Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,

Alyssa Rowan <akr@akr.io> Sat, 28 June 2014 17:30 UTC

Return-Path: <akr@akr.io>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B56141A0384 for <tls@ietfa.amsl.com>; Sat, 28 Jun 2014 10:30:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.798
X-Spam-Level:
X-Spam-Status: No, score=0.798 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uXCBrxk5qJBZ for <tls@ietfa.amsl.com>; Sat, 28 Jun 2014 10:30:52 -0700 (PDT)
Received: from entima.net (entima.net [78.129.143.175]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA7111A0382 for <tls@ietf.org>; Sat, 28 Jun 2014 10:30:52 -0700 (PDT)
Message-ID: <53AEFBC5.4000605@akr.io>
Date: Sat, 28 Jun 2014 18:30:45 +0100
From: Alyssa Rowan <akr@akr.io>
MIME-Version: 1.0
To: tls@ietf.org
References: <53AEF428.3010302@cs.bris.ac.uk> <CACsn0ck9Y-pLcMaaZAb8k+i7YOO2hj0FR-hG63Mio63sMtu7KA@mail.gmail.com>
In-Reply-To: <CACsn0ck9Y-pLcMaaZAb8k+i7YOO2hj0FR-hG63Mio63sMtu7KA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/-XSuqoQG6v_QZ7U951knMQMIkIo
Subject: Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jun 2014 17:30:54 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 28/06/2014 18:01, Watson Ladd wrote:

>> See our recent side channel attacks on EC-DSA with the
>> Eurovision
> Simple solution: write constant time software. The principal of
> side channel attacks being established, one simply eliminates them
> all.

And, of course, it would be remiss of me not to point out that all the
good Curve25519 implementations are both fast and constant-time, the
curve having been specified with the constant-time Montgomery ladder
in mind in the first place. This is actually an area where 25519 wins big.

(It should also be pointed out that constant-time over Weierstrass
curves is possible, with enough care; see Langley/Möller/Kasper's
implementation contributed to OpenSSL. I have yet to see any
implementation capable of doing such a feat with arbitrary curves.)

As far as code quality and reuse is concerned, what we've learned from
things like Heartbleed I think is that "many eyes make bugs shallow"
is only true when the eyes actually _look_ at the code. I don't think
monoculture is to blame (we could just as easily have 10 bad
implementations as 1), just complacency and a lack of sufficient
auditing. I'd be much happier with a few implementations that everyone
looks at very closely than many which aren't as well-audited.

- -- 
/akr
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJTrvvFAAoJEOyEjtkWi2t6rxoQAKVeCkxlYZz/s5Ji1mI/s43c
tPYVHycIbZkEEpLerpQpZk6XlBPgTiAwgEcBQd3P/MlZWi6N7XdvSap1WBG7S1U4
2uJyTJXlOEqZX/VJFSFX3zO/gLm+xhmanN7uoGfOoy+nf1szMbXDAJo+lmosFNzd
MPGHYNI51b5dlcNQ7jYg/kUkMT5H14Wnm5EMTYsbM0iUV0hZ90lLKXvAZJh6pt8m
hLFH/XDCF8KdfWFcEb/uAnYqMivxPSUl5IN87OTn4911CHIN90g8cWykXxqsXSJf
bdC9fwAR4SCpCynm6MODhZlWJbteXA6gIRGZ/ynnjgcbhOE+7IYaaMuavExZQOB7
gNP3s6pcXe3xU19XIQbWTAtmXUkIBF6c0CI9PYiQFCUZDZpGx1aY4BBw0A08PYDs
kkO8HA/NzhwVZU9pzF1HDaxuvfzkh7P4DVtUXNdOYPeefzOVt0ViwoGCxyaoPuZq
idCEL6Ia3bZCa1OdTbOpRi/GA7T8NEZG6Wu8mL1UsY2FmfsYJgKSfpzIWa0FyGHr
bg8rIPpS6HG4XXusDH2WINR6fCXYnbTKhKehXBUjnh6x6ccrGcHPX3S6kTRmISi8
tvQ+la8+ykMaDKfvEHmlTZmjl1ug4jlhwrAa62Wnz3/dkMF41PpcAHWGSnUdByFO
iBpyxqrJoMGf/OhFwBka
=fRNi
-----END PGP SIGNATURE-----