say, for TLS… Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Key establishment advice (say, for TLS… Watson Ladd
- Re: [Cfrg] Key establishment advice (say, for TLS… Feng Hao
- Re: [Cfrg] Key establishment advice (say, for TLS… Hugo Krawczyk
- Re: [Cfrg] Key establishment advice (say, for TLS… Feng Hao
- Re: [Cfrg] Key establishment advice (say, for TLS… Hugo Krawczyk
- Re: [Cfrg] Key establishment advice (say, for TLS… Watson Ladd
- Re: [Cfrg] Key establishment advice (say, for TLS… Dan Brown
- Re: [Cfrg] Key establishment advice (say, for TLS… Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] Key establishment advice (say, for TLS… Peter Gutmann
- Re: [Cfrg] Key establishment advice (say, for TLS… Watson Ladd