Re: [TLS] Thoughts on TLS 1.3 cryptography performance

Eric Rescorla <ekr@rtfm.com> Thu, 13 March 2014 18:03 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 425EB1A0A4B for <tls@ietfa.amsl.com>; Thu, 13 Mar 2014 11:03:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3xkUU2SsiHpn for <tls@ietfa.amsl.com>; Thu, 13 Mar 2014 11:03:00 -0700 (PDT)
Received: from mail-we0-f172.google.com (mail-we0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id 0CF521A0A53 for <tls@ietf.org>; Thu, 13 Mar 2014 11:02:59 -0700 (PDT)
Received: by mail-we0-f172.google.com with SMTP id t61so1188791wes.31 for <tls@ietf.org>; Thu, 13 Mar 2014 11:02:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=crQzIy3gaaRiYyTbHGZkrlIWIuR3g7FwcRyqojp4CmE=; b=hXNFHz6IRuueaApiFgEAb3hCtjVRmjhnp4pPd4ewlECjqdcvJ3SM+4vC58IMyQH4Is uWVgRl+1nD1P/0HLdDIUgrkJuGUKNNdZDHYn8aBMr+z9DRZcybkAr3smI2I0stZM7fH7 vuT9wOtXiu7M73uiWGpTw/kU6HHYDcfyo2Dk8tZUQH9PFtRpSDKdf/bmF5ZCbPj7e/u8 pqWYCq3ppBkqbBxyMFiKvesnBv48xABgVxGT/3VYDq2XLU0wOQxkVFGHmdoDJdYc9ns0 tX4bmZKRO+DywPlOjTcC3NlzWgXiqjbuatK1wMc8CurbpZXs2BZMViSkePy6ks8gPkBW RllQ==
X-Gm-Message-State: ALoCoQltOyWwr7zM+s7kg7SHkmZvCdB2NiYPywcmaxySy1hn9s0NmED8eppgsZQt69zKFjNn6uk9
X-Received: by 10.180.164.174 with SMTP id yr14mr2750228wib.18.1394733773075; Thu, 13 Mar 2014 11:02:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.218.198 with HTTP; Thu, 13 Mar 2014 11:02:12 -0700 (PDT)
X-Originating-IP: [63.245.220.224]
In-Reply-To: <CAGZ8ZG2kGxvbVCNDzQZ4aq_v-4To1xp76zME-LLiiw-h2qqJOQ@mail.gmail.com>
References: <CACsn0ckbrrt0rBsHM+5A_jNK6UvkaiO9mHx6=Jr+jjqy+bZ6MQ@mail.gmail.com> <CAK3OfOj_+RzqPj0LJa=EyeJ5UqSy42z-_kF2tqYYZb=efFEwrQ@mail.gmail.com> <CACsn0ckVq5wkjsZgV6XrsgA6tU6_6YLKOsJQMivFY59esX1Ywg@mail.gmail.com> <CAK3OfOhzD+D2Tf=1JwzCfPf_m5uWhBj3sVd=UQw8b4fthGt-Bw@mail.gmail.com> <CAGZ8ZG3JXiJiCRUUBGGuaVTabn11yZ2u+Nv9cWHO8yagoxr+yw@mail.gmail.com> <CAK3OfOiGCidqTPDcnrMY+prbxYzS76v4JiDo51=z5n3296x8Dw@mail.gmail.com> <CABcZeBMwUHjdSdXyYPzb3NBxEF4vT87r6qOWWM=g18LuBUXNLQ@mail.gmail.com> <CAGZ8ZG2kGxvbVCNDzQZ4aq_v-4To1xp76zME-LLiiw-h2qqJOQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 13 Mar 2014 11:02:12 -0700
Message-ID: <CABcZeBOVH03_NDbhFz5dVy+a+wq1vJtfJaMURjh57Yu0GTekpg@mail.gmail.com>
To: Trevor Perrin <trevp@trevp.net>
Content-Type: multipart/alternative; boundary="00248c0d791419d98f04f480c3eb"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/-ElzGW8wbiDbnh2avNSjAPMKXmY
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Thoughts on TLS 1.3 cryptography performance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Mar 2014 18:03:02 -0000

On Thu, Mar 13, 2014 at 10:17 AM, Trevor Perrin <trevp@trevp.net> wrote:

>
> On Thu, Mar 13, 2014 at 9:48 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>> On Thu, Mar 13, 2014 at 9:34 AM, Nico Williams <nico@cryptonector.com>wrote:
>>
>>>  But I am concerned about the need for PFS on
>>> resumption in order to limit the extent of resumption ticket cache
>>> compromise; if you're going to lose the 0-RTT resumption for it, might
>>> as well pick the best "fast reauthentication" protocol possible, and
>>> that might be Watson's.
>>
>>
>> WRT this specific point, I wanted to observe that computational cost
>> (within reason) is less important than round trip delay
>>
>
> True, but a 0-RTT session ticket resumption requires less computation than
> a 0-RTT handshake based on a semi-static ECDH key (like QUIC, or your
> draft) without any RTT tradeoff.
>
> (My understanding of both QUIC and your draft is that in the 0-RTT case
> they perform an "overlaid" DH while exchanging application data in the
> initial RT, so subsequent data gets PFS while the initial RT does not.
>  This could be done with session tickets as well.)
>

Thanks for making this point. I think it gets to precisely the questions we
need
to be asking, namely:

1. Do we want to provide a mechanism for a client and server to form a new
TLS connection without doing any public key operations?

2. Do we want to provide a mechanism for a client and server to do a
0-RTT handshake which minimizes the number of public key operations,
potentially at the cost of linkability. (It's possible to do a 0-RTT
handshake
without linkability if the server uses the same DH key for a lot of clients,
but not if you use the same session ticket repeatedly, though maybe you
could swap the ticket each time.)

-Ekr


> Also: if the semi-static handshake is going to require an expensive client
> re-authentication (ChannelID, PAKE, a slow smartcard, etc.), then the
> savings for resumption are even greater.
>
>
> Trevor
>
>