Re: [openpgp] Curve448 in ECDH

"brian m. carlson" <sandals@crustytoothpaste.net> Sun, 28 February 2021 17:17 UTC

Return-Path: <sandals@crustytoothpaste.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 815C63A197A for <openpgp@ietfa.amsl.com>; Sun, 28 Feb 2021 09:17:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P5emYu_sHuhs for <openpgp@ietfa.amsl.com>; Sun, 28 Feb 2021 09:17:27 -0800 (PST)
Received: from injection.crustytoothpaste.net (injection.crustytoothpaste.net [192.241.140.119]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA6943A1979 for <openpgp@ietf.org>; Sun, 28 Feb 2021 09:17:26 -0800 (PST)
Received: from camp.crustytoothpaste.net (unknown [IPv6:2001:470:b978:101:7d4e:cde:7c41:71c2]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by injection.crustytoothpaste.net (Postfix) with ESMTPSA id 1619860DF4; Sun, 28 Feb 2021 17:17:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1614532641; bh=aYhYu8hFV7wRsTqN9guVVZLw7HV8hpcIcV4cquWuxAY=; h=Date:From:To:Cc:Subject:References:Content-Type: Content-Disposition:In-Reply-To:From:Reply-To:Subject:Date:To:CC: Resent-Date:Resent-From:Resent-To:Resent-Cc:In-Reply-To:References: Content-Type:Content-Disposition; b=GTzL8b4ko98bs4UEsckBKkTCc/8yZZ/D6RE7ukCLn3/eZTcA2Jq35CYLDZf6WSJAn ceeGnZEAU7/1NgCWf5UrEJmkF4XCwfqEZ98GHFrstayYOY6Ap+q4O/IQeHmrzRPqUZ E+pSmvMu3EifmP3bN+z34ukRK4EnQCbdxsf8kvwvFJE0dLBBRYmTXy1YdGyyXEAlOe PcpPPHyyjYN5pSL6KZthvkxFcPYg46i063B3tnVKCQZE8THtPMNb/MResKB1TaawCB htiTiVxAmRWq7H1y9dZe2647TIo1X+XjN4BR4g8ASK/zaNwdAeSoZPuUuHKPv45iYT nNK9i92tho3xbxH21PIiqvcKPcvHS3MQj+XU9ZXsxlKjjDDVSam9CVf+hSlMuGxHt6 vWAZajEveEbyjInPZpU2FUbPaAlpvKrNPikhohIZ5fvZXZXvm1lrIhnMVdVaiTbgRp gVWCnThrUrJ+XN2JpnGlod/u+xFPdmayOlGv/ozaaEF/KbQOkeB
Date: Sun, 28 Feb 2021 17:17:15 +0000
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: Paul Wouters <paul@nohats.ca>
Cc: openpgp@ietf.org
Message-ID: <YDvQG0Qif46wPlUT@camp.crustytoothpaste.net>
References: <7d8bdda1-4e5c-6c10-f3cd-1d191fad595c@nohats.ca> <YDrX4NICW6a6TX32@camp.crustytoothpaste.net> <aa9c358f-8982-9d7e-6bf1-e974d6b2d41c@nohats.ca>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="Sr/WbtbDCFZaeFA/"
Content-Disposition: inline
In-Reply-To: <aa9c358f-8982-9d7e-6bf1-e974d6b2d41c@nohats.ca>
User-Agent: Mutt/2.0.5 (2021-01-21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Kc88w7MhEmxctLPOKQI9AW2ZlOI>
Subject: Re: [openpgp] Curve448 in ECDH
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Feb 2021 17:17:28 -0000

On 2021-02-28 at 17:09:28, Paul Wouters wrote:
> On Sat, 27 Feb 2021, brian m. carlson wrote:
> 
> > I'm wondering, however, if there's consensus for adding Curve448 as well
> 
> That is being tracked by the WG chairs.

Great.

> > The reason I ask is that in many implementations, of the NIST curves,
> > only P-256 is implemented in a constant-time manner, whereas Curve25519
> > and Curve448 are almost always implemented in a constant-time manner.
> 
> Is that a concern for openpgp ? openpgp is not an interactive protocol
> where there is a server-client with possible MITM observing time spent?

People definitely do use OpenPGP for interactive uses where constant
time operations are relevant.  For example, when you create a commit by
editing a file on GitHub, that commit will be signed by GitHub's private
key, which is an online use.  This is hardly the only case where people
sign online.

We've also seen cases where people do encryption and decryption online,
such as by sending an encrypted message to an API and getting back an
error or not depending on whether the message could be successfully
decrypted.

I agree that these are not the typical uses of OpenPGP, but people
definitely do use it for online operations, and therefore, we need to
properly consider them when we secure the protocol.
-- 
brian m. carlson (he/him or they/them)
Houston, Texas, US