Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
Manuel Pégourié-Gonnard <mpg@polarssl.org> Thu, 23 January 2014 09:35 UTC
Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ECAF1A037A for <tls@ietfa.amsl.com>; Thu, 23 Jan 2014 01:35:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.394
X-Spam-Level:
X-Spam-Status: No, score=0.394 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iRJvhzISSiOk for <tls@ietfa.amsl.com>; Thu, 23 Jan 2014 01:35:03 -0800 (PST)
Received: from vps2.brainspark.nl (vps2.brainspark.nl [141.138.204.106]) by ietfa.amsl.com (Postfix) with ESMTP id 4C68A1A0376 for <tls@ietf.org>; Thu, 23 Jan 2014 01:35:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=polarssl.org; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:To:MIME-Version:From:Date:Message-ID; bh=lwmqmvy+Hw8urGSv5RDeLLtNejoBTPw0nXALkez9ijA=; b=ERH5z/m3eey+Y2X14SQ9M0KmJGKhVCFiGkXqhvl76S6xxvYlOJeXmcU3wNkyV8zcf0F5Sys//0ztJuEjG/cEIVUsq2uR5NtGPVLgMsiqVZ8xkLhlKIFOSn2YVQ4DAewEY6fW/C7Z5qvGWnqSo7dKdg3IsiEOLNDMiGQXALKNyIY=;
Received: from thue.elzevir.fr ([88.165.216.11] helo=[192.168.0.124]) by vps2.brainspark.nl with esmtpsa (TLS1.0:DHE_RSA_CAMELLIA_256_CBC_SHA1:256) (Exim 4.80) (envelope-from <mpg@polarssl.org>) id 1W6GZk-0001Bb-DD for tls@ietf.org; Thu, 23 Jan 2014 10:27:53 +0100
Message-ID: <52E0E241.40406@polarssl.org>
Date: Thu, 23 Jan 2014 10:34:57 +0100
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.1.1
MIME-Version: 1.0
To: tls@ietf.org
References: <87ob3456s1.fsf@latte.josefsson.org> <CABqy+spt7BYqjsqLAkZssGp3aY9M+iLqV+pmyr7ZN-TXmJJpVg@mail.gmail.com> <52E060D0.9030801@polarssl.org> <CABqy+spJoswrPovxf18QS1SGdk6K=mfny6joJm3X24Vh65oagQ@mail.gmail.com>
In-Reply-To: <CABqy+spJoswrPovxf18QS1SGdk6K=mfny6joJm3X24Vh65oagQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 88.165.216.11
X-SA-Exim-Mail-From: mpg@polarssl.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.brainspark.nl)
Subject: Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2014 09:35:06 -0000
On 23/01/2014 02:17, Robert Ransom wrote: > On 1/22/14, Manuel Pégourié-Gonnard <mpg@polarssl.org> wrote: >> On 22/01/2014 22:16, Robert Ransom wrote: > >>> * The draft should specify that implementations MUST discard (i.e. set >>> to zero) the most significant bit of a received public key, for two >>> reasons: (a) Existing Curve25519 scalarmult implementations differ in >>> their handling of inputs with that bit set, and could be distinguished >>> by an active attacker using that difference. >> >> I wasn't aware that some implementations ignored the most significant bit. >> Out >> of curiosity, could you cite examples? > > curve25519-donna and -donna-c64 ignore the MSB. > [...] > The ‘ref’ implementation in NaCl does not ignore the MSB. > [...] Ok, thanks for the information. > Fingerprinting of implementations wasn't one of the security concerns > that Dr. Bernstein had in mind at the time, and it still isn't widely > considered to be a security risk. It's certainly minor compared to > the numerous ways that NSA-curve ECDH implementations can leak their > keys. > > But the bigger reason to mask off the high bit is extensibility. > I fully agree it's the bigger reason. As discussed below, there is probably some other ways to achieve extensibility, so if extensibility wasn't a concern, would you think that avoiding implementation fingerprinting is more valuable than being able to accept any string as a public key without no validation or masking? >>> (b) Future specifications >>> may wish to include the sign bit of an Edwards-form x coordinate in a >>> Curve25519 point format for use with other protocols (e.g. Schnorr >>> signature, Ace) without breaking backwards compatibility with use in >>> ECDH. >>> >> This is a serious concern indeed. By the way, there was another issue under >> discussion that is related: should the point format be just the 32 bytes, or >> should we use a leading byte to follow the existing practice from X9.62, as >> Salz >> Rich suggested? If we use a leading byte, maybe it's better to have two >> formats, >> one for "x coordinate only", one for "y + bit sign of x"? > > * You appear to be confusing Montgomery form with Edwards form. The > Curve25519 paper specifies ‘Montgomery-form x coordinate only’; the > other format you are suggesting seems to be ‘Edwards-form y coordinate > with sign bit of Edwards-form x coordinate’. (Remember that the > Edwards-form y coordinate is analogous to the Montgomery-form x > coordinate.) > I misinterpreted your suggestion indeed. I read "Edwards" and immediately thought that you were talking everything in Edwards form (hence the y coordinate), which would have made little sense in this context. > * If you do not add a leading point-format byte, there is no reason to > specify the meaning of the high bit in this document. If you do add a > leading byte, you will have to choose in this document whether the > sign bit is for the Edwards-form x coordinate or the Montgomery-form y > coordinate. > Or we could add a leading byte now and say that the meaning of the msb is not defined yet an reserved for future use (which is what you suggest anyway, IIUC). Then a future document could update the meaning of this leading byte. > * Some future applications may wish to transmit an uncompressed > Edwards-form x coordinate or Montgomery-form y coordinate, not just > the sign bit. If you add a leading byte, you'll have to choose which > coordinate to use now. Alternatively, you could specify that > implementations of this document accept 64-byte points and ignore the > second half of the point structure. (Note that this means > implementations of this protocol MUST ignore the second half, even if > they know how to use it in some other protocol, or they will be > distinguishable from other ECDH implementations. I don't think that > restriction will ever be a problem for ECDH implementations.) > I'm afraid I didn't get your point. Why would we have to choose which coordinate to use now? If we add a leading byte meaning "the 32 bytes of the x coordinate (Montgomery form) follow"[1], and if people later want to be able to transmit two full coordinates, then they will pick a new leading byte and they will have to choose which coordinates to use with it, not us. [1] With some clarification about the msb as discussed above. > * Some future (non-ECDH) applications may wish to transmit an > Edwards-form y coordinate instead of a Montgomery-form x coordinate > (e.g. so that they can distinguish the point of order 2 from the > identity). If you do not add a leading point-format byte now, those > applications will have to use a different NamedCurve in order to > indicate that they are incompatible with the point formats used for > ECDH. (I'm not sure that this is a problem, or that any such > applications will ever exist.) > My humble opinion is that those applications should use a different NamedCurve indeed. > I'm currently leaning towards ‘just reserve the high bit and tell > implementations to accept and ignore the second half of a 64-byte > point structure’, but there may be good enough arguments for using a > magic byte to justify the minor downsides. > Transmitting 64 bytes when 33 (32 + leading byte allowing future extensions) are enough will probably be seen as a waste by many people. > Then either (a) don't recommend that countermeasure as an alternative > to using constant-time field operations, or (b) explicitly warn that > there is no evidence that that countermeasure will be sufficient to > protect against side-channel attacks. > Right. Manuel.
- [TLS] Curve25519 in TLS and Additional Curves in … Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… James Cloos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Bill Frantz
- Re: [TLS] Curve25519 in TLS and Additional Curves… Kurt Roeckx
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Daniel Kahn Gillmor
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Yoav Nir
- Re: [TLS] Curve25519 in TLS and Additional Curves… Fabrice
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard